I'm setting up a user account system on my web site. The SO consensus seems to be reflected in this SO question/article. It recommends this approach by Charles Miller to store the username and a large random number 1) in a cookie and 2) in a separate table in the DB. The user can be reauthenticated in each subsequent session by querying this table using the cookie (if it exists). If a match is found, then a new $_SESSION is set for that session. It supports simultaneous logins from different computers.
My question...
Prior to reading security questions on SO, I was thinking about storing user information in a way similar to the way vBulletin does it. As I understand it, they store the user id and the hashed password in separate cookies on the user's browser.
After the user logs in, they use a $_SESSION variable (e.g. something like $_SESSION['user_hash']) to maintain the authentication for each page request. I don't have access to vBulletin software, but I assume that $_SESSION['user_hash'] is maintained in a separate MySQL table along with another piece of identifying information - e.g. user id/password hash/other - in order to enable logins from different computers.
I was thinking about creating the hash by doing this:
$_SESSION['user_hash'] = $random_hash = sha1(uniqid(rand(), true));
For future sessions, if $_SESSION['user_hash'] does not exist, then those two cookies can be used to auto-login this person for a new session. I would plan on implementing the $_SESSION security measures outlined in this SO question.
Is the vBulletin approach acceptable from a security standpoint? If storing the user id and the hashed password in a cookie is problematic, would encrypting them alleviate some security concerns? Or could something else be done to secure the cookies?
Thanks for any suggestions.
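The cookie-plus-table scheme from Charles Miller that the question describes, written out as an added PHP example (not the poster's, vBulletin's or Miller's code). It goes slightly beyond the description: only a hash of the cookie secret is kept in the table, and the token is rotated on every successful use. The persistent_logins table and its columns, the cookie name and the $pdo connection are assumptions; session_start() is assumed to have run.

```php
<?php
// Added example, not code from the question or from vBulletin.
// Assumed table: persistent_logins(selector CHAR(24) PRIMARY KEY,
//     validator_hash CHAR(64), user_id INT, expires DATETIME)
// Assumed: $pdo is an open PDO connection; session_start() already called.

function issuePersistentLogin(PDO $pdo, int $userId): void {
    // CSPRNG output instead of sha1(uniqid(rand(), true)); uniqid/rand are guessable.
    $selector  = bin2hex(random_bytes(12));  // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $stmt = $pdo->prepare(
        'INSERT INTO persistent_logins (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, DATE_ADD(NOW(), INTERVAL 30 DAY))');
    $stmt->execute([$selector, hash('sha256', $validator), $userId]);
    // Because the table holds only the hash, reading the table (SQL injection,
    // leaked backup) does not give an attacker a usable cookie.
    setcookie('remember', $selector . ':' . $validator, [   // options array: PHP 7.3+
        'expires'  => time() + 30 * 86400,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

/** Returns the user id when the cookie is valid, otherwise null. */
function checkPersistentLogin(PDO $pdo): ?int {
    if (!isset($_COOKIE['remember']) || substr_count($_COOKIE['remember'], ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE['remember'], 2);
    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash FROM persistent_logins
         WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals: constant-time compare, no timing leak on the validator
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    // Single use: drop the matched row and issue a fresh token, so a copied cookie
    // stops working once the legitimate browser has used it.
    $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
    $userId = (int) $row['user_id'];
    session_regenerate_id(true);   // new session id after privilege change
    $_SESSION['user_id'] = $userId;
    issuePersistentLogin($pdo, $userId);
    return $userId;
}
```

On logout, delete the user's rows from persistent_logins and clear the cookie, otherwise the token outlives the session it was meant to restore.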