Simple login form with cookies


Simple login form with cookies

by JasonCarson

Hello everyone,

I am trying to create a PHP login script using cookies but am having some
troubles. Here is my setup

    index.php -> authenticate.php -> admin.php

I want a login form on index.php that allows me to login with my username
and password and then passes $_POST['username'] and $_POST['password'] to
authenticate.php

Then authenticate.php authenticates against a database of allowed users
(Which I already have setup and it works fine), if a valid user has
entered the correct information then admin.php is loaded...

header("location:admin.php");

...the admin.php code would look something like the following..

    <?php
    if (isset($_COOKIE['username'])) {
        echo "success!";
    } else {
        echo "Failure";
    }
    ?>

So basically I think I need to create a cookie from index.php OR
authenticate.php and then pass the information to admin.php.
I set the cookie like this...

setcookie("Admin", $username);

Which file(index.php OR authenticate.php) do I create the cookie and how
do I access the information in the cookie on admin.php?


--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


Re: Simple login form with cookies

by Paul M Foster

On Mon, Jul 06, 2009 at 12:03:34AM -0400, Jason Carson wrote:

> Which file(index.php OR authenticate.php) do I create the cookie and how
> do I access the information in the cookie on admin.php?

Just think about it. I assume you're not going to allow someone to run
admin.php unless they're authenticated. And you plan to determine
whether they're authenticated by checking a cookie. So you can only set
that cookie *after* you've authenticated them. Which means you'll need
to set the cookie after you've processed the results from
authenticate.php. My practice is generally to make forms re-entrant.
That is, the data returned from authenticate.php would be processed by
authenticate.php. You'd need to put a branch in authenticate.php to
determine if this is a fresh invocation of the file, or if the user is
returning data to you. The second time through, you check the returned
values against your database and set your cookie.

Checking the value in the cookie is as you detail it above:
$_COOKIE['blahblah'].

Paul

--
Paul M. Foster



Re: Simple login form with cookies

by JasonCarson

I finally got it working. I needed to setcookie() in login.php. Also, the
names of the cookies (using setcookie()) were wrong (the names were
"Admin" when they should have been "adminuser" and "adminpass"). Once I
fixed that then the following worked in admin.php...

    <?php
    if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
        echo "Success";
    } else {
        echo "Failed";
    }
    ?>




Re: Simple login form with cookies

by JasonCarson

> I finally got it working. I needed to setcookie() in login.php. Also, the
oops, I typed login.php when I meant authenticate.php






Re: Simple login form with cookies

by Eddie Drapkin

On Mon, Jul 6, 2009 at 1:45 AM, Jason Carson<jason@...> wrote:

> I finally got it working. I needed to setcookie() in login.php. Also, the
> names of the cookies(Using setcookie()) where wrong (The names where
> "Admin" when they should have been "adminuser" and "adminpass") Once I
> fixed that then the following worked in admin.php...
> <?php
> if (isset($_COOKIE['adminuser']) && isset($_COOKIE['adminpass'])) {
> echo "Success";
> } else {
> echo "Failed";
> }
> ?>

You're not storing anything usable in the adminpass cookie, are you?
It sort of sounds like you're storing a password, or even a passhash,
in the cookie and you might want to rethink what that cookie contains
to prevent session hijacking.



Re: Simple login form with cookies

by JasonCarson

> You're not storing anything usable in the adminpass cookie, are you?
> It sort of sounds like you're storing a password, or even a passhash,
> in the cookie and you might want to rethink what that cookie contains
> to prevent session hijacking.
>
Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
it, if so how, if not what should I do?

I am new to programming and PHP web development so I am not aware of all
the security problems that can occur.





Re: Simple login form with cookies

by Eddie Drapkin

On Mon, Jul 6, 2009 at 2:01 AM, Jason Carson<jason@...> wrote:

> Yeah, I am storing an unencrypted password in the cookie. Should I encrypt
> it, if so how, if not what should I do?
>
> I am new to programming and PHP web development so I am not aware of all
> the security problems that can occur.

That's an enormous question without an easy, or even a correct answer.
 I'd start by googling around for "session hijacking."  One of the
things that's probably not PC to say, is don't learn to prevent
session hijacking, learn to hijack sessions.  Once you know how to
hijack a session, you can audit your own code and fix the security
holes.

Although the best advice would probably be to find someone else's
session implementation and use that, seeing as there's no real reason
to recreate such a worn-in wheel.



Re: Simple login form with cookies

by JasonCarson

> That's an enormous question without an easy, or even a correct answer.
>  I'd start by googling around for "session hijacking."  One of the
> things that's probably not PC to say, is don't learn to prevent
> session hijacking, learn to hijack sessions.  Once you know how to
> hijack a session, you can audit your own code and fix the security
> holes.
>
> Although the best advice would probably be to find someone else's
> session implementation and use that, seeing as there's no real reason
> to recreate such a worn-in wheel.
ok, I have two sets of scripts here. One uses setcookie() for logging into
the admin panel and the other uses session_start(). Both are working fine,
is one more secure than the other?





Re: Simple login form with cookies

by Daniel Brown-7

On Mon, Jul 6, 2009 at 02:19, Jason Carson<jason@...> wrote:
>>
> ok, I have two sets of scripts here. One uses setcookie() for logging into
> the admin panel and the other uses session_start(). Both are working fine,
> is one more secure than the other?

    $_COOKIE data is written to a file that is readable/writeable and
stored on the user's side of things.  $_SESSION data is written to the
server, with a cookie stored on the user's side containing just the
PHPSESSID (session ID) string to identify the session file on the
server.

    So determining which is better and/or more secure is really a
matter of the data held there and how it's handled.  If storing things
like usernames or you absolutely want to store personal data in an
active session, do so in $_SESSION.  If you're storing a password or
credit card number in the active session, you may as well do it in
$_COOKIE, because you're already using an insecure model.  ;-P

--
</Daniel P. Brown>
daniel.brown@... || danbrown@...
http://www.parasane.net/ || http://www.pilotpig.net/
Check out our great hosting and dedicated server deals at
http://twitter.com/pilotpig

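The two pieces of advice in this thread fit together: Paul's re-entrant form (one script that shows the form on GET and processes it on POST, marking the user as logged in only after the database check passes) and Daniel's point that the browser should hold nothing but a session ID, because anything in $_COOKIE is written by the client and can be set to any value. The check posted for admin.php ("adminuser" and "adminpass" cookies present) is satisfied by any browser that sends two cookies with those names. Below is an added example of the combined approach; it is not code from the thread. It assumes PHP 7.3+ (for the array form of session_set_cookie_params()), a site served over HTTPS, the file name login.php, and a hypothetical credentials_valid() standing in for the poster's existing user-table lookup, with a constructed sample user in place of the database.

```php
<?php
// login.php: added example of a re-entrant login form that keeps only a
// session ID on the client. Assumes PHP 7.3+ and HTTPS. Not from the thread.
declare(strict_types=1);

// Stand-in for the existing database check. The array is constructed sample
// data; real code fetches the stored password hash for $user and verifies.
function credentials_valid(string $user, string $pass): bool
{
    static $users = null;
    if ($users === null) {
        $users = ['admin' => password_hash('correct horse battery', PASSWORD_DEFAULT)];
    }
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// The browser only ever receives the session ID; the username and login
// state live in the server-side session, where the client cannot edit them.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    session_set_cookie_params([
        'lifetime' => 0,       // session cookie, dropped when the browser closes
        'path'     => '/',
        'secure'   => true,    // never sent over plain HTTP
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function show_form(?string $error): void
{
    if ($error !== null) {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="login.php">'
       . 'User: <input name="username"> '
       . 'Password: <input name="password" type="password"> '
       . '<input type="submit" value="Log in"></form>';
}

// Re-entrant: GET shows the form, POST processes it, and the session is
// only populated after the credential check succeeds.
function handle_login(): void
{
    start_secure_session();
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        show_form(null);
        return;
    }
    $user = (string) ($_POST['username'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (!credentials_valid($user, $pass)) {
        show_form('Login failed');   // same message for bad user or bad password
        return;
    }
    // New ID after login so an ID planted before login cannot be reused
    // by whoever planted it (session fixation).
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    header('Location: admin.php', true, 303);
    exit;
}

// admin.php starts with:  require __DIR__ . '/login.php'; $user = require_login();
function require_login(): string
{
    start_secure_session();
    if (empty($_SESSION['user'])) {
        header('Location: login.php', true, 303);
        exit;
    }
    return (string) $_SESSION['user'];
}

function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}

// Only act as the login page when requested directly, not when included.
if (PHP_SAPI !== 'cli' && basename($_SERVER['SCRIPT_NAME'] ?? '') === 'login.php') {
    handle_login();
}
```

With this layout the only value the client can tamper with is the session ID, so the remaining exposure is someone obtaining that ID (the "session hijacking" Eddie mentions); the secure and httponly flags and the regenerate-on-login step are there to narrow how it can leak.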


Re: Simple login form with cookies

by JasonCarson

>     $_COOKIE data is written to a file that is readable/writeable and
> stored on the user's side of things.  $_SESSION data is written to the
> server, with a cookie stored on the user's side containing just the
> PHPSESSID (session ID) string to identify the session file on the
> server.
>
>     So determining which is better and/or more secure is really a
> matter of the data held there and how it's handled.  If storing things
> like usernames or you absolutely want to store personal data in an
> active session, do so in $_SESSION.  If you're storing a password or
> credit card number in the active session, you may as well do it in
> $_COOKIE, because you're already using an insecure model.  ;-P
Well I'm a newbie when it comes to PHP and programming. I guess I need to
read up on login security. Do you know of, or recommend, any websites that
will show me how to secure my login model (Using cookies or sessions).





Re: Simple login form with cookies

by PJ-14

Jason Carson wrote:

> Well I'm a newbie when it comes to PHP and programming. I guess I need to
> read up on login security. Do you know of, or recommend, any websites that
> will show me how to secure my login model (Using cookies or sessions).
Hi Jason,
I'm probably not any wiser than you, but I have just (today) discovered
an interesting site that seems to have some really clear explanations
and tutorials re PHP, MySQL et al.
It's worth looking at (I'm trying to implement something like what you
are, as well):
http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
HTH,
PJ

--
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- pj@...
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php




Re: Simple login form with cookies

by JasonCarson

> Hi Jason,
> I'm probably not any wiser than you, but I have just (today) discovered
> an interesting site that seems to have some really clear explanations
> and tutorials re php, MySsql et al.
> It's worth looking at (I'm trying to implement something like what you
> are, as well):
> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
> HTH,
> PJ
I'll check it out this evening when I have some time. Thanks for the link.




Re: Simple login form with cookies

by PJ-14

PJ wrote:

> Hi Jason,
> I'm probably not any wiser than you, but I have just (today) discovered
> an interesting site that seems to have some really clear explanations
> and tutorials re php, MySsql et al.
> It's worth looking at (I'm trying to implement something like what you
> are, as well):
> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
> HTH,
> PJ
I just found another site which is easier to deal with (chapter
references) and seems to be the original source of the brainbell site:
http://home.bolink.org/ebooks/webP/webdb/index.htm

--
Hervé Kempf: "Pour sauver la planète, sortez du capitalisme."
-------------------------------------------------------------
Phil Jourdan --- pj@...
   http://www.ptahhotep.com
   http://www.chiccantine.com/andypantry.php




Re: Simple login form with cookies

by Carl Furst


The basic model for password authentication is to use one-way crypt
routines. MySQL has several, PHP also has them. The basic algorithm
would be like this:

1) read the password from the form.
2) read the password from your datastore that matches the user name or
session
3) encrypt the password on the form.
4) do a string comparison between the database data and the encrypted
password from the form.

This of course assumes that you have been encrypting your passwords
when you store them (always good practice), so I think this translates to
PHP as (forgive me if this is bogus, it's been a while since I've done
any PHP):

<?php
// the salt must be the same one used when the passwords were stored in
// the database, otherwise the hashes will not match
$salt = 'someglobalsaltstring';
$passwd = crypt($_POST['passwd'], $salt);   // the login form submits by POST
// strict comparison: == would compare two numeric-looking strings as numbers
if ($passwd === $userObject->getPassword()) { return 1; } else { return 0; }
?>

So I've not tested this obviously but you would have to have a
$userObject which is your interface between your software and your user
data.

Hope it helps,
Carl.

PJ wrote:

> PJ wrote:
>  
>> Jason Carson wrote:
>>>> On Mon, Jul 6, 2009 at 02:19, Jason Carson<jason@...> wrote:
>>>>> ok, I have two sets of scripts here. One uses setcookie() for logging
>>>>> into
>>>>> the admin panel and the other uses session_start(). Both are working
>>>>> fine,
>>>>> is one more secure than the other?
>>>>     $_COOKIE data is written to a file that is readable/writeable and
>>>> stored on the user's side of things.  $_SESSION data is written to the
>>>> server, with a cookie stored on the user's side containing just the
>>>> PHPSESSID (session ID) string to identify the session file on the
>>>> server.
>>>>
>>>>     So determining which is better and/or more secure is really a
>>>> matter of the data held there and how it's handled.  If storing things
>>>> like usernames or you absolutely want to store personal data in an
>>>> active session, do so in $_SESSION.  If you're storing a password or
>>>> credit card number in the active session, you may as well do it in
>>>> $_COOKIE, because you're already using an insecure model.  ;-P
>>>>
>>>> --
>>>> </Daniel P. Brown>
>>>> daniel.brown@... || danbrown@...
>>>> http://www.parasane.net/ || http://www.pilotpig.net/
>>>> Check out our great hosting and dedicated server deals at
>>>> http://twitter.com/pilotpig
>>>>
>>>>
>>> Well I'm a newbie when it comes to PHP and programming. I guess I need to
>>> read up on login security. Do you know of, or recommend, any websites that
>>> will show me how to secure my login model (Using cookies or sessions).
>>>
>> Hi Jason,
>> I'm probably not any wiser than you, but I have just (today) discovered
>> an interesting site that seems to have some really clear explanations
>> and tutorials re PHP, MySQL et al.
>> It's worth looking at (I'm trying to implement something like what you
>> are, as well):
>> http://www.brainbell.com/tutors/php/php_mysql/Authorizing_User_Access.html
>> HTH,
>> PJ
>>
> I just found another site which is easier to deal with (chapter
> references) and seems to be the original source of the brainbell site:
> http://home.bolink.org/ebooks/webP/webdb/index.htm
>



Re: Simple login form with cookies

by Michael A. Peters

Carl Furst wrote:

> The basic model for password authentication is to use one way crypt
> routines. MySql has several, PHP also has them. The basic algorithm
> would be like this:
>
> 1) read the password from the form.
> 2) read the password from you datastore that matches the user name or
> session
> 3) encrypt the password on the form.
> 4) do a string comparison between the database data and the encrypted
> password from the form.

Read the password on the form.
Encrypt the password on the form using the same salt and algorithm you use
to generate the hash.

Then -

$sql = "SELECT id FROM userdb WHERE user='$user' AND pass='$pass'";

If your query returns a result, you now have a user id to store in the
session. Otherwise, the login fails.

No need to read from the database and do a string compare.
Of course you need to watch out for injection when doing it that way,
but that's what prepared statements are for.

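Carl's hash-then-compare check, with the lookup done through a prepared statement as Michael recommends, as an added example that is not code from either post. It swaps the shared global salt for a random per-user bcrypt salt (crypt() reads the salt back out of the stored hash), compares with hash_equals(), and uses an in-memory SQLite table with one constructed user; the table and column names follow Michael's query.

```php
<?php
// Added example (not from the thread): hash the submitted password with the
// stored user's salt and compare, looked up via a PDO prepared statement.
declare(strict_types=1);

// Generate a fresh bcrypt hash with a random 22-character salt. password_hash()
// would do the same; crypt() is kept to match the thread.
function hashPassword(string $password): string
{
    $salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}

// Returns the user id on success, null on failure.
function checkLogin(PDO $db, string $username, string $password): ?int
{
    // Parameterised lookup: the username is bound as a value, never spliced
    // into the SQL text, so quote characters in it are just data.
    $stmt = $db->prepare('SELECT id, pass FROM userdb WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Hash something even for unknown users so response time does not
    // reveal which usernames exist.
    $stored = $row ? $row['pass'] : hashPassword('dummy');
    // crypt() takes the algorithm and salt from $stored; compare in constant time.
    $ok = hash_equals($stored, crypt($password, $stored));
    return ($ok && $row) ? (int) $row['id'] : null;
}

// Constructed fixture standing in for the real user table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE userdb (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT)');
$ins = $db->prepare('INSERT INTO userdb (user, pass) VALUES (?, ?)');
$ins->execute(['jason', hashPassword('correct horse')]);

var_dump(checkLogin($db, 'jason', 'correct horse')); // int(1)
var_dump(checkLogin($db, 'jason', 'wrong'));         // NULL
var_dump(checkLogin($db, "o'brien", 'anything'));    // NULL, quote handled as data
```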


Re: Simple login form with cookies

by Michael A. Peters

Carl Furst wrote:

>
> <?
> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
> when storing passwords to your database otherwise it won't work
> $passwd = crypt($_GET['passwd'], $salt);

I personally use the username and the salt.
That way two users with identical passwords have different hashes.

With large databases, many users will have the same password, there are
some that are just commonly used. The hackers know what they are, and if
they get your hash dump, they try their list of commonly used passwords
against the user names that have the common hashes.

By using the username as part of the salt, you avoid that issue because
identical passwords will have different hashes.

It does mean the password has to be reset if you allow them to change
their login name.



Re: Simple login form with cookies

by Carl Furst

These are great ideas.

Another option would be to have the user choose a pin number and use
either the literal pin or the encrypted pin as part of the salt. This
way only when you change the pin do you need to change the password,
which is probably what you would want anyway.



Michael A. Peters wrote:

> Carl Furst wrote:
>
>>
>> <?
>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>> when storing passwords to your database otherwise it won't work
>> $passwd = crypt($_GET['passwd'], $salt);
>
> I personally use the username and the salt.
> That way two users with identical passwords have different hashes.
>
> With large databases, many users will have the same password, there
> are some that are just commonly used. The hackers know what they are,
> and if they get your hash dump, they try their list of commonly used
> passwords against the user names that have the common hashes.
>
> By using the username as part of the salt, you avoid that issue
> because identical passwords will have different hashes.
>
> It does mean the password has to be reset if you allow them to change
> their login name.



Re: Simple login form with cookies

by Ashley Sheridan-3

On Wednesday 08 July 2009 04:25:46 Carl Furst wrote:

> These are great ideas.
>
> Another option would be to have the user choose a pin number and use
> either the literal pin or the encrypted pin as part of the salt. This
> way only when you change the pin do you need to change the password,
> which is probably what you would want anyway.
>
> Michael A. Peters wrote:
> > Carl Furst wrote:
> >> <?
> >> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
> >> when storing passwords to your database otherwise it won't work
> >> $passwd = crypt($_GET['passwd'], $salt);
> >
> > I personally use the username and the salt.
> > That way two users with identical passwords have different hashes.
> >
> > With large databases, many users will have the same password, there
> > are some that are just commonly used. The hackers know what they are,
> > and if they get your hash dump, they try their list of commonly used
> > passwords against the user names that have the common hashes.
> >
> > By using the username as part of the salt, you avoid that issue
> > because identical passwords will have different hashes.
> >
> > It does mean the password has to be reset if you allow them to change
> > their login name.

and then make a visit to their house to give them a secondary password that
they have to use. Make sure you're not tailed on the way to avoid the
password being intercepted...

Thanks,
Ash
http://www.ashleysheridan.co.uk



Re: Simple login form with cookies

by Andrew Ballard

On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters<mpeters@...> wrote:

> Carl Furst wrote:
>
>>
>> <?
>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>> when storing passwords to your database otherwise it won't work
>> $passwd = crypt($_GET['passwd'], $salt);
>
> I personally use the username and the salt.
> That way two users with identical passwords have different hashes.
>
> With large databases, many users will have the same password, there are some
> that are just commonly used. The hackers know what they are, and if they get
> your hash dump, they try their list of commonly used passwords against the
> user names that have the common hashes.
>
> By using the username as part of the salt, you avoid that issue because
> identical passwords will have different hashes.
>
> It does mean the password has to be reset if you allow them to change their
> login name.
>

The password does not need to be reset. You could require that they
provide the password again (even though they are already
authenticated) on the same form with the new username. Then you can do
the same encrypt/compare that you do for authentication, and if it
matches you just update the username and the hash at the same time.

Andrew



Re: Simple login form with cookies

by Martin Scotta

$sql = 'SELECT * FROM your-table WHERE username = \'' . $username . '\''
     . ' and passwd = md5( concat( \'' . $username . '\', \'@\', \'' . $password . '\'))';

I use this solution because md5 runs faster in MySQL

On Wed, Jul 8, 2009 at 10:28 AM, Andrew Ballard<aballard@...> wrote:

> On Tue, Jul 7, 2009 at 11:05 PM, Michael A. Peters<mpeters@...> wrote:
>> Carl Furst wrote:
>>
>>>
>>> <?
>>> $salt = 'someglobalsaltstring'; # the salt should be the same salt used
>>> when storing passwords to your database otherwise it won't work
>>> $passwd = crypt($_GET['passwd'], $salt);
>>
>> I personally use the username and the salt.
>> That way two users with identical passwords have different hashes.
>>
>> With large databases, many users will have the same password, there are some
>> that are just commonly used. The hackers know what they are, and if they get
>> your hash dump, they try their list of commonly used passwords against the
>> user names that have the common hashes.
>>
>> By using the username as part of the salt, you avoid that issue because
>> identical passwords will have different hashes.
>>
>> It does mean the password has to be reset if you allow them to change their
>> login name.
>>
>
> The password does not need to be reset. You could require that they
> provide the password again (even though they are already
> authenticated) on the same form with the new username. Then you can do
> the same encrypt/compare that you do for authentication, and if it
> matches you just update the username and the hash at the same time.
>
> Andrew
>



--
Martin Scotta

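Michael's username-in-the-salt idea, Martin's user@password construction and Andrew's rename flow together, as an added example that is not code from any of the posts. The hash is computed in PHP (sha256 standing in for md5) so the SQL only ever carries bound values, Michael's "WHERE user AND pass" lookup works because the hash is deterministic per user, and a constructed in-memory SQLite table replaces the real user table.

```php
<?php
// Added example (not from the thread): a username-bound hash, the matching
// login query and Andrew's "re-enter the password, update both" rename.
declare(strict_types=1);

// Binding the username into the hash means two users with the same password
// get different hashes. sha256 replaces the thread's md5; a slow hash such as
// bcrypt would resist guessing better, but cannot be matched in a WHERE clause.
function userBoundHash(string $username, string $password): string
{
    return hash('sha256', $username . '@' . $password);
}

// Michael's lookup: a row comes back only if username and hash both match.
function loginId(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id FROM userdb WHERE user = ? AND pass = ?');
    $stmt->execute([$username, userBoundHash($username, $password)]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Andrew's rename: the user re-enters the password, the old pair is checked in
// the WHERE clause, and username and hash are replaced in a single statement.
function renameUser(PDO $db, string $oldName, string $newName, string $password): bool
{
    $stmt = $db->prepare('UPDATE userdb SET user = ?, pass = ? WHERE user = ? AND pass = ?');
    $stmt->execute([
        $newName, userBoundHash($newName, $password),
        $oldName, userBoundHash($oldName, $password),
    ]);
    return $stmt->rowCount() === 1; // 0 rows: wrong password or unknown user
}

// Constructed fixture standing in for the real user table.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE userdb (id INTEGER PRIMARY KEY, user TEXT UNIQUE, pass TEXT)');
$db->prepare('INSERT INTO userdb (user, pass) VALUES (?, ?)')
   ->execute(['jason', userBoundHash('jason', 'secret')]);

var_dump(renameUser($db, 'jason', 'jcarson', 'wrong'));  // bool(false)
var_dump(renameUser($db, 'jason', 'jcarson', 'secret')); // bool(true)
var_dump(loginId($db, 'jason', 'secret'));               // NULL, old name gone
var_dump(loginId($db, 'jcarson', 'secret'));             // int(1)
```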
