Old 03-19-2008, 02:02 PM   #10 (permalink)
marc_gfx
Contributing Member
 
Join Date: 07-01-06
Posts: 133

Username + encrypted password would be a solution, yes. Any way you're gonna have cookies to autologin, you will be leaving a kind of security issue though. If you transmit the salt to the user, you make things a little worse. This makes it easier for anyone who gets the cookie + salt to decrypt the password (the only way is brute force: test every possible password). If the salt is also unknown, the testing will require checking much longer passwords and can be too much for your attacker's computer to decrypt in a useful time.

You should store your users' passwords in some kind of encrypted form in the database (so no one, not even you, can easily decrypt them). You can then compare the cookie's user + encrypted password to the information in your database.
__________________
Test your geography knowledge on MapBattle.com! You can also make your own map challenges ;)

Get your real-life teams organized! Onlito.com, Online Team Organisation (Free & Beta)
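The two mechanisms discussed in this thread, salted one-way password storage and a cookie-based autologin that is checked against the database, as an added example that is not part of the post above or of any project it mentions. It goes one step beyond the post's description: the autologin cookie carries a random per-login token (stored server-side only as a hash) instead of any password material, so a stolen cookie can be revoked without touching the password and exposes nothing worth brute-forcing. The in-memory `USERS` dict, the `alice` account and the PBKDF2 round count are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stand-in for the users table: username -> record.
USERS = {}

# Work factor for PBKDF2-HMAC-SHA256; chosen for the example, tune for real deployments.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return (salt, derived_key). A fresh random salt is drawn when none is given,
    so two users with the same password get different stored values."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, dk


def register(username, password):
    """Store only salt + one-way hash; the plaintext password is never persisted."""
    salt, dk = hash_password(password)
    USERS[username] = {"salt": salt, "pw_hash": dk, "autologin_hash": None}


def verify_password(username, password):
    """Recompute the hash with the stored salt and compare in constant time."""
    rec = USERS.get(username)
    if rec is None:
        return False
    _, dk = hash_password(password, rec["salt"])
    return hmac.compare_digest(dk, rec["pw_hash"])


def issue_autologin_cookie(username):
    """Mint a random token for the 'remember me' cookie. Only its SHA-256 is kept
    server-side, so a database leak does not yield usable cookies."""
    token = secrets.token_urlsafe(32)
    USERS[username]["autologin_hash"] = hashlib.sha256(token.encode("utf-8")).digest()
    return f"{username}:{token}"


def check_autologin_cookie(cookie):
    """Return the username if the cookie's token matches the stored hash, else None."""
    try:
        username, token = cookie.split(":", 1)
    except ValueError:
        return None
    rec = USERS.get(username)
    if rec is None or rec["autologin_hash"] is None:
        return None
    presented = hashlib.sha256(token.encode("utf-8")).digest()
    if hmac.compare_digest(presented, rec["autologin_hash"]):
        return username
    return None


def revoke_autologin(username):
    """Invalidate an outstanding autologin cookie (e.g. on logout or suspected theft)."""
    rec = USERS.get(username)
    if rec is not None:
        rec["autologin_hash"] = None


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    cookie = issue_autologin_cookie("alice")
    print("password ok:", verify_password("alice", "correct horse battery staple"))
    print("cookie ok:", check_autologin_cookie(cookie))
    revoke_autologin("alice")
    print("after revoke:", check_autologin_cookie(cookie))
```

Because the cookie token is independent of the password, the salt never has to leave the server, which sidesteps the brute-force concern raised in the post entirely.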