0

I create a PHP/MySQL application that will be used to log in to the user with a username and password, but I need the user login to the system to survive even turning off the browser or restarting the device.

For this reason, I cannot rely on PHP sessions.

Of course I can use browser Cookies, but I'm afraid of being stolen.

I tried to store the generated hash in the cookies and store the login information in the database. Unfortunately, here is a big problem with the potential theft of cookies.

I also tested this hash for security against the browser version and user IP address. Unfortunately, users of the app will mainly use mobile phones (the IP address will change frequently) and hash verification only against the browser version does not seem safe to me.

Is there any way to create a secure long-term login mechanism using HTML/PHP/MySQL/...?

Ondřej Douša
  • 73
  • 9
  • You can only use cookies for this purpose. Cookies can be stolen. Try to minimize the risk by using HTTPS. You can do additional validation like browser and IP addresses, but yes, that will limit the longevity of the token. You’ve pretty much got all the facts right, not a lot of magic around this. Only a sensible balance of what level of trust you invest in this token. E.g. before allowing the user to change their account password or such, require them to reauthenticate. – deceze Aug 10 '19 at 09:05
  • 1
    These links are useful : https://security.stackexchange.com/questions/35977/ https://stackoverflow.com/questions/307495/ https://stackoverflow.com/questions/49562828/ – GameO7er Aug 10 '19 at 09:25
  • 1
    Yes there's a way and that may be the one Laravel uses; Laravel encrypts cookies with a key (that you set when starting a project). In broad terms: Laravel sets a 'remember_web_*' (web or the desired guard name) cookie which has a value also stored in a column of the users database, if both values are equal, it authenticates the User. You can also set cookies to be only available for http access only and only accept cookies from a https connection. There's also options to only accept cookies from a certain domain or path. Set the cookie to have the desired lifespan of the session. – gerardnll Aug 10 '19 at 09:47

1 Answers1

3

You can think about the problem in abstract terms: You want to recognize a user based on some data. There are two ways you can do this:

  1. You can give some (secret) data to the user they can then show you later
  2. You can gather some data unique to the user

Cookies are an example of 1. - but it doesn't really matter if you use cookies or some other thing like local storage in JavaScript. What you are doing is giving a value to the browser and storing it. All methods have the same risks: The value could be stolen in transit (when not using SSL) or they could be stolen in storage.

For approach 2. there are things like using the user's IP address or other pieces of data they generate "accidentally". These are however not reliable and you're often doing a trade off or a combination of 1. and 2.

For example, you can set a cookie, but on the server side validate that the IP address is the same. This gives you a little bit of additional security, but the user can't use the application on a phone now, since they'd get kicked off each time they switch WiFi / mobile networks.

If you wanted to have something even more secure, you could use an SSL client certificate stored on a HSM. But this is a tradeoff again, since it gets increasingly complex to set up and you have to distribute and manage hardware.

None of these methods help against a compromised client - ie. if the user has a trojan or other malicious software on their machine.

mensi
  • 9,580
  • 2
  • 34
  • 43