How secure is the implementation of user remembering?

T

Theory Theory2022-03-02 18:55:22

PHP

Theory Theory, 2022-03-02 18:55:22

I'm trying to implement a password remembering function in php. Suppose, when logging in, the server generates a token and sends it to the browser through cookies. Now, on subsequent visits, I compare the token from the cookie and from the database.
There is a small chance that the site will recognize some attacker as another user, because the attacker can change the token from the cookie as many times as he wants.

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

F

FanatPHP, 2022-03-02
@Narbek

The required parameter is called "cryptographic strength".
Most of the self-made solutions "from letters and numbers" do not have such durability .
Just as uuid v4 does not have it either.
At the moment, the recommended solution is to use the random_bytes() function. Next, the token is written to the database and to the user's cookies.
$token = bin2hex(random_bytes(24));

A

Anton Anton, 2022-03-02
@Fragster

well, it means you need to give not id but uuid v4 (this is an example, you can use any other random, the more the better), and store id in a table on the server side, and you can also make a separate binding to ip / useragent or the time of the last request (for example ip (or range) may change within a day or two, the useragent version will increase by 1, otherwise the session with this id is invalid)