MyBB Community Forums

Full Version: How should I craft my login system?
How I'd usually do it is store the password hash in a cookie and the user ID.

I guess it's a bit like MyBB's, but I've been told this is not very secure and that I should just make a token and tie it to a user's IP address so the only way to steal a session is to spoof the connection.

Thoughts and examples?

P.S.
After spending a lot of time with Bitcoin I've transitioned from MD5 to SHA512 hashing. SHA256 would suffice, but yeah... a lot of crunchers out there.
Storing the password in a cookie? Really? I personally use a sessions system similar to the one MyBB uses. I store the user's ID in a cookie along with a session code (random string then used to perform logouts etc).

I really wouldn't store passwords in cookies though, even if they are hashed.
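
The scheme described in the reply above (user ID plus a random session code in the cookie, no password hash), as an added example that is not part of the original thread or MyBB's own code. The `SessionStore` class, the `sid` cookie name and the in-memory array standing in for a sessions table are assumptions.

```php
<?php
// Added example. The in-memory array stands in for a sessions table (assumption).
final class SessionStore
{
    /** @var array<string, array{uid: int, expires: int}> keyed by SHA-256 of the code */
    private array $rows = [];

    // Call after the password check succeeds; the return value goes in the cookie.
    public function issue(int $uid, int $ttl = 3600): string
    {
        $code = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
        // Keep only a hash server-side, so a leaked table yields no usable cookies.
        $this->rows[hash('sha256', $code)] = ['uid' => $uid, 'expires' => time() + $ttl];
        return $code;
    }

    // True only if this code was issued to this user ID and has not expired.
    public function check(int $uid, string $code): bool
    {
        $key = hash('sha256', $code);
        $row = $this->rows[$key] ?? null;
        if ($row === null) {
            return false;
        }
        if ($row['expires'] <= time()) {
            unset($this->rows[$key]); // drop the stale row
            return false;
        }
        return $row['uid'] === $uid;
    }

    // Logout: deleting the row invalidates every copy of the cookie.
    public function revoke(string $code): void
    {
        unset($this->rows[hash('sha256', $code)]);
    }
}

// Constructed demo: user 42 logs in, returns with the cookie, then logs out.
$store = new SessionStore();
$code = $store->issue(42);
// In a real response (hypothetical cookie name 'sid'):
// setcookie('sid', $code, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump($store->check(42, $code));                // cookie as issued
var_dump($store->check(7, $code));                 // same code, different user ID
var_dump($store->check(42, str_repeat('0', 64)));  // guessed code
$store->revoke($code);
var_dump($store->check(42, $code));                // replayed after logout
```

Because the cookie value is unrelated to the password, deleting the server-side row ends the session without requiring a password change.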
Any examples out there of how to implement a login system that does not contain the password hash in the cookie?

Also I strongly suggest MyBB to move away from the insecure triple MD5 hashing to the much securer SHA256 or above.
I use my own encryption class. Even if they managed to get the database, they wouldn't be able to decrypt any of the passwords unless they had a custom-made set of rainbow tables.