Encrypt login and password in cookie to keep user logged in



  • What is the best alternative to encrypting data to use it in a cookie so that i can decrypt it later to validate the user data?

    Currently saved: Login - Password and IP in an array and then encrypt it with the function.

    is that safe?

    $user_log = array();
    $user_log[] = ['ip' => $user_ip, 'login' => $user, 'pass' => $pass, 'valid_example_key' => '36asd6123u129asdh']; //valid_example_key update every 3 minutes
    
    setcookie('user_log', encrypt(json_encode($user_log), 'red27156@xauxafrubraysusellhollws8xbygabandmyfriendsinthwlrd'), time() + (86400 * 90), '/', null, true, true);
    
    function encrypt($pure_string, $encryption_key) {
        $cipher     = 'AES-256-CBC';
        $options    = OPENSSL_RAW_DATA;
        $hash_algo  = 'sha256';
        $sha2len    = 32;
        $ivlen = openssl_cipher_iv_length($cipher);
        $iv = openssl_random_pseudo_bytes($ivlen);
        $ciphertext_raw = openssl_encrypt($pure_string, $cipher, $encryption_key, $options, $iv);
        $hmac = hash_hmac($hash_algo, $ciphertext_raw, $encryption_key, true);
        return base64_encode($iv.$hmac.$ciphertext_raw);
    }
    
    function decrypt($encrypted_string, $encryption_key) {
        $encrypted_string = base64_decode($encrypted_string);
        $cipher     = 'AES-256-CBC';
        $options    = OPENSSL_RAW_DATA;
        $hash_algo  = 'sha256';
        $sha2len    = 32;
        $ivlen = openssl_cipher_iv_length($cipher);
        $iv = substr($encrypted_string, 0, $ivlen);
        $hmac = substr($encrypted_string, $ivlen, $sha2len);
        $ciphertext_raw = substr($encrypted_string, $ivlen+$sha2len);
        $original_plaintext = openssl_decrypt($ciphertext_raw, $cipher, $encryption_key, $options, $iv);
        $calcmac = hash_hmac($hash_algo, $ciphertext_raw, $encryption_key, true);
        if(function_exists('hash_equals')) {
            if (hash_equals($hmac, $calcmac)) return $original_plaintext;
        } else {
            if ($this->hash_equals_custom($hmac, $calcmac)) return $original_plaintext;
        }
    }
    
    function hash_equals_custom($knownString, $userString) {
        if (function_exists('mb_strlen')) {
            $kLen = mb_strlen($knownString, '8bit');
            $uLen = mb_strlen($userString, '8bit');
        } else {
            $kLen = strlen($knownString);
            $uLen = strlen($userString);
        }
        if ($kLen !== $uLen) {
            return false;
        }
        $result = 0;
        for ($i = 0; $i < $kLen; $i++) {
            $result |= (ord($knownString[$i]) ^ ord($userString[$i]));
        }
        return 0 === $result;
    }
    

    valid_example_key checks whether the key is reported and the same that is in the database to try to prevent cookie theft

    • If the user misses the password 3 times, the script returns a captcha
    • The cookie updates every 3 minutes, and the old no work because the valid_example_key changes.
    • The cookie only changes if the user is on the site.


  • is that safe?

    No.

    For example, you seem to be using a very short encryption key named 'key' in your current scheme.

    Also, you are reusing the same key for integrity (hmac) as you used for encryption.

    Also, the fact that you are encrypting passwords at all is probably a bad idea.


Log in to reply
 

Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2