I have a function below which creates / inserts the customer's autologin information.
However, I am not sure if the tokens and unique_tokens are secure enough.
There is no personal information set in the cookie, just tokens.
Should I improve the tokens? What would you suggest for tokens?
PHP Code:
public function create_autologin($customer_id)
{
    // IV size for CAST-256 in CFB mode; reused below as the byte length of unique_token
    $size = mcrypt_get_iv_size(MCRYPT_CAST_256, MCRYPT_MODE_CFB);

    // plaintext for the first token: uniqid() with a rand() prefix
    $msg = uniqid(rand());

    // encrypt that value with the CodeIgniter Encrypt library and the configured key
    $key   = $this->CI->config->item('encryption_key');
    $token = $this->CI->encrypt->encode($msg, $key);

    // second token: $size random bytes from /dev/random, hex-encoded
    $unique_token = bin2hex(mcrypt_create_iv($size, MCRYPT_DEV_RANDOM));

    $data = array(
        'customer_id'  => $customer_id,
        'token'        => $token,
        'unique_token' => $unique_token,
        'created'      => time(),
    );

    if ($this->CI->db->insert($this->CI->db->dbprefix . 'customer_autologin', $data)) {
        // cookie carries only the two tokens joined by a colon; HttpOnly is set, Secure is not
        setcookie(
            'remember',
            "$token:$unique_token",
            $this->set_the_time_for_cookie_to_expire,
            '/',
            '.localhost',
            false,
            true
        );

        $session_data = array(
            'customer_id'  => $customer_id,
            'is_logged_in' => true,
        );
        $this->CI->session->set_userdata($session_data);
    }
}
There's only one rule - please don't tell anyone to go and read the manual. Sometimes the manual just SUCKS!
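A quick look at what is actually unpredictable in the $msg that create_autologin() encrypts, as an added example (my code, not code from the post): uniqid() without the more_entropy flag is the Unix seconds as 8 hex digits followed by the microseconds as 5 hex digits, so once the issue time is roughly known (the 'created' column, or just "today") the only parts left to guess are the rand() prefix and the microseconds. The guess window, the helper names and the printed demo are assumptions for the example.

```php
<?php
// Added example (not from the original post): what an attacker can learn about
// the $msg = uniqid(rand()) value that create_autologin() encrypts into 'token'.

/**
 * Break a uniqid(rand()) string into its parts.
 * uniqid() without more_entropy is always 13 hex chars: 8 for the Unix seconds
 * and 5 for the microseconds; anything before that is the rand() prefix.
 */
function split_uniqid(string $msg): array
{
    if (strlen($msg) < 13 || !ctype_xdigit(substr($msg, -13))) {
        throw new InvalidArgumentException('not a uniqid() value');
    }
    return [
        'rand_prefix'  => substr($msg, 0, -13),
        'seconds'      => hexdec(substr($msg, -13, 8)),
        'microseconds' => hexdec(substr($msg, -5)),
    ];
}

/**
 * Upper bound, in bits, on what has to be guessed once the attacker knows
 * the issue time to within $window_seconds. The seconds field then only
 * contributes log2(window); the microseconds are below 2^20; the rand()
 * prefix is at most log2(getrandmax()+1) bits and rand() is not a CSPRNG.
 */
function uniqid_guess_bits(int $window_seconds, int $rand_max): float
{
    $rand_bits = log($rand_max + 1, 2);
    $usec_bits = log(1000000, 2);
    $sec_bits  = log(max($window_seconds, 1), 2);
    return $rand_bits + $usec_bits + $sec_bits;
}

// Demonstration on a freshly generated value (assumed window: one day).
$msg   = uniqid(rand());
$parts = split_uniqid($msg);
printf("msg=%s prefix=%s issued=%s.%06d\n",
    $msg, $parts['rand_prefix'], date('c', $parts['seconds']), $parts['microseconds']);
printf("worst-case bits to guess with a one-day window: %.1f (a 32-byte random_bytes() token has 256)\n",
    uniqid_guess_bits(86400, getrandmax()));
```

The encryption that encode() layers over $msg hides the value from anyone who does not hold encryption_key; it does not add entropy to it. The second value, unique_token, is the one that is actually random: mcrypt_create_iv() with MCRYPT_DEV_RANDOM, at the CAST-256 IV size of 16 bytes, gives 128 bits from /dev/random.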
This is how I do it; there may be better ways, not sure.
PHP Code:
/**
 * guidV4 ()
 * ------------------------------------------------------------------------
 *
 * generates a GUID with 36 characters including hyphens
 *
 * Usage: $tmp = self::guidV4();
 *
 *                       |-4   |- 8 9 a b
 * Format: XXXXXXXX-XXXX-xXXX-yXXX-XXXXXXXXXXXX
 *
 * @return string
 */
public static function guidV4()
{
    // this is for MS Windows Systems.
    if (function_exists('com_create_guid') === true)
    {
        return trim(com_create_guid(), '{}');
    }

    $data = openssl_random_pseudo_bytes(16);

    $data[6] = chr(ord($data[6]) & 0x0f | 0x40); // set version to 0100
    $data[8] = chr(ord($data[8]) & 0x3f | 0x80); // set bits 6-7 to 10

    // 32 hex chars split into 4-char groups, joined as 8-4-4-4-12
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($data), 4));
}

/**
 * generateToken ()
 * --------------------------------------------------------------------
 *
 * Generates an array with selector | validator then it will hash them
 *
 * USAGE: generateToken();
 *
 * @return array
 */
private function generateToken()
{
    /**
     * If you define a namespace, you can prefix it to the GUID
     * Just un-remark the line below and rem the other line.
     */
    //$tmp = Uuid_Namespace."-".self::guid_v4();
    $tmp = self::guidV4();

    $tokenData = array(
        'selector' => $tmp,
        'token'    => base64_encode(hash('sha256', $tmp)), // SHA-256 of the selector, base64-encoded
    );

    return $tokenData;
}
What did you Try?
What did you Get?
What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
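The selector/validator split that generateToken() above names, written out end to end as an added example (my code, not InsiteFX's and not CodeIgniter's): the cookie carries a random selector used only to find the row plus a second, independently generated random validator; the database keeps only a SHA-256 hash of the validator, the check uses hash_equals(), and every successful use rotates the pair. It also answers the original question, since both values come from random_bytes() rather than uniqid(rand()) or mcrypt. The AUTOLOGIN_TTL constant, the function names and the in-memory $store array standing in for the customer_autologin table are assumptions for the example; in real code the store is the DB table and the returned cookie value is passed to setcookie() as in the first post.

```php
<?php
// Added example: selector/validator "remember me" tokens in plain PHP 7.1+.
// An in-memory array stands in for the customer_autologin table (assumption).

const AUTOLOGIN_TTL = 30 * 24 * 3600;        // 30 days, assumed policy

/** Create a token pair, persist only the validator's hash, return the cookie value. */
function create_autologin(array &$store, int $customer_id, int $now): string
{
    $selector  = bin2hex(random_bytes(12));   // 96-bit lookup key, may be stored in clear
    $validator = bin2hex(random_bytes(32));   // 256-bit secret, never stored in clear

    $store[$selector] = [
        'customer_id'    => $customer_id,
        'validator_hash' => hash('sha256', $validator),   // a DB leak must not equal a login
        'expires'        => $now + AUTOLOGIN_TTL,
    ];

    // Cookie carries selector:validator; neither part identifies the user on its own.
    return $selector . ':' . $validator;
}

/**
 * Verify a cookie value. Returns the customer_id on success, null otherwise.
 * On success the row is rotated: the old selector is dropped, a fresh pair is
 * written, and the replacement cookie value is handed back via $new_cookie.
 */
function verify_autologin(array &$store, string $cookie, int $now, ?string &$new_cookie = null): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                          // malformed cookie
    }
    [$selector, $validator] = $parts;

    if (!isset($store[$selector])) {
        return null;                          // unknown selector: nothing to compare against
    }
    $row = $store[$selector];

    if ($row['expires'] <= $now) {
        unset($store[$selector]);             // expired: clean up and refuse
        return null;
    }

    // Constant-time compare of hashes so timing does not leak how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector but wrong validator: treat as tampering and revoke the row.
        unset($store[$selector]);
        return null;
    }

    // Success: rotate so a copied cookie that has already been used is worthless.
    unset($store[$selector]);
    $new_cookie = create_autologin($store, $row['customer_id'], $now);
    return $row['customer_id'];
}

/** Revoke every remember-me row for a customer (e.g. on password change). */
function revoke_all(array &$store, int $customer_id): int
{
    $n = 0;
    foreach ($store as $selector => $row) {
        if ($row['customer_id'] === $customer_id) {
            unset($store[$selector]);
            $n++;
        }
    }
    return $n;
}

// Demonstration with constructed data.
$store  = [];
$now    = 1469600000;                          // constructed issue timestamp
$cookie = create_autologin($store, 42, $now);

$rotated = null;
var_dump(verify_autologin($store, $cookie, $now + 60, $rotated));        // first use, rotates
var_dump(verify_autologin($store, $cookie, $now + 120));                 // same cookie again
var_dump(verify_autologin($store, $rotated, $now + AUTOLOGIN_TTL + 61)); // rotated cookie past TTL
var_dump(revoke_all($store, 42));
```

Run stand-alone, the demo issues a cookie for customer 42, verifies it once (which succeeds and rotates the pair), presents the same cookie again (refused, the old selector is gone), and finally presents the rotated cookie after the TTL (refused as expired). A wrong validator for a known selector is treated as tampering and revokes that row; revoke_all() is what a password change or "log out everywhere" should call.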
In the end, nothing is secure enough to prevent all attacks, if such an attacker exists.
If you log in your user with a "Remember-Token", the token should be completely random (obviously 100% unique), nothing related to the user.
So the possible attacker has to trial-and-error thousands of random tokens to get access to an account, which is nearly impossible.
But in case the attacker has access to the machine of your user, in any way you want, a Trojan maybe, he can read out the cookie data,
and no master-unhackable-super-token can prevent the attacker from getting into this account.
(07-27-2016, 03:31 AM) InsiteFX Wrote:
This is how I do it; there may be better ways, not sure.
Thanks for the code, I'll play around with it and see how I go.