
How to securely save a user login for long-term access

I am creating a PHP/MySQL application in which users log in with a username and password, but I need the user's login to the system to survive even closing the browser or restarting the device.

For this reason, I cannot rely on PHP sessions.

Of course I can use browser cookies, but I am afraid of them being stolen.

I tried storing the generated hash in a cookie and storing the login information in the database. Unfortunately, there is a big problem here with the potential theft of cookies.

I also tried verifying this hash against the browser version and the user's IP address. Unfortunately, users of the app will mainly use mobile phones (the IP address will change frequently), and verifying the hash only against the browser version does not seem safe to me.

Is there any way to create a secure long-term login mechanism using HTML/PHP/MySQL/…?


Answer

You can think about the problem in abstract terms: You want to recognize a user based on some data. There are two ways you can do this:

  1. You can give some (secret) data to the user they can then show you later
  2. You can gather some data unique to the user

Cookies are an example of 1. – but it doesn’t really matter whether you use cookies or something else like local storage in JavaScript. What you are doing is giving a value to the browser and storing it. All such methods have the same risks: the value could be stolen in transit (when not using SSL) or it could be stolen in storage.

For approach 2. there are things like using the user’s IP address or other pieces of data they generate “accidentally”. These are however not reliable, and you’re often making a trade-off or using a combination of 1. and 2.

For example, you can set a cookie, but on the server side validate that the IP address is the same. This gives you a little bit of additional security, but the user can’t use the application on a phone now, since they’d get kicked off each time they switch WiFi / mobile networks.

If you wanted something even more secure, you could use an SSL client certificate stored on an HSM. But this is a trade-off again, since it gets increasingly complex to set up and you have to distribute and manage hardware.

None of these methods help against a compromised client – i.e. if the user has a trojan or other malicious software on their machine.
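As an added example (not part of the question or the answer above), here is approach 1. done in PHP the way a practitioner would: the browser gets a random secret, the server stores only a hash of it, comparison is constant-time, the cookie is marked Secure/HttpOnly, and the secret is rotated on every use so a copied cookie stops working as soon as either the owner or the thief has presented it. It deliberately does not bind the token to the IP address, for the mobile-network reason given in the answer. The cookie name, the 30-day lifetime, the table schema and the in-memory `$tokens` array standing in for a MySQL table are all assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example, not from the original post. Persistent "remember me" login
// in the split selector/validator form. The in-memory $tokens array stands in
// for a MySQL table; the assumed schema and the equivalent queries are shown
// in comments.
//
//   CREATE TABLE remember_tokens (
//     selector       CHAR(24)     PRIMARY KEY,
//     validator_hash CHAR(64)     NOT NULL,   -- sha256 hex of the secret half
//     user_id        INT UNSIGNED NOT NULL,
//     expires_at     DATETIME     NOT NULL
//   );

const COOKIE_NAME    = 'remember_me';      // assumed cookie name
const TOKEN_LIFETIME = 30 * 24 * 3600;     // assumed policy: 30 days

/** Row store standing in for the MySQL table, keyed by selector. */
$tokens = [];

/**
 * Issue a token for $userId, persist only a hash of the secret half, and
 * return the cookie value to hand to the browser.
 */
function issueToken(array &$tokens, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key, 24 hex chars
    $validator = random_bytes(32);            // secret half, never stored in clear

    $tokens[$selector] = [
        'validator_hash' => hash('sha256', $validator),
        'user_id'        => $userId,
        'expires_at'     => $now + TOKEN_LIFETIME,
    ];
    // MySQL: INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
    //        VALUES (?, ?, ?, FROM_UNIXTIME(?))
    return $selector . ':' . base64_encode($validator);
}

/**
 * Check a presented cookie value. Returns ['user_id' => ..., 'cookie' => ...]
 * on success (the new cookie value must be sent back, because the old one is
 * burned) and null on any failure.
 */
function verifyToken(array &$tokens, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 24 || !ctype_xdigit($parts[0])) {
        return null;
    }
    [$selector, $encoded] = $parts;
    $validator = base64_decode($encoded, true);
    if ($validator === false || strlen($validator) !== 32) {
        return null;
    }
    // MySQL: SELECT validator_hash, user_id, UNIX_TIMESTAMP(expires_at)
    //        FROM remember_tokens WHERE selector = ?
    // Looking the row up by the public selector keeps the secret half out of
    // the SQL WHERE clause, so the database comparison leaks no timing on it.
    $row = $tokens[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Correct selector, wrong secret: treat as a stolen or forged cookie
        // and revoke the row.  MySQL: DELETE FROM remember_tokens WHERE selector = ?
        unset($tokens[$selector]);
        return null;
    }
    if ($row['expires_at'] <= $now) {
        unset($tokens[$selector]);
        return null;
    }
    // Rotate on use: delete the old row and issue a fresh token.
    unset($tokens[$selector]);
    return ['user_id' => $row['user_id'], 'cookie' => issueToken($tokens, $row['user_id'], $now)];
}

/** Cookie attributes that close the in-transit and script-readable theft cases. */
function sendCookie(string $value, int $now): void
{
    setcookie(COOKIE_NAME, $value, [
        'expires'  => $now + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Strict',
    ]);
}

// CLI demonstration: issue, verify once (which rotates), then present the old
// value again, which is rejected because the first use burned it.
$now     = time();
$cookie  = issueToken($tokens, 42, $now);
$first   = verifyToken($tokens, $cookie, $now);
$replay  = verifyToken($tokens, $cookie, $now);
$second  = verifyToken($tokens, $first['cookie'], $now);
var_dump($first['user_id'], $replay, $second['user_id']);
```

In a real deployment the `$tokens` array is replaced by the commented PDO queries against `remember_tokens`, and the session that this cookie re-establishes should itself be regenerated (`session_regenerate_id(true)`) so the long-lived token and the short-lived session never share an identifier. None of this changes the answer's last point: a trojan on the device can read the cookie jar and replay the token exactly as the browser would.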

User contributions licensed under: CC BY-SA