As it stands, a cookie hijacker can steal the encrypted
pass out of the cookie and log into PHPMyAdmin
whenever he/she wants. It is also easy for him to be
reassured that the user/pass is the right one (by the
I would suggest encrypting the username to make every
user that is logged into the network look the same. This
would also make it impossible to see if root or some other
targeted user is logged in at the time.
I would also like to propose a method where a hijacker
could only hijack the user/pass for a specified period of
time. (Let's say three hours... or let the user decide in
the config file.)
This will be accomplished by:
1. Specify a time variance between clicks. (Log out time
1. Send a cookie with the Date/Time & Variance
encrypted with the blowfish pass (BlowPass) in the
config file. Overwrite the Date/Time but NOT the
2. Create another pass by combining the Date/Time,
Variance & BlowPass. (md5... maybe) The variance is
optional and may only slightly slow a hacker.
3. Encrypt the User and Pass with the new
4. Send the encrypted User and Pass in a cookie.
1. Decrypt the Date/Time with BlowPass
2. If Date/Time out of variance, Log Out!
3. Use Date/Time and BlowPass to recreate
4. Decrypt User/pass.
5. Check if authorized with MySQL.
6. Update Date/Time cookie with current Date/Time.
Voilà. The encrypted pass sent to a user's computer is
now time sensitive. If the time variance is out of range,
the encrypted pass cannot be used! This secures the
front-end (without sessions) as much as I can wrap my
mind around today.
Sending the variance in the cookie is optional. It may
only add a small amount of security. The idea behind it is
that if the hacker has write permissions to the config
file, he could change the variance to be huge, allowing
him/her to use the time sensitive cookie for an extended
period of time. However if the user could write to the
config file, he could no doubt create a little program to
capture the user/pass when they were entered &
numerous other things.
I would be happy to make these modifications if you
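The login and per-request procedure proposed above, worked through as an added example in Python. This is not phpMyAdmin code and not the poster's own implementation; the names BLOWPASS, VARIANCE, issue_cookies, check_cookies and the authorize callback (standing in for the MySQL check) are all assumptions. The Python standard library has no Blowfish, so the Blowfish call is replaced by an HMAC-SHA256 counter-mode stream cipher with an HMAC tag (encrypt-then-MAC), and SHA-256 is used where the post floats MD5. The tag lets the server reject a Date/Time or credential cookie that has been altered, which plain encryption alone does not guarantee.

```python
import base64
import hashlib
import hmac
import os
import struct

# Constructed config values; the post's config file is not shown, so these
# names and values are assumptions for the example.
BLOWPASS = b"change-me-in-the-config-file"
VARIANCE = 3 * 60 * 60  # allowed idle time between clicks, in seconds


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: stand-in for the Blowfish call the post assumes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Returns base64(nonce || ciphertext || tag) so the value fits in a cookie."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ct + tag).decode()


def decrypt(key, cookie):
    """Returns the plaintext, or None if the cookie was altered or made under another key."""
    try:
        raw = base64.urlsafe_b64decode(cookie)
    except ValueError:
        return None
    if len(raw) < 48:
        return None
    nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def stamp_key(blowpass):
    """Key for the Date/Time cookie: derived from BlowPass alone."""
    return hashlib.sha256(b"stamp:" + blowpass).digest()


def derive_key(timestamp, variance, blowpass):
    """Step 2 of the post: a per-login key from Date/Time, variance and BlowPass
    (SHA-256 here in place of the MD5 the post floats)."""
    return hashlib.sha256(b"%d:%d:" % (timestamp, variance) + blowpass).digest()


def issue_cookies(user, password, now, blowpass=BLOWPASS, variance=VARIANCE):
    """Login (and refresh): returns (time_cookie, cred_cookie) for the given clock value."""
    time_cookie = encrypt(stamp_key(blowpass), b"%d:%d" % (now, variance))
    cred_cookie = encrypt(derive_key(now, variance, blowpass),
                          user.encode() + b"\0" + password.encode())
    return time_cookie, cred_cookie


def check_cookies(time_cookie, cred_cookie, now, authorize, blowpass=BLOWPASS):
    """Per request.  Returns (user, new_time_cookie, new_cred_cookie), or None
    meaning 'log out'.  authorize(user, password) stands in for the MySQL check."""
    stamp = decrypt(stamp_key(blowpass), time_cookie)
    if stamp is None:
        return None
    try:
        issued, variance = (int(x) for x in stamp.split(b":"))
    except ValueError:
        return None
    if not 0 <= now - issued <= variance:
        return None  # out of variance (or clock went backwards): log out
    creds = decrypt(derive_key(issued, variance, blowpass), cred_cookie)
    if creds is None or b"\0" not in creds:
        return None  # credential cookie was not made under this Date/Time
    user, password = (x.decode() for x in creds.split(b"\0", 1))
    if not authorize(user, password):
        return None
    # Step 5/6: refresh.  Both cookies are re-issued because the credential key
    # is derived from the Date/Time; the old credential cookie would not decrypt
    # under a new stamp.
    new_time_cookie, new_cred_cookie = issue_cookies(user, password, now, blowpass, variance)
    return user, new_time_cookie, new_cred_cookie
```

Because both cookies are re-issued on every successful request, this implements the "variance between clicks" as an idle timeout: a stolen pair stops working once it has sat unused for longer than VARIANCE. A hard cap measured from the original login would need that login time carried in the stamp as well.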