Hello! How are you supposed to create an autologin feature on your webpage using phpass as encryption of the passwords?

I mean, the way it checks the password is by giving the CheckPassword method the password in clear text and a hashed string of that password (a previously stored hash, that is). Then it returns true/false, whether it's correct or not.

But if you want to make an autologin feature on your webpage, you don't want to store the password in clear text in your cookie, but in hashed format. And how are you supposed to check those? Is there another method that I've missed, or does CheckPassword accept two hashed passwords instead of one in clear text and one hashed?

Thank you in advance!

+1  A: 

I think what you meant to say is that you store the password in encrypted form in the cookie. There is a difference between hashing and encryption.

However, this is not how you should implement autologin. It's a very bad idea to store a user's password in reversible form on their computer.

The correct way is to use a cookie to keep the user's session active. The cookie stores nothing but the user's random session ID. If the user already has an active session, bypass phpass entirely.

Borealid
Oh yeah. You're right, I'm dumb. Thank you for that! I didn't think about doing it like that (:
Eric
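The pattern Borealid describes, as an added example that is not code from the question, the answer or phpass itself: the cookie carries only a random session ID, the server keeps a hash of that ID next to the user it belongs to, and phpass CheckPassword() runs once at login and is bypassed while the session is valid. The cookie name, lifetime and the in-memory `$sessions` array (standing in for a database table) are assumptions of this example.

```php
<?php
// $sessions stands in for a server-side table: sha256(session id) => row.
$sessions = [];

const SESSION_COOKIE   = 'sid';        // assumed cookie name
const SESSION_LIFETIME = 30 * 86400;   // 30 days, chosen for this example

// Call only after phpass CheckPassword() returned true for $userId.
function startSession(array &$sessions, int $userId): string {
    $sid = bin2hex(random_bytes(32));            // 256-bit random ID
    $sessions[hash('sha256', $sid)] = [          // store only a hash, so a
        'user_id' => $userId,                    // leaked table yields no
        'expires' => time() + SESSION_LIFETIME,  // usable cookies
    ];
    return $sid;                                 // raw ID goes to the browser
}

function setSessionCookie(string $sid): void {
    setcookie(SESSION_COOKIE, $sid, [
        'expires'  => time() + SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Resolve a cookie value to a user ID; null if malformed, unknown or expired.
function resumeSession(array &$sessions, ?string $sid): ?int {
    if ($sid === null || strlen($sid) !== 64 || !ctype_xdigit($sid)) {
        return null;
    }
    $key = hash('sha256', $sid);
    if (!isset($sessions[$key])) {
        return null;
    }
    if ($sessions[$key]['expires'] < time()) {
        unset($sessions[$key]);                   // purge the expired entry
        return null;
    }
    return $sessions[$key]['user_id'];
}

// Logout: delete the server-side row so the cookie becomes useless.
function endSession(array &$sessions, string $sid): void {
    unset($sessions[hash('sha256', $sid)]);
}

// Per-request flow: resume from the cookie, otherwise fall back to the
// login form, where the clear-text password is checked with phpass.
$userId = resumeSession($sessions, $_COOKIE[SESSION_COOKIE] ?? null);
```

The password itself, hashed or not, never reaches the cookie; a stolen cookie is invalidated by deleting the server-side row.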