Usercode

Printed From: Web Wiz Forums
Category: General Discussion
Forum Name: General Discussion
Forum Description: General discussion and chat on any topic.
URL: https://forums.webwiz.net/forum_posts.asp?TID=13999
Printed Date: 01 April 2026 at 1:53pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: Usercode
Posted By: Gullanian
Subject: Usercode
Date Posted: 25 February 2005 at 6:53am
Trying to look at the WWF login/registration system because it seems to be the best around. I've written one with passwords in MD5 with salts, changing salts etc. etc., but could someone explain the function of the usercode? Is it a constant value in the database for each user? Is that all that is needed in a cookie to tell that you are logged in?

Thanks



Replies:
Posted By: WebWiz-Bruce
Date Posted: 25 February 2005 at 7:22am
The usercode system was put in a long time ago.

The reason was for security, as passwords never used to be encrypted, so storing the username and/or password in a cookie to track a user could cause a security problem, so instead a unique usercode field was created to track logged-in users, which is stored in the cookie.

For extra security the usercode is changed when users log in, edit profiles, etc.

I did consider using the ASP session ID, but the problem then is that you wouldn't be able to use the auto-login feature and you would need to log in each time you came to the forum.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: Gullanian
Date Posted: 25 February 2005 at 8:16am
Isn't there still the problem of if someone managed to download the database, they could find someone that hasn't logged in for a day or so, and copy the usercode value into a cookie and thus be logged in?  Or am I on the wrong lines?

If this is so, shouldn't the user have to re-enter their current password if they want to change their password for a bit more security?


Posted By: Gullanian
Date Posted: 25 February 2005 at 8:27am
Ah, I see WWF does have a confirm old password box, but does a problem still lie with copying the usercode into a cookie if you have access to a WWF database?
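
The database-copy concern raised in the last two posts, as an added example that is not part of the thread and is not Web Wiz Forums code: a persistent-login token in the role of the usercode, where the server stores only a SHA-256 hash of the cookie value and rotates it on each login, so a value copied from the database does not work as a cookie. `TokenStore`, its methods and the in-memory dictionary standing in for the users table are assumptions for illustration.

```python
import hashlib
import hmac
import secrets


def _digest(token: str) -> str:
    # Only this hash is stored server-side; the raw token lives in the cookie.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class TokenStore:
    """Hypothetical stand-in for the users table (user -> stored token hash)."""

    def __init__(self):
        self.rows = {}

    def issue(self, user: str) -> str:
        """Rotate the token (login, profile edit, ...) and return the cookie value."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self.rows[user] = _digest(token)    # overwrites, so the old cookie dies
        return token

    def verify(self, user: str, cookie_value: str) -> bool:
        """Auto-login check: hash the presented cookie, compare in constant time."""
        stored = self.rows.get(user)
        if stored is None:
            return False
        return hmac.compare_digest(stored, _digest(cookie_value))

    def revoke(self, user: str) -> None:
        """Logout or password change: no cookie is valid until the next issue()."""
        self.rows.pop(user, None)


def demo():
    store = TokenStore()
    cookie = store.issue("alice")        # constructed sample user
    leaked_row = store.rows["alice"]     # what a copy of the database contains
    results = {
        "real_cookie": store.verify("alice", cookie),
        "leaked_row_as_cookie": store.verify("alice", leaked_row),
    }
    new_cookie = store.issue("alice")    # next login rotates the token
    results["old_cookie_after_rotation"] = store.verify("alice", cookie)
    results["new_cookie"] = store.verify("alice", new_cookie)
    return results


if __name__ == "__main__":
    print(demo())
```
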



Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net