Oxyscripts Forums > phpUserLogin > phpUserLogin Support

#1
Old 27th June 2003, 23:52
Chairman Mao
Junior Member
Join Date: 27th June 2003
Posts: 1

What is "hidden_key"

Hi.
I'm trying out phpUserLogin, and my question is: what does the var 'hidden_key' do?

Does the cryptographic strength of this package depend a lot on what you use for this var? If so, I'm a little worried since it's static and I don't have any guideline for the key length to use. Is it like a session key?

Also, has anyone had any experience using this package with other session handling scripts like PHP Secure Sessions?

Any info would be appreciated.
Thanks.
#2
Old 28th June 2003, 21:54
Drakxter
Senior Member
Join Date: 22nd February 2002
Posts: 1,557

"hidden_key" is used in the cookies, to make them much more secure...

If there was no hidden_key then it would be easy to make fake cookies (until the next version, where passwords will also be used in the cookies (but also encrypted in the hash cookie)), but by adding this "random key" the "hacker" needs to go through millions of different hashes using different keys, and on each server he needs to do it again, because it uses a whole other key...

This little example might help..
md5() is a function in PHP that makes a special hash of fixed length out of the text you supply to it.

When the cookies are made a username and a hash cookie are made.

The username cookie stores the user's username, while the hash cookie stores a "hash" that is built up like this: md5(username+hidden_key)

Now when the user changes page, the script will check these cookies to see if they are legit, this is done by checking the cookie hash against a new hash, made with the cookie username.. So:

md5(cookie_username+hidden_key) = cookie_hash

If those two are the same, the cookies are valid...

Now what to set this key to... Well it could be:

1363klæjsdlgfh346213 or

6436lj3lsdafiu3 or

1354645yhnsdn bdlkj or even

094kkk34k4k4k4 or what about

heymynameisdrakxter

Hope this clears things up a bit..

Ohh and length does not really matter, as long as it's 1 char or longer... but I would personally set it to something at least over 10 chars long.
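The cookie scheme described in the reply above, written out as an added PHP example (not phpUserLogin's own code): one function builds the username/hash cookie pair, the other recomputes md5(cookie_username + hidden_key) and compares it against the hash cookie. The key value and the user names are constructed placeholders; hash_equals() is assumed available (PHP 5.6 or later).

```php
<?php
// Added example modelling the phpUserLogin cookie check from the post above.
// $HIDDEN_KEY is a constructed placeholder; each server should use its own value.
$HIDDEN_KEY = 'example-server-secret-change-me';

// Build the two cookies the post describes: the plain username and
// a hash that binds that username to this server's hidden_key.
function make_login_cookies(string $username, string $hidden_key): array
{
    return [
        'username' => $username,
        'hash'     => md5($username . $hidden_key),
    ];
}

// Recompute the hash from the username cookie and compare it with the
// hash cookie. hash_equals() compares in constant time so the comparison
// itself does not leak how many leading characters matched.
function cookies_are_valid(array $cookies, string $hidden_key): bool
{
    if (!isset($cookies['username'], $cookies['hash'])) {
        return false;
    }
    $expected = md5($cookies['username'] . $hidden_key);
    return hash_equals($expected, (string) $cookies['hash']);
}

// Constructed inputs: a genuine cookie pair for "alice", and a forged pair
// that reuses alice's hash with a different username (what a forger lacking
// the hidden_key can do). The first check passes, the second fails.
$good   = make_login_cookies('alice', $HIDDEN_KEY);
$forged = ['username' => 'admin', 'hash' => $good['hash']];

var_dump(cookies_are_valid($good, $HIDDEN_KEY));
var_dump(cookies_are_valid($forged, $HIDDEN_KEY));
```

Because the hash depends only on the username and the static key, a valid pair stays valid until the key changes; that is the property the reply's "next version" note about adding the password to the hash is addressing.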