Sometimes you don’t need Fort Knox. I recently worked on a tiny web app that didn’t store any secure data, but needed some sort of authentication so that saved data could be retrieved later or on a separate device. Sessions weren’t appropriate, and a full-blown authentication system would be overkill.

I decided to try a single-field authentication system, using only a passphrase. Again, security is not important. I just want to save some data and go back and get it later. Here’s how it works:

  1. When the user first hits the site, the server checks for the login cookie. If the cookie isn’t there, the user is redirected to the login screen.
  2. The user enters a passphrase.
  3. Server encrypts the passphrase, stores it in a cookie and passes the user on to the app.
  4. As data is read and written to the database, the app checks the cookie for the encrypted password, which doubles as the user’s unique identifier in the database.

What’s good about this system?

  • Usability. Less to remember.
  • Low overhead. There’s no user table in the database, and no actual user data is even written, until valid app data is entered.

What sucks?

  • No password recovery.
  • Choosing a unique password is very important. If you use something generic, you’re likely to run into someone else’s stuff. On the other hand, this could actually be great for collaboration.

Here’s how it works:

Here’s the login form:

    <form action="index.php" method="post">
        <input id="passphrase" type="password" name="passphrase" />
        <input type="submit" name="submit" value="Start" />
    </form>

After the form is submitted, I put the following at the top of the processor page:

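    if ( isset($_POST['passphrase']) ) {
        $pass = crypt($_POST['passphrase'],'$2a$10$'.'ECFdsd654Sdo6idwsfds');
        setcookie('passphrase', $pass, time() + 3600*24*30*365); // cookie name is an assumption; the original line is not shown
        header('Location: '. $_SERVER['PHP_SELF']);
        exit; // stop here so the redirect happens before any page output
    }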

Here’s what it does:

  1. Take the submitted passphrase and encode it using the PHP crypt() function
  2. Write the encrypted value to a cookie with an expiration of one year (3600*24*30*365)
  3. Reload the page, so that the cookie can be read.
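
Step 4 of the flow above uses a cookie the browser can change as the database key, so the app should confirm the value still has the shape crypt() produces and pass it to the database only as a bound parameter. The following is an added example, not code from the original post: the cookie name, the `items` table and its columns are assumptions, and the demonstration uses in-memory SQLite through PDO (pdo_sqlite extension).

```php
<?php
// Added example: cookie, table and column names are assumptions, not from the post.
const COOKIE_NAME = 'passphrase';
// A bcrypt crypt() result at cost 10: "$2a$10$" followed by 53 salt+hash characters.
const HASH_SHAPE = '/\A\$2[axy]\$10\$[.\/A-Za-z0-9]{53}\z/';

/** Return the cookie value if it looks like a bcrypt hash, otherwise null. */
function current_user_key(array $cookies): ?string
{
    $value = $cookies[COOKIE_NAME] ?? null;
    if (!is_string($value) || preg_match(HASH_SHAPE, $value) !== 1) {
        return null; // missing, array-valued, or altered by the client
    }
    return $value;
}

/** Load the rows stored under this key; binding keeps the cookie out of the SQL text. */
function load_items(PDO $db, string $userKey): array
{
    $stmt = $db->prepare('SELECT body FROM items WHERE owner = :owner ORDER BY id');
    $stmt->execute([':owner' => $userKey]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, owner TEXT NOT NULL, body TEXT NOT NULL)');

$key = '$2a$10$' . str_repeat('A', 53); // constructed value with the right shape
$db->prepare('INSERT INTO items (owner, body) VALUES (?, ?)')->execute([$key, 'first note']);

$samples = [ // constructed cookie arrays standing in for $_COOKIE
    'well-formed' => [COOKIE_NAME => $key],
    'malformed'   => [COOKIE_NAME => "x' OR '1'='1"],
    'array'       => [COOKIE_NAME => ['a' => 'b']],
    'absent'      => [],
];
foreach ($samples as $label => $cookies) {
    $userKey = current_user_key($cookies);
    $result = $userKey === null
        ? 'redirect to login'
        : json_encode(load_items($db, $userKey));
    echo str_pad($label, 12), ' => ', $result, PHP_EOL;
}
```

In the app itself, `current_user_key($_COOKIE)` would run before every read or write, with a null result treated the same as a missing cookie in step 1.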