[solved] Best Practice to: Keep a user logged in
Posted: Tue Aug 22, 2006 12:52 pm
I'm sort of new to the world of PHP, so forgive my ignorance.
The server that I am using kills all idle sessions after a short time (20 minutes I think). But, it's the type of site that some people need to keep open all day and use sporadically throughout the day. So...
I am wondering: what is the best practice for keeping a user logged into a site?
Since I'm on a shared server, I'm assuming that the only way to keep someone logged in (who may walk away from their computer for a few hours), is to use cookies. I have heard that it is bad practice to keep passwords stored in cookies. But, I can't save the username alone, because anyone could save a username into a cookie variable and get logged in as that user.
So, one thing that I thought of was to make a sort of "temporary password". I would add a column to my user table named "temp_pw" and make the value something random like a timestamp. Then, save the user name and temporary password into a cookie when the user first logs in. Then, when my script that checks if a user is logged in or not comes across the two cookies, it would check the db to see if the username/temp pw are a valid match. If there is a match, it would basically go through the process of logging in the user (loading up the session with the appropriate variables) and continue as if the user had never logged off.
I hope all that made sense. It sounds to me like it should work, but I'm not sure if it's the best practice. Or even if it is a practice at all...I just kind of made it up.
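The scheme described in the post above, as an added example that is not part of the original post: the cookie carries the username and a token, and the `temp_pw` column holds only a hash of that token. Assumptions: the token comes from `random_bytes()` because a timestamp can be guessed, the `temp_pw_expires` column, the function names, the cookie names and the 30-day lifetime are hypothetical, an in-memory SQLite table stands in for the real user table, and the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
// Added example: the "temp_pw" idea with an unpredictable token, stored hashed.
// Table layout and function names are assumptions, not the poster's code.

function issueRememberToken(PDO $db, string $username): string
{
    $token = bin2hex(random_bytes(32));            // CSPRNG output, not a timestamp
    $stmt = $db->prepare('UPDATE users SET temp_pw = ?, temp_pw_expires = ? WHERE username = ?');
    // Only the hash is stored, so a leaked table does not yield usable cookies.
    $stmt->execute([hash('sha256', $token), time() + 30 * 86400, $username]);
    return $token;                                 // caller puts this in the cookie
}

function checkRememberToken(PDO $db, string $username, string $token): ?string
{
    $stmt = $db->prepare('SELECT temp_pw, temp_pw_expires FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['temp_pw'] === null || (int)$row['temp_pw_expires'] < time()) {
        return null;                               // unknown user, no token, or expired
    }
    // Constant-time comparison of the stored hash with the hash of the cookie value.
    if (!hash_equals($row['temp_pw'], hash('sha256', $token))) {
        return null;
    }
    // Rotate on every use so a copied cookie stops working once the real user returns.
    return issueRememberToken($db, $username);
}

function sendRememberCookie(string $username, string $token): void
{
    // HttpOnly keeps page scripts from reading the token; Secure limits it to HTTPS.
    $opts = ['expires' => time() + 30 * 86400, 'path' => '/',
             'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    setcookie('remember_user', $username, $opts);
    setcookie('remember_token', $token, $opts);
}

// Constructed demo data: in-memory SQLite stands in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, temp_pw TEXT, temp_pw_expires INTEGER)');
$db->exec("INSERT INTO users (username) VALUES ('alice')");

$cookie = issueRememberToken($db, 'alice');                     // at login
var_dump(checkRememberToken($db, 'alice', 'guessed') === null); // wrong token is rejected
$next = checkRememberToken($db, 'alice', $cookie);              // valid cookie is accepted
var_dump(is_string($next) && $next !== $cookie);                // and replaced by a new token
var_dump(checkRememberToken($db, 'alice', $cookie) === null);   // the old token no longer works
```

On a successful check the caller would pass the returned token to `sendRememberCookie()` and then load the session variables as the post describes; clearing `temp_pw` at logout invalidates any cookie still held by a browser.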