Remember Me



kaisellgren

Re: Remember Me

Post by kaisellgren »

No password / username storing in cookies. But what if it's encrypted? No.

What you need is a strong session identifier. For instance, if your session identifier is purely random and is 256 bytes long, you have ~3*10^616 possibilities there. If you have enabled TLS, and your cookies are flagged as "secure" and are HTTP-only, then keeping the identifier alive for a year is not such a problem after all. In addition, tie the IP loosely to the session.

XSS? Doesn't bite if the user keeps himself up-to-date (HTTP-only in latest browsers).
MITM/Eavesdropping? Doesn't bite.
Session forging? Doesn't bite.

Even if someone gets in, does her IP differ? Likely -> doesn't get in.
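The scheme described in the post above, as an added PHP example (not kaisellgren's code): a remember-me cookie that carries only a random identifier, with the secure and HttpOnly flags, a server-side hash of the identifier, and a loose IP tie. It assumes 32 random bytes (256 bits) rather than the post's 256 bytes, an in-memory array in place of a session table, and "loosely tied" read as "same first three octets of an IPv4 address".

```php
<?php
// Added example, not kaisellgren's code: a "remember me" cookie holding only a
// random identifier, never credentials. Assumptions: 32 random bytes (256 bits)
// instead of the post's 256 bytes; an in-memory array stands in for the session
// table; "loosely tied" IP is read as "same first three octets of an IPv4 address".

const TOKEN_LIFETIME = 365 * 24 * 3600; // one year, as the post suggests
// Issue a token for $userId; the raw token goes to the cookie, only its hash is stored.
function issueRememberToken(array &$store, int $userId, string $clientIp): string
{
    $token = bin2hex(random_bytes(32));          // CSPRNG output, 256 bits
    $store[hash('sha256', $token)] = [           // a leaked table must not yield cookies
        'user' => $userId, 'ip' => $clientIp, 'expires' => time() + TOKEN_LIFETIME,
    ];
    setcookie('remember', $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'secure'   => true,   // only sent over TLS
        'httponly' => true,   // not readable by script (the XSS point in the post)
        'samesite' => 'Strict',
    ]);
    return $token;
}

// Loose IP tie: same /24 counts as the same client (assumption of this example).
function ipLooselyMatches(string $a, string $b): bool
{
    return array_slice(explode('.', $a), 0, 3) === array_slice(explode('.', $b), 0, 3);
}

// Validate a presented token; returns the user id, or null after dropping the record.
function validateRememberToken(array &$store, string $token, string $clientIp): ?int
{
    $key = hash('sha256', $token);
    $rec = $store[$key] ?? null;
    if ($rec === null) {
        return null;
    }
    if ($rec['expires'] < time() || !ipLooselyMatches($rec['ip'], $clientIp)) {
        unset($store[$key]);                     // expired or suspicious: invalidate
        return null;
    }
    return $rec['user'];
}

// Constructed demo (no real client involved):
$store = [];
$t = issueRememberToken($store, 42, '203.0.113.10');
var_dump(validateRememberToken($store, $t, '203.0.113.77')); // same /24
var_dump(validateRememberToken($store, $t, '198.51.100.5')); // different network
```

The second lookup also removes the stored record, so a token seen from an unexpected network is spent rather than left for a retry.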