Keep a user logged in. (cookies)
I am beginning to brainstorm how I am going to use cookies so my user doesn't have to log in every time they go to my site. I am curious to see what information other people tend to store when doing something similar. (Username, name, dt, etc.)
Thanks for any feedback.
-J
Well, what set-up do you have? Do you store the data in a MySQL table?
If in fact you're using MySQL, all you need really is to set a cookie for the username. Maybe even the password.
Then something along the lines of:
Code:
<?php
// $username comes from the login form; on later visits read it back from the cookie
if (!isset($username) && isset($_COOKIE["member"])) {
    $username = $_COOKIE["member"];
}
if (isset($username)) {
    setcookie("member", $username, time() + 365 * 86400); // keep it for a year
    echo "hello $username, you are logged in, blah blah show page, whatever";
} else {
    echo "You need to log-in";
}
?>
Code:
<?php
// Look the user up by the name held in the cookie (escaped so it cannot break the query)
$sql = "SELECT * FROM user_table WHERE user='" . mysql_real_escape_string($username) . "'";
$result = mysql_query($sql);
// etc etc...
?>
-
d3ad1ysp0rk
- Forum Donator
- Posts: 1661
- Joined: Mon Oct 20, 2003 8:31 pm
- Location: Maine, USA
- Buddha443556
- Forum Regular
- Posts: 873
- Joined: Fri Mar 19, 2004 1:51 pm
I wasn't sure from your question whether you meant information stored in the cookie or on the server, but here's my answer...
The only information I usually store in a cookie is a session id. Any other information such as username, name, dt, etc. is stored on the server. The session id identifies the user and whatever other information you wish to associate with that user.
Well, I never would consider someone with that amount of time on their hands, but very easy to do I guess.
Hence why you may need to store the password as well... (as I said) if you think your community would do such actions.
Code:
<?php
// Cookie the username and password for a year, then check them against the users table
setcookie("member", $username, time() + 365 * 86400);
setcookie("password", $password, time() + 365 * 86400);
$sql = "SELECT * FROM users WHERE user = '" . mysql_real_escape_string($username) . "'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result); // false if no such user
$name = $row ? $row['name'] : null;
$pass = $row ? $row['password'] : null;
if ($username == $name && $password == $pass) {
    // yippy
} else {
    echo "nay";
}
// or you could implement sessions and store ids to be safe.
?>
Last edited by tim on Sat Apr 10, 2004 8:06 pm, edited 1 time in total.
I am surprised to see the session ID as the variable to store in the cookie.
Isn't that a huge security risk?
http://www.acros.si/papers/session_fixation.pdf
- Ixplodestuff8
- Forum Commoner
- Posts: 60
- Joined: Mon Feb 09, 2004 8:17 pm
- Location: Queens, New York
It's just as much of a risk as saving the password.
Cookies in general are a security risk; the only risk of saving the session ID is if someone hacks another for the sole purpose of getting their access privileges to a specific forum/area. In that case, they can either open the file and read what's in it, or just copy it into their cookies folder.
Either way, they now have access, unless you use a more secure approach such as sessions, making the user log in every time.
Thanks everyone for your input.
I think the approach I'm going to take will be to store the session id in a cookie. I will allow the user to view content, but as soon as they want to do something such as change a password, send a form email, etc., I will determine whether they logged in or came in through a cookie. If a cookie was used, ask the user to supply their password.
- Buddha443556
- Forum Regular
- Posts: 873
- Joined: Fri Mar 19, 2004 1:51 pm
Session fixation isn't a huge risk if you follow the recommendations in section 5 of the paper you mentioned. As long as you take the necessary precautions, you can manage the risk of using sessions.
hawleyjr wrote:
I am surprised to see the session ID as the variable to store in the cookie.
Isn't that a huge security risk?
http://www.acros.si/papers/session_fixation.pdf
The trick to good security is making the other guy look like an easier target.
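As an added example (not code from the thread or from any poster), here is what the approach Buddha443556 and the original poster settle on looks like in PHP: the session id is regenerated at login so a pre-login id cannot be fixated, the "remember me" cookie carries a random token rather than the username and password, and sensitive actions demand a password login. It assumes a PDO handle `$db`, the two table layouts named in the comments, and a `/login.php` page; all of these are assumptions.

```php
<?php
// Added example, not code from the thread. Assumes a PDO handle $db and two tables:
// users(id, user, password_hash) and remember_tokens(selector, validator_hash, user_id, expires).
session_start();
// Password login: regenerate the session id so an id planted before login
// (session fixation, section 5 of the Acros paper) is never promoted to an authenticated one.
function login_with_password(PDO $db, string $username, string $password): bool {
    $st = $db->prepare('SELECT id, password_hash FROM users WHERE user = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !password_verify($password, $row['password_hash'])) return false;
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['auth_via'] = 'password';
    issue_remember_cookie($db, (int) $row['id']);
    return true;
}

// Remember-me cookie: a random selector:validator pair instead of the username and
// password; only the validator's hash is stored, so a leaked table row is not a usable cookie.
function issue_remember_cookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 30 * 86400;
    $st = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $st->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie('remember', "$selector:$validator", ['expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Later visit: check the cookie in constant time and record that this session
// was NOT established with a password, so sensitive actions can demand one.
function login_from_cookie(PDO $db): bool {
    $parts = explode(':', $_COOKIE['remember'] ?? '');
    if (count($parts) !== 2) return false;
    $st = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires > ?');
    $st->execute([$parts[0], time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) return false;
    session_regenerate_id(true);
    $_SESSION['user_id']  = (int) $row['user_id'];
    $_SESSION['auth_via'] = 'cookie';
    return true;
}
// Changing a password, sending a form e-mail, etc.: insist on a password login first.
function require_password_login(): void {
    if (($_SESSION['auth_via'] ?? '') === 'password') return;
    header('Location: /login.php?reauth=1'); // login page path is an assumption
    exit;
}
```

Call `login_from_cookie($db)` at the top of each page when no session user is set, and `require_password_login()` at the start of the password-change or mail-sending handlers.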
How so? You're running the value in the cookie against the value in the DB (at least in my example?). I mean, I'll give you the username script I first wrote.
LiLpunkSkateR wrote:
it's just as much of a risk as saving the password.
If a user can guess your password and replace the value in the cookie, well, it isn't the script's fault, it's the user's. Everyone chooses abcd or 1234 as their passwords; any brute-force program can crack that in a second.
I'm just a little confused on that.