
Keep a user logged in. (cookies)

Posted: Sat Apr 10, 2004 12:12 pm
by hawleyjr
I am beginning to brainstorm how I am going to use cookies so my user doesn't have to log in every time they go to my site. I am curious to see what information other people tend to store when doing something similar. (Username, name, dt, etc.)

Thanks for any feedback.

-J

Posted: Sat Apr 10, 2004 7:54 pm
by tim
Well, what set-up do you have? Do you store the data in a MySQL table?

All you really need is to set a cookie for the username. Maybe even the password.

then something along the lines of:

Code:

<?php
// Set on a successful login (assumes $username was just checked against the DB).
setcookie("member", $username, time() + 365 * 86400);

// On later requests the browser sends the cookie back in $_COOKIE
// (register_globals, which the bare $username relied on, is off in modern PHP).
if (isset($_COOKIE['member'])) {
    $username = $_COOKIE['member'];   // whatever value the browser sends
    echo "hello $username, you are logged in, blah blah show page, whatever";
} else {
    echo "You need to log-in";
}
?>
If in fact you're using MySQL:

Code:

<?php
// Look the user up by the name from the cookie. The value is escaped so a
// quote in the cookie cannot change the query. (The mysql_* extension was
// removed in PHP 7; mysqli or PDO are the replacements.)
$sql = "SELECT * FROM user_table WHERE user='" . mysql_real_escape_string($username) . "'";
$result = mysql_query($sql);

// etc etc...
?>

Posted: Sat Apr 10, 2004 7:59 pm
by d3ad1ysp0rk
What happens when they open up their cookies and change the value to "Administrator"?

Posted: Sat Apr 10, 2004 8:00 pm
by Buddha443556
I wasn't sure from your question whether you mean information stored in the cookie or on the server? But here's my answer...

The only information I usually store in a cookie is a session id. Any other information such as username, name, dt, etc. is stored on the server. The session id identifies the user and whatever other information you wish to associate with that user.

Posted: Sat Apr 10, 2004 8:01 pm
by tim
Well, I never would have considered someone with that amount of time on their hands, but very easy to do, I guess.

Hence why you may need to store the password as well (as I said), if you think your community would do such things.

Code:

<?php
// Remember both the username and the password in cookies...
setcookie("member", $username, time() + 365 * 86400);
setcookie("password", $password, time() + 365 * 86400);

// ...and on each visit check the pair the browser sends against the users table.
$sql = "SELECT * FROM users WHERE user = '" . mysql_real_escape_string($username) . "'";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);       // false when there is no such user

$name = $row ? $row['user'] : null;      // the column the query matched on
$pass = $row ? $row['password'] : null;  // stored in the clear in this scheme

if ($row && $username == $name && $password == $pass) {
    // yippy
} else {
    echo "nay";
}

// or you could implement sessions and store IDs, to be safe.
?>
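What Buddha443556's "only a session id in the cookie" rule looks like for a persistent login, set beside the username/password cookies above. This is an added example, not code from the thread: the cookie carries nothing but an opaque random token, the database keeps only a hash of that token (never the password), so editing the cookie to "Administrator" yields nothing, and a copied database dump does not yield working cookies either. The `$db` array stands in for a MySQL table; the function names, column names and 30-day lifetime are assumptions made here.

```php
<?php
// Added example, not code from the thread. $db is an in-memory stand-in
// for a `remember_tokens` table; all function/column names and the
// lifetime are assumptions for this example.
declare(strict_types=1);

const REMEMBER_LIFETIME = 30 * 86400;   // assumed policy: 30 days

$db = ['remember_tokens' => []];        // selector => row

// Called after a password login. Returns the cookie value to hand to
// setcookie('remember', $value, ['expires' => time() + REMEMBER_LIFETIME,
//     'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);  // PHP >= 7.3 form
function issue_remember_token(array &$db, string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(9));      // public lookup key (18 hex chars)
    $validator = random_bytes(32);              // the secret; stored only as a hash
    $db['remember_tokens'][$selector] = [
        'user'    => $username,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . bin2hex($validator);
}

// Returns the username the cookie proves, or null. Every failure looks the
// same to the client. A known selector with a wrong validator is revoked:
// that pattern means the cookie was copied and altered, or guessed.
function user_from_remember_token(array &$db, ?string $cookie, int $now): ?string
{
    if ($cookie === null || !preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                             // "Administrator" is rejected here
    }
    $selector     = $m[1];
    $validatorHex = $m[2];
    $row = $db['remember_tokens'][$selector] ?? null;
    if ($row === null || $row['expires'] < $now) {
        return null;
    }
    $given = hash('sha256', hex2bin($validatorHex));
    if (!hash_equals($row['hash'], $given)) {    // constant-time comparison
        unset($db['remember_tokens'][$selector]);
        return null;
    }
    return $row['user'];
}

// Explicit logout drops the server-side row, not just the cookie.
function revoke_remember_token(array &$db, string $cookie): void
{
    $selector = explode(':', $cookie, 2)[0];
    unset($db['remember_tokens'][$selector]);
}

// --- demo ---
$now    = time();
$cookie = issue_remember_token($db, 'hawleyjr', $now);
$sel    = explode(':', $cookie, 2)[0];
$forged = $sel . ':' . str_repeat('00', 32);     // right selector, guessed validator

var_dump(user_from_remember_token($db, $cookie, $now));                         // "hawleyjr"
var_dump(user_from_remember_token($db, 'Administrator', $now));                 // NULL
var_dump(user_from_remember_token($db, $cookie, $now + REMEMBER_LIFETIME + 1)); // NULL (expired)
var_dump(user_from_remember_token($db, $forged, $now));                         // NULL, row revoked
var_dump(user_from_remember_token($db, $cookie, $now));                         // NULL (revoked above)
```

The split into a selector (used for the database lookup) and a validator (compared with `hash_equals` against its stored hash) keeps the lookup cheap while the comparison stays constant-time; storing only the hash means the token in the cookie, like a password, is never recoverable from the table.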

Posted: Sat Apr 10, 2004 8:03 pm
by d3ad1ysp0rk
If you have sessions set to never expire from your server, buddha's way would probably work best.

Posted: Sat Apr 10, 2004 8:11 pm
by tim
Very sorry for the bad advice hawley.

I am glad better programmers like punk can catch my mistakes.

Kudos, punk, for the keen eye, and sessions would be better (as suggested).

Posted: Sat Apr 10, 2004 9:29 pm
by d3ad1ysp0rk
I wouldn't call myself a better program, you should look at some of my old code :P

I've just been involved in a conversation like this before :P

Posted: Sat Apr 10, 2004 9:36 pm
by hawleyjr
I am surprised to see the sessionID as the variable to store in the cookie.

Isn't that a huge security risk?

http://www.acros.si/papers/session_fixation.pdf

Posted: Sat Apr 10, 2004 9:45 pm
by Ixplodestuff8
LiLpunkSkateR wrote:I wouldn't call myself a better program, you should look at some of my old code :P

I've just been involved in a conversation like this before :P
I wouldn't call you a program at all, and if you were a program, your AI is sooo advanced that yes, it would be a better program ;)

Posted: Sat Apr 10, 2004 9:45 pm
by d3ad1ysp0rk
It's just as much of a risk as saving the password.

Cookies in general are a security risk. The only risk of saving the sessionID is if someone hacks another for the sole purpose of getting their access privileges to a specific forum/area. In that case, they can either open the file and read what's in it, or just copy it into their cookies folder.
Either way, they now have access, unless you use a more secure approach such as sessions, making the user log in every time.

Posted: Sat Apr 10, 2004 9:48 pm
by d3ad1ysp0rk
Ixplodestuff8 wrote:
LiLpunkSkateR wrote:I wouldn't call myself a better program, you should look at some of my old code :P

I've just been involved in a conversation like this before :P
I wouldn't call you a program at all, and if you were a program, your AI is sooo advanced that yes, it would be a better program ;)
If I were a program, I'd be the leetest program there ever was... *breaks out in song and dance from the wizard of Oz* :roll:

*Programmer. :P

Posted: Sat Apr 10, 2004 9:56 pm
by hawleyjr
Thanks, everyone, for your input.

I think the approach I'm going to take will be to store the session id in a cookie. I will allow the user to view content, but as soon as they want to do something such as change a password, send a form email, etc., I will determine whether they logged in or came in through a cookie. If a cookie was used, ask the user to supply their password.

Posted: Sat Apr 10, 2004 10:11 pm
by Buddha443556
hawleyjr wrote:I am surprised to see the sessionID as the variable to store in the cookie.

Isn't that a huge security risk?

http://www.acros.si/papers/session_fixation.pdf
Session fixation isn't a huge risk if you follow the recommendations in section 5 of the paper you mentioned. As long as you take the necessary precautions, you can manage the risk of using sessions.

The trick to good security is making the other guy look like an easier target. :wink:
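The login side of the "session id in the cookie" design that hawleyjr settled on and Buddha443556 calls manageable, as an added example that is not code from the thread. It applies the two precautions that take the sting out of session fixation (the server accepts only IDs it generated itself, and it issues a fresh ID at the moment of authentication, so an ID planted before login is never upgraded) and adds hawleyjr's rule that a session which came in through a remember-me cookie may browse but must supply the password again before a sensitive action. The user table, the ten-minute freshness window and the function names are assumptions made here.

```php
<?php
// Added example, not code from the thread. The user table, the freshness
// window and the function names are assumptions for this example.
declare(strict_types=1);

const FRESH_AUTH_WINDOW = 10 * 60;   // assumed: password entered less than 10 min ago

// Stand-in for a users table; password_hash() instead of a plaintext column.
$users = ['hawleyjr' => password_hash('correct horse', PASSWORD_DEFAULT)];

function start_secure_session(): void
{
    ini_set('session.use_strict_mode', '1');   // discard IDs this server never generated
    ini_set('session.use_only_cookies', '1');  // no ?PHPSESSID=... in URLs
    ini_set('session.cookie_httponly', '1');   // keep script access away from the cookie
    // ini_set('session.cookie_secure', '1');  // on HTTPS deployments
    session_start();
}

function login(array $users, string $username, string $password): bool
{
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;                            // failure changes nothing in the session
    }
    session_regenerate_id(true);                 // new ID on privilege change; old one deleted
    $_SESSION['user']        = $username;
    $_SESSION['auth_method'] = 'password';
    $_SESSION['auth_time']   = time();
    return true;
}

// Used once a remember-me token has been validated server-side.
function login_from_remember_cookie(string $username): void
{
    session_regenerate_id(true);
    $_SESSION['user']        = $username;
    $_SESSION['auth_method'] = 'cookie';
    $_SESSION['auth_time']   = time();
}

// Change password, send a form e-mail, etc.: only after a recent password login.
function may_perform_sensitive_action(): bool
{
    return isset($_SESSION['user'])
        && $_SESSION['auth_method'] === 'password'
        && (time() - $_SESSION['auth_time']) < FRESH_AUTH_WINDOW;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);   // the old ID is dead even before destroy()
    session_destroy();
}

// --- demo (php-cli). Results are collected first, because session_*
// calls refuse to run once any output has been sent. ---
function demo(array $users): array
{
    start_secure_session();
    $arrived_with = session_id();                // an ID an attacker may have planted
    $r = [];
    $r['wrong password rejected']  = login($users, 'hawleyjr', 'nope') === false;
    $r['right password accepted']  = login($users, 'hawleyjr', 'correct horse');
    $r['planted ID abandoned']     = session_id() !== $arrived_with;
    $r['sensitive ok after login'] = may_perform_sensitive_action();
    login_from_remember_cookie('hawleyjr');
    $r['sensitive blocked from cookie login'] = may_perform_sensitive_action() === false;
    logout();
    $r['nothing left after logout'] = !isset($_SESSION['user']);
    return $r;
}

print_r(demo($users));   // every entry should print as 1 (true)
```

`session.use_strict_mode` is what stops the classic fixation setup of handing the victim a chosen ID, and `session_regenerate_id(true)` at login covers the case where the attacker obtained a real ID before the victim authenticated; the `auth_method` marker is the piece that lets a cookie-based visitor read content while still being asked for the password on a state-changing action.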

Posted: Sun Apr 11, 2004 12:38 am
by tim
LiLpunkSkateR wrote:it's just as much of a risk as saving the password.
How so? You're running the value in the cookie against the value in the DB (at least in my example?). I mean, I'll give you the username script I first wrote.

If a user can guess your password and replace the value in the cookie, well, it isn't the script's fault, it's the user's. Everyone chooses abcd or 1234 as their passwords; any brute-force program can crack that in a second.

I'm just a little confused on that :?: