'Keep Me Logged In' -- Cookies and Sessions

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

tecktalkcm0391
DevNet Resident

Post by tecktalkcm0391 »

How could I make a 'Keep me logged in' option? Just use cookies that store a username and an 'encrypted' password, or what?

What would be the most secure way?
John Cartwright
Site Admin

Post by John Cartwright »

You can create a unique key and store that inside your database and cookie. Simple enough :wink: A simple precaution you could take is to store their IP address when they logged in and check to see if it is the same one; if not, ignore their unique key. It is also very important, if you're going to be using a remember-me system, to ask for their actual password if you are performing any actions that could affect their account -- such as changing their password.
Benjamin
Site Administrator

Post by Benjamin »

Besides the fact that AOL users sometimes have a different IP on each page request, if you want to keep users logged in across internet connections (assuming dialup, DSL, and cable modem users all receive new IPs every time they reconnect or reboot) and you want to use more than just a cookie, the only other thing that I can think of that wouldn't change is the browser user agent.

I would at least make sure that it prompts for a password anyway before allowing any account information changes.
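A remember-me implementation along the lines John describes (a random key held in both the database and the cookie, with the session flagged so that account changes still require the password), as an added example that is not from the thread. It assumes PHP 7.3+ for the setcookie options array and a hypothetical remember_tokens table; storing only a hash of the secret half of the key is an addition beyond the posts, and, following Benjamin's point, the IP address is not used as a check.

```php
<?php
// Added example (not from the thread). Assumes a hypothetical table:
//   remember_tokens(selector CHAR(24) PRIMARY KEY, token_hash CHAR(64),
//                   user_id INT, expires_at DATETIME)
// The cookie holds "selector:validator"; only a hash of the validator is
// stored, so a copy of the database alone cannot be replayed as a cookie.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 30;

function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // lookup key, 24 hex chars
    $validator = bin2hex(random_bytes(32));   // secret half, never stored in clear
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, date('Y-m-d H:i:s', $expires)]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Returns the user id on success, null otherwise. Marks the session as
// cookie-authenticated so that account changes can demand the password again.
function loginFromRememberCookie(PDO $db): ?int
{
    if (!isset($_COOKIE[REMEMBER_COOKIE]) || substr_count($_COOKIE[REMEMBER_COOKIE], ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);

    $stmt = $db->prepare('SELECT user_id, token_hash FROM remember_tokens
                          WHERE selector = ? AND expires_at > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals compares in constant time, so the check does not leak timing
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['auth_via_cookie'] = true;   // re-prompt for password before account changes
    return (int) $row['user_id'];
}
```

Pages that change the password or e-mail address check `$_SESSION['auth_via_cookie']` and send the user through the normal password form first, which is the re-authentication both replies call for.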