Larry Ullman's Book Forums


Hello,

I am a new user on these forums, forgive me if I'm in the wrong hood.

I am new to the idea of sessions/cookies, and I have implemented chapter 12's session based "login/logout" functions on my website. I am curious what the best practice for implementing "remember-me" functionality entails. I have seen several solutions on the internet, ranging in complexity and age (age of post). I was curious if there's a specifically robust & secure method of implementing this that conforms with design patterns/good security.

Regards,

David


The premise is pretty simple: if the user checks the "Remember Me" box you send an additional cookie with a longer expiration and a unique identifier. When the user returns, if the cookie still exists, the unique identifier can then be used to pull their username or email address from the database and prepopulate the form with it. 

In terms of security, just be sure that the cookie value isn't easily reverse-engineered. For example, storing the user's ID or email address or some similar unique identifier in plain text would be the worst possible thing. Storing a hashed version is slightly better, but still not great. Better yet would be to create a table that stores the random hash tied to the user's record (in the database). Then store this hash in the cookie. With each login, create a new hash (in the database and in the cookie). 


Ah, okay. First, you definitely DO NOT store the hashed password in the cookie. The password may be the most important thing to protect, period, especially since users often re-use passwords (i.e., you wouldn't just be compromising their security at your site, you'd be compromising it at other sites potentially as well). 

"Keep me logged in" is just a matter of extending the session beyond its normal, short length. The specifics of how you do this depend upon how you manage sessions but the basic idea is:

1. Store the session ID in a cookie with a longer expiration. 

2. Store the session ID and session data in a database so the session can be recreated.

Note that the default PHP session behavior is for everything--cookies, data--to be deleted relatively quickly, so you can't just rely upon that for the extended session.  

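The design described in the two replies above (a random value tied to the user's record, held in a cookie, replaced on each use), as an added example that is neither the forum's nor the book's code. It assumes a PDO connection and a `remember_tokens` table, both constructed inline so it runs offline, and goes one step beyond the replies by storing only a hash of the secret half of the cookie, so a leaked table cannot by itself be turned into a valid cookie.

```php
<?php
// Added example, not from the forum or the book. The table schema, the
// PDO handle and the user id 42 are constructed here for the demo.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days

// Create a new persistent-login token for $userId and set the cookie.
// Returns the cookie value so the demo below can feed it back in.
function issueRememberToken(PDO $pdo, int $userId): string {
    $selector  = bin2hex(random_bytes(9));   // locates the row; not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    $cookie = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $cookie, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $cookie;
}

// Returns the user id when the cookie is valid, null otherwise. The matching
// row is deleted either way, so each token works once; the caller then
// issues a fresh one (the "new hash with each login" rotation).
function consumeRememberToken(PDO $pdo, string $cookie): ?int {
    if (substr_count($cookie, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $pdo->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) return null;
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ((int)$row['expires'] < time()) return null;
    // Constant-time comparison against the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) return null;
    return (int)$row['user_id'];
}

// Offline demo with a constructed in-memory schema.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
$cookie = issueRememberToken($pdo, 42);
assert(consumeRememberToken($pdo, $cookie) === 42);   // first use restores user 42
assert(consumeRememberToken($pdo, $cookie) === null); // replay fails: row is gone
assert(consumeRememberToken($pdo, 'bogus') === null); // malformed cookie is rejected
```

On a real request, call `consumeRememberToken()` only when no session user is set, then `session_regenerate_id(true)`, set the session user, and call `issueRememberToken()` again so the cookie is rotated.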
