Jump to content

Best way to remember me

jrws

By jrws
in PHP Coding Help

 Share

Recommended Posts

jrws Member

jrws

Posted
Posted

Hey guys,

Not so much a problem as just a question. At the moment I am using a remember me function that includes grabbing the password. However I am concerned about crackers, even though I am using md5. So I was wondering whats the best way to use a remember function.

At the moment here's what happens

User logins

If user successfully logins and does not select remember me, store information as sessions otherwise as cookies. Checks cookie data against database to prevent hacking. If it doesn't exist logouts user, otherwise creates a session with the information.

 

So that's it so far, what can I do to make it more secure? Or do you think it is enough?

Link to comment
Share on other sites
Zane Prolific Member

Zane

Posted
Posted

you should never have to store a password in a cookie or even a session.

 

The password should go straight to MD5() and then to a database to stay.

 

You could store the username or user ID in a cookie along with the remember me variable which should just be a boolean.  Most always the variable should be true no matter what (because no one is going to need a cookie to not be "remembered.")

 

You'd also need a new field in your user table...signifying if they're still logged in or not.  I would make this field a varchar to keep a copy of the session id from whence they clicked "remember me".

 

You might also want a table for your session logs...(if you don't prefer sending them to an apache log file).  In the session log, you should have a session id and a user id for every session....and maybe a field for "logged in" (boolean).

 

Then when you are displaying your login table.  Add conditions to check

-if the cookie is expired or not

-grab the session id and user id from the cookie

-search the sessions table for that session id ...for a match

-compare the user id in that resulting row with the cookie's user id

-check the same session table to see if they are "logged in" still.

-consider them logged in

-un "login" the old session

-edit the cookie accordingly

-do it all over again.

 

I think that's the jist of it....I may have left out a detail or two, but that's my idea of it all.

Someone will probably cut me up on security issues soon enough anyway, so there's definitely more to it.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.