Jump to content

WHy would you store a pasword in a cookie?

rv20

By rv20
in PHP Coding Help

 Share

Recommended Posts

KevinM1 Advanced Member

KevinM1

Posted
Posted

if not cookies then what do you suggest the best way to implement "remember me" feature?

 

You're looking at it the wrong way.  It's not that cookies shouldn't be used in a 'remember me' system, it's that a user's password shouldn't be stored in the cookie.

rohithreddyk Newbie

rohithreddyk

Posted
Posted

Ok.. I guess I asked it wrong way..I wanted to ask how to implement a feature where once users logs in and then closes the browser..Once he opens the browser again and teh website, "I want the user to be still logged in"... so its like till the user clicks logout button, user should be logged in...

 

I want this because for the website I am building, there will be only one user(my manager0.. and he doesnt want to login again n again...

MadTechie Regular Member

MadTechie

Posted
Posted

You could have a cookie with a hash thats generated via a random number and another cookie with the username, (added during login with 'remember me' ticked) at the same time insert these values into a sql table along with user ID, when the user comes back you check to see if those cookies exists then get the userID from the database (VIA the random hash and username table) and assign the the sessions as you would during the login process,

 

the best the user can do is change his username or the random hash in the cookies but then the UserID won't be found in the sql table thus no login!

 

Thats a basic idea.. you could add other checks like browser etc but thats the basic idea

 

EDIT: added a little in red!

Daniel0 Advanced Member

Daniel0

Posted
Posted

Or you could like use the built-in session functionality that takes care of doing things like generating a high entropy ID, storing all the info for you, etc. All you have to do is alter the cookie persistence using session_set_cookie_params.

 

Also see: http://www.phpfreaks.com/tutorial/sessions-and-cookies-adding-state-to-a-stateless-protocol

rv20 Member

rv20

Posted
  • Author
Posted

For an auto login if i was using cookies i would just store yes or no in the cookie, the at the top of each *.php page i would have,

 

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

 

But you would really use sessions for this, which are just virtual cookies so to speak.

 

 

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

 

Typos in my first post as well.

Philip Advanced Member

Philip

Posted
Posted

For an auto login i would just store yes or no in the cookie, the at the top of each *.php page i would have,

 

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

 

 

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

 

But then how do you know who the user is? Even so if you had the username I could edit my cookies to have your username and "yes" ;)

rv20 Member

rv20

Posted
  • Author
Posted

For an auto login i would just store yes or no in the cookie, the at the top of each *.php page i would have,

 

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

 

 

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

 

But then how do you know who the user is? Even so if you had the username I could edit my cookies to have your username and "yes" ;)

 

Well they login so you check their username in the db and if they check remember me then,

 

if($_POST['ischecked'] === true){

setcookie("login","yes");

}

 

or roughly that.  Yes i know you an edit the cookie,

 

javascript:document.cookie='login=yes'; 

 

but it's better than actually putting the password in the cookie.

KevinM1 Advanced Member

KevinM1

Posted
Posted

No it's not!

 

 

What's to keep me from setting the login flag on my cookie to yes and changing my username to something else?

 

 

Nothing.

 

Good point. Well i wouldn't use a cookie anyway, sessions, but you are right of course.

 

Sessions still use cookies....

roopurt18 Advanced Member

roopurt18

Posted
Posted

It's not a huge concern that sessions use cookies.  It's much harder to hijack a session than it is to exploit a poorly designed 'Remember Me' feature.  In any case, the only ways I know of to hijack a session are:

1) Compromise the server's security

2) Listen to communication between client and server

3) Have a trojan or spyware installed on the client

 

#1 should be nigh impossible.

#2 can be avoided using SSL.

#3 should only compromise any users who happen to use that machine, and there's not much you can do about it as the owner of a web site.

Daniel0 Advanced Member

Daniel0

Posted
Posted

You needn't store anything other than the user ID (or username if you prefer that). As for "remember me", you can, as previously mentioned, just set an expiration date on the session cookie. When someone requests a page with a valid session active you just get the user info based on the ID/username.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.