Jump to content

Recommended Posts

if not cookies then what do you suggest the best way to implement "remember me" feature?

 

You're looking at it the wrong way.  It's not that cookies shouldn't be used in a 'remember me' system, it's that a user's password shouldn't be stored in the cookie.

Ok.. I guess I asked it wrong way..I wanted to ask how to implement a feature where once users logs in and then closes the browser..Once he opens the browser again and teh website, "I want the user to be still logged in"... so its like till the user clicks logout button, user should be logged in...

 

I want this because for the website I am building, there will be only one user(my manager0.. and he doesnt want to login again n again...

You could have a cookie with a hash thats generated via a random number and another cookie with the username, (added during login with 'remember me' ticked) at the same time insert these values into a sql table along with user ID, when the user comes back you check to see if those cookies exists then get the userID from the database (VIA the random hash and username table) and assign the the sessions as you would during the login process,

 

the best the user can do is change his username or the random hash in the cookies but then the UserID won't be found in the sql table thus no login!

 

Thats a basic idea.. you could add other checks like browser etc but thats the basic idea

 

EDIT: added a little in red!

Or you could like use the built-in session functionality that takes care of doing things like generating a high entropy ID, storing all the info for you, etc. All you have to do is alter the cookie persistence using session_set_cookie_params.

 

Also see: http://www.phpfreaks.com/tutorial/sessions-and-cookies-adding-state-to-a-stateless-protocol

For an auto login if i was using cookies i would just store yes or no in the cookie, the at the top of each *.php page i would have,

 

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

 

But you would really use sessions for this, which are just virtual cookies so to speak.

 

 

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

 

Typos in my first post as well.

For an auto login i would just store yes or no in the cookie, the at the top of each *.php page i would have,

 

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

 

 

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

 

But then how do you know who the user is? Even so if you had the username I could edit my cookies to have your username and "yes" ;)

For an auto login i would just store yes or no in the cookie, the at the top of each *.php page i would have,

 

<?php

if($_cookie['login'] == "no"){

header("location home.php");
}

 

 

and btw these guys are very good coders after looking at their work, they make pretty complex sites, i will email them and ask as i go to the site a lot.

 

But then how do you know who the user is? Even so if you had the username I could edit my cookies to have your username and "yes" ;)

 

Well they login so you check their username in the db and if they check remember me then,

 

if($_POST['ischecked'] === true){

setcookie("login","yes");

}

 

or roughly that.  Yes i know you an edit the cookie,

 

javascript:document.cookie='login=yes';  

 

but it's better than actually putting the password in the cookie.

No it's not!

 

 

What's to keep me from setting the login flag on my cookie to yes and changing my username to something else?

 

 

Nothing.

 

Good point. Well i wouldn't use a cookie anyway, sessions, but you are right of course.

 

Sessions still use cookies....

It's not a huge concern that sessions use cookies.  It's much harder to hijack a session than it is to exploit a poorly designed 'Remember Me' feature.  In any case, the only ways I know of to hijack a session are:

1) Compromise the server's security

2) Listen to communication between client and server

3) Have a trojan or spyware installed on the client

 

#1 should be nigh impossible.

#2 can be avoided using SSL.

#3 should only compromise any users who happen to use that machine, and there's not much you can do about it as the owner of a web site.

You needn't store anything other than the user ID (or username if you prefer that). As for "remember me", you can, as previously mentioned, just set an expiration date on the session cookie. When someone requests a page with a valid session active you just get the user info based on the ID/username.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.