MargateSteve, posted August 30, 2011

I am about to attempt to write my first PHP script from scratch after a year or so of copying and adapting code. I am going to do a registration/login system and, thinking ahead, want to make sure that once someone is logged in, this information is passed from page to page (so they do not have to log in again on each page), and I would also like to provide a 'Remember Me' option.

I have had a read up and, from what I gather, sessions would be better for showing someone is logged in from page to page and cookies would be the only way to implement a 'Remember Me'. Would this be the best way to approach this or is/are there better ways?

Thanks in advance

Steve

Link to comment: https://forums.phpfreaks.com/topic/246043-logins-with-remember-me-sessions-cookies-or-both/

ZulfadlyAshBurn, posted August 30, 2011

The first thing when the user says remember me: store the IP and browser agent info in the db and make a cookie which never expires. Sessions do expire. When the user opens the page again, check if the cookie is stored; if not stored, check the database; if the database is able to get the same info, then check the user's password. If correct, then allow entry.

MargateSteve (author), posted August 31, 2011

I didn't think about using the db to store data regarding the 'Remember Me' function. I assumed it would all be stored in cookies. Once I start on the login part of my script I will have a better look at that.

Would I be right to presume that there is no standard 'best practice' for this and it would be down to whichever I get on with best?

skwap, posted August 31, 2011

> store the IP and browser agent info in the db

Almost all users' IPs are dynamic. Then how?

ZulfadlyAshBurn, posted August 31, 2011

Yes, it is true that almost all users' IPs are dynamic, but they don't change often. Thus, it checks for cookies first; if there are cookies, then enter; if not, check IP and browser agent with MySQL; if it's the same, then enter. Else go to login, etc....

voip03, posted August 31, 2011

How long can you keep the cookies alive in PHP?

xyph, posted August 31, 2011

You can use either. I have designed custom session handlers that allow persistent sessions.

Regardless, I would avoid storing the username and password in a cookie; instead, like sessions, store a key that refers to that specific user. If security is paramount, I suggest generating a new key with each request.

MargateSteve (author), posted August 31, 2011

> Yes, it is true that almost all users' IPs are dynamic, but they don't change often. Thus, it checks for cookies first; if there are cookies, then enter; if not, check IP and browser agent with MySQL; if it's the same, then enter. Else go to login, etc....

I can understand the logic behind that. If a user has deleted his cookies, there would still be a good chance that the user could still be automatically logged in via the details in the db.

MargateSteve (author), posted August 31, 2011

> You can use either. I have designed custom session handlers that allow persistent sessions. Regardless, I would avoid storing the username and password in a cookie; instead, like sessions, store a key that refers to that specific user. If security is paramount, I suggest generating a new key with each request.

I think I understand what you are saying here. Upon logging in, a field in the db can be updated with a key, that key can also be placed in the cookie, and the user/password can be selected from the database where the keys match?

If I have understood it, how would I get it to generate a unique key each time? Using rand would (although unlikely) run the risk of generating two or more identical keys.

ZulfadlyAshBurn, posted September 7, 2011

> If I have understood it, how would I get it to generate a unique key each time? Using rand would (although unlikely) run the risk of generating two or more identical keys.

The risk of getting an identical key using rand() is very low. Nonetheless, you should be using md5(), where it is impossible to be identical.
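
Added example, not part of the original thread: one way to build the scheme xyph describes (the cookie holds only a random key that refers to the user, and the key is replaced every time it is used), which also covers the question of generating keys that do not collide. It assumes PHP 7.3 or later and takes its keys from random_bytes(); the function names and the in-memory `$store` array are hypothetical stand-ins for a database table.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a remember_tokens table (selector => row).
$store = [];

// Issue a token: the cookie gets "selector:validator"; the store keeps only
// a hash of the validator, so a leaked table cannot be replayed as cookies.
function issueToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, from the OS CSPRNG
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;
}

// Check a cookie value. On success the old token is deleted and a fresh one
// is issued; returns [userId, newCookieValue], or null if the cookie is bad.
function redeemToken(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use, whatever the outcome
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // expired or wrong secret: log in again
    }
    return [$row['user_id'], issueToken($store, $row['user_id'])];
}

// Constructed walk-through: user 42 ticks "Remember Me", returns later,
// and then the old cookie value is presented a second time.
$cookie = issueToken($store, 42);
[$userId, $next] = redeemToken($store, $cookie);
var_dump($userId === 42);                        // the valid cookie identifies the user
var_dump(redeemToken($store, $cookie) === null); // the old value is no longer accepted
var_dump(redeemToken($store, $next) !== null);   // the rotated value is
// In a page, send the new value back to the browser:
// setcookie('remember', $next, ['expires' => time() + 1209600, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

The cookie never contains the username or password, and the timing-safe hash_equals() comparison runs against a stored hash rather than the raw key.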