form cookie option
I would like to offer a cookie option on a login form so users stay
logged in when they come back. I currently just use a session
after the validation. It works fine but deletes when they close the
How would I offer a cookie option? Should I pass a post value like
cookie=1 etc. and then do an if condition after validation based on
Can someone give advice on the best method to do something like
I would probably store a hashed password in a cookie and then, if that cookie exists and contains the proper hash, I would log them in automatically.
Just give them the option to do it and use something better than md5 (crypt should do the trick if you don't store the salt in the cookie).
Actually, even if you stored just the username's hash without the salt and kept the salt safe on the server, that should be relatively safe. As long as the client doesn't know the salt, it's almost impossible to fake the hash.
You would add a 'remember me' checkbox to your login form. At the point in your login code where the user has successfully logged in, you would test if your 'remember me' checkbox form field has been checked.
You would then generate a unique token to store in the remember me cookie and also store this in your user table (you would need to add a column specifically to hold the token value).
You should not generate the value you store in the cookie from any of the user information because that value will be static for any user and if someone gets a hold of that value they will be able to use it to login until the original user value it is generated from is changed. Would you want to require your users to change their password or username or to regenerate a new salt string just to stop someone who has gotten a hold of someone else's 'remember me' cookie value?
By generating a unique token that is not a fixed value for any user, it can be regenerated at any time and you make it harder for the bad guys. Also, by generating it and storing it in a field in the database table, you can clear it in that table when someone logs out, or to disable a value where it is known that the value has been gotten a hold of by someone else.
You would change your 'page protection' logic so that if the 'logged in session' value is not set, you get the user's id using the 'remember me' cookie value and set the logged in session value the same as if the user had just successfully logged in.
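The token-based flow described in this answer, written out as an added Python example (this is not code from the thread; the question's own code is PHP and not shown). The "user table" is a constructed in-memory dict with the extra `remember_token` column the answer calls for, the cookie name `remember_me` and the `session`/`cookies` dicts stand in for the framework's session and cookie jar, and the login, page-protection and logout handlers are the three points in the flow the answer identifies:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the user table. `remember_token` is the
# extra column the answer says to add; None means no remember-me token is set.
USERS = {
    1: {
        "username": "alice",
        "salt": b"constructed-salt",
        "password_hash": hashlib.pbkdf2_hmac(
            "sha256", b"correct horse", b"constructed-salt", 100_000),
        "remember_token": None,
    },
}

COOKIE_NAME = "remember_me"  # assumed cookie name


def check_password(user, password):
    """Verify a password against the stored salted PBKDF2 hash."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), user["salt"], 100_000)
    return hmac.compare_digest(candidate, user["password_hash"])


def find_user_by_name(username):
    for uid, user in USERS.items():
        if user["username"] == username:
            return uid, user
    return None, None


def login(username, password, remember_me, session, cookies):
    """Login handler. On success set the session; if the 'remember me' box
    was ticked, mint a fresh random token, store it in the user's row and
    send it to the browser as the cookie value."""
    uid, user = find_user_by_name(username)
    if user is None or not check_password(user, password):
        return False
    session["user_id"] = uid
    if remember_me:
        # Random token, derived from nothing about the user, so it can be
        # replaced at any time without changing the password or salt.
        token = secrets.token_urlsafe(32)
        user["remember_token"] = token
        cookies[COOKIE_NAME] = token  # real app: set HttpOnly, Secure, expiry
    return True


def protect_page(session, cookies):
    """Page-protection logic: if no logged-in session exists, look the user
    up by the remember-me cookie and set the session as if they had just
    logged in. Returns the user id, or None if neither path succeeds."""
    if "user_id" in session:
        return session["user_id"]
    token = cookies.get(COOKIE_NAME)
    if not token:
        return None
    # A real database would select on an indexed token column; the dict is
    # scanned here with a constant-time comparison per row.
    for uid, user in USERS.items():
        stored = user["remember_token"]
        if stored is not None and hmac.compare_digest(
                stored.encode(), token.encode()):
            session["user_id"] = uid
            return uid
    return None


def logout(session, cookies):
    """Clear the session and blank the token in the table, so a copy of the
    cookie taken earlier can no longer be used to log in."""
    uid = session.pop("user_id", None)
    if uid is not None:
        USERS[uid]["remember_token"] = None
    cookies.pop(COOKIE_NAME, None)
```

Because the token is stored per user and is not derived from any user data, disabling a leaked cookie is a single column update (or the `logout` call above), and each new login with the box ticked simply issues a different token.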