  1. #1
    Regular Coder sonny

    form cookie option

    Hi

    I would like to offer a cookie option on a login form to stay
    logged in when they come back. I currently just use a session
    after the validation. It works fine but is deleted when they close the
    browser.

    How would I offer a cookie option? Should I pass a post value like
    cookie=1 etc. and then do an if condition after validation based on
    that?

    Can someone give advice on the best method to do something like
    this?

    Thanks
    Sonny

  • #2
    Regular Coder patryk
    I would prolly store a hashed password in the cookie and then, if that cookie exists and contains the proper hash, I would log them in automatically.
    Just give them the option to do it and use something better than md5 (crypt should do the trick if you won't store the salt in the cookie).

    --edit--
    Actually, even if you stored just the username's hash without the salt and kept the salt safe on the server, that should be relatively safe. As long as the client doesn't know the salt, it's almost impossible to fake the hash.
    Last edited by patryk; 04-19-2013 at 02:08 AM.

    -------------------------------------------------------------------------------
    "Real Programmers can write assembly code in any language" - Larry Wall

  • #3
    Senior Coder CFMaBiSmAd
    You would add a 'remember me' checkbox to your login form. At the point in your login code where the user has successfully logged in, you would test if your 'remember me' checkbox form field has been checked.

    You would then generate a unique token to store in the remember me cookie and also store this in your user table (you would need to add a column specifically to hold the token value.)

    You should not generate the value you store in the cookie from any of the user information because that value will be static for any user and if someone gets a hold of that value they will be able to use it to login until the original user value it is generated from is changed. Would you want to require your users to change their password or username or to regenerate a new salt string just to stop someone who has gotten a hold of someone else's 'remember me' cookie value?

    By generating a unique token, that is not a fixed value for any user, it can be regenerated at any time and you make it harder for the bad guys. Also, by generating it and storing it in a field in the database table, you can clear it in that table when someone logs out or to disable a value where it is known that the value has been gotten a hold of by someone else.

    You would change your 'page protection' logic so that if the 'logged in session' value is not set, you get the user's id using the 'remember me' cookie value and set the logged in session value the same as if the user had just successfully logged in.

    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
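
The token scheme described in post #3, as an added PHP example (not code from any poster in this thread). The `users` columns `remember_hash` and `remember_expires`, the cookie name `remember_me` and the 30-day lifetime are assumptions; storing only a SHA-256 hash of the token and rotating it on every use go beyond what the post describes.

```php
<?php
declare(strict_types=1);
const REMEMBER_TTL = 30 * 86400; // assumed lifetime: 30 days

// Called after a successful login when the 'remember me' box was ticked.
// The token is random, so it reveals nothing about the password, username or salt.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), time() + REMEMBER_TTL, $userId]);
    return $token; // raw value goes only into the cookie; the table keeps the hash
}

// Page protection: used when the logged-in session value is not set.
function userIdFromRememberToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed cookie, do not query
    }
    $stmt = $db->prepare('SELECT id FROM users WHERE remember_hash = ? AND remember_expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Logout, or revoking a token known to be in someone else's hands.
function clearRememberToken(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET remember_hash = NULL, remember_expires = NULL WHERE id = ?')
       ->execute([$userId]);
}

function sendRememberCookie(string $token): void // call before any page output
{
    setcookie('remember_me', $token, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo data: an in-memory SQLite table standing in for the real user table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, remember_hash TEXT, remember_expires INTEGER)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$first = issueRememberToken($db, 1);               // login with the box ticked
var_dump(userIdFromRememberToken($db, $first));    // returning visit: cookie maps to user 1
$second = issueRememberToken($db, 1);              // rotate on use; resend via sendRememberCookie()
var_dump(userIdFromRememberToken($db, $first));    // the earlier token no longer matches
clearRememberToken($db, 1);                        // logout
var_dump(userIdFromRememberToken($db, $second));   // nothing matches after logout
```

In a real page, the lookup result would be written to the session exactly as the normal login code does, and `sendRememberCookie()` would carry the rotated token back to the browser.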

