06-29-2008, 03:17 PM
#8
The Acquainted
Join Date: May 2008
Posts: 175
Thanks: 9
Quote:
Originally Posted by maZtah
I'm not at home now so I can't tell you exactly how I do it.
But I can say I'm doing it quite like this.
The only difference is that I'm also creating a $_SESSION with the user_id and user_name, so that I don't have to check the cookies every time.
I will post the script later.
I don't have to check the cookies every time. It will only check the cookies if the user isn't logged in.
Quote:
Originally Posted by maZtah
There is no need for two cookies. You can make a new db table with login data. With a random key field, and a user_id field. If you read the random key from the cookie, you can match the user_id.
I think in this case it is extremely critical that there are at least two references to check against. If I only needed to check against the identifier, a malicious user could randomly generate the identifier and hope to score any random account to log into. With two references, he would have to be trying to log into one specific account, which reduces the chance of finding himself automatically logged in from 'any of the remember-me users' to 'the remember-me user with account id = ###'.
Quote:
Originally Posted by xenon
I would go with CMellor's suggestion only because I've used that method and it works wonderfully. I'd also store the session ID into a cookie, and when coming back, I'd also check the user agent, and ask for the security question if any of the above changed. But that's me. :D
My only issue is that I regenerate the session_id after each login, and a user's session_id is destroyed after timeout. However, a third table and three cookies is another option to reinforce security even further.
Thanks for the ideas and thoughts, keep them coming!
__________________
There are No Stupid Questions. But there are a LOT of Inquisitive Idiots.
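The scheme this post argues for (a "remember me" cookie carrying both the user_id and a random key, looked up in a dedicated table, cookies consulted only when there is no logged-in session, and the session id regenerated on login) as one runnable example. This is an added example, not code from the thread or from any poster; it is written in Python with an in-memory SQLite table so it runs stand-alone, and the table name, column names, the `cookie`/`session` dicts standing in for the browser cookie and $_SESSION, and the cookie layout `user_id:key` are all assumptions. The PHP equivalents of the pieces used here are random_bytes(), hash('sha256', ...), hash_equals(), a PDO lookup and session_regenerate_id(true).

```python
"""Remember-me tokens keyed by (user_id, random key), with the key stored hashed.

Constructed example: table layout, cookie format and the dict-based cookie and
session are assumptions standing in for a real web stack.
"""
import hashlib
import hmac
import secrets
import sqlite3
import time

KEY_BYTES = 32                # 256-bit random key: not guessable even if user_id is known
TOKEN_TTL = 30 * 24 * 3600    # remember-me lifetime in seconds (30 days)
COOKIE_NAME = "remember_me"


def open_db():
    """Assumed schema: one row per remembered login (a user may have several devices)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE remember_me (
               id       INTEGER PRIMARY KEY,
               user_id  INTEGER NOT NULL,
               key_hash TEXT    NOT NULL,   -- SHA-256 of the key; the key itself lives only in the cookie
               expires  INTEGER NOT NULL    -- unix time after which the row is dead
           )"""
    )
    db.execute("CREATE INDEX remember_me_user ON remember_me (user_id)")
    return db


def _hash_key(key_hex):
    # Plain SHA-256 is enough: the input is 256 random bits, not a password,
    # so there is nothing for an offline guesser to enumerate.
    return hashlib.sha256(bytes.fromhex(key_hex)).hexdigest()


def issue_token(db, user_id, now=None):
    """After a successful password login with 'remember me' ticked: mint a fresh
    key, store only its hash, and return the cookie value 'user_id:key'."""
    now = int(time.time()) if now is None else now
    key = secrets.token_hex(KEY_BYTES)
    db.execute(
        "INSERT INTO remember_me (user_id, key_hash, expires) VALUES (?, ?, ?)",
        (user_id, _hash_key(key), now + TOKEN_TTL),
    )
    return f"{user_id}:{key}"


def login_from_cookie(db, cookie_value, now=None):
    """Return (user_id, new_cookie_value) if the cookie is valid, else None.

    The rows are selected by user_id, so a guessed key is only ever tested
    against one specific account. The key is compared in constant time against
    the stored hash. A used token is deleted and replaced (single-use rotation),
    so a copied cookie stops working once the legitimate browser has used it.
    """
    now = int(time.time()) if now is None else now
    try:
        uid_str, key = cookie_value.split(":", 1)
        user_id = int(uid_str)
        if len(key) != 2 * KEY_BYTES:
            return None
        bytes.fromhex(key)                     # reject non-hex garbage before hashing
    except (ValueError, AttributeError):
        return None
    presented = _hash_key(key)
    rows = db.execute(
        "SELECT id, key_hash FROM remember_me WHERE user_id = ? AND expires > ?",
        (user_id, now),
    ).fetchall()
    for row_id, stored in rows:
        if hmac.compare_digest(presented, stored):
            db.execute("DELETE FROM remember_me WHERE id = ?", (row_id,))
            return user_id, issue_token(db, user_id, now)
    return None


def revoke_all(db, user_id):
    """Call on password change or 'log out everywhere'."""
    db.execute("DELETE FROM remember_me WHERE user_id = ?", (user_id,))


def current_user(db, session, cookie, now=None):
    """Per-request check: trust the server-side session first and only fall back
    to the cookie when nobody is logged in, as the post describes. A cookie login
    regenerates the session id exactly as a password login would."""
    if session.get("user_id") is not None:
        return session["user_id"]
    value = cookie.get(COOKIE_NAME)
    if value is None:
        return None
    result = login_from_cookie(db, value, now)
    if result is None:
        cookie.pop(COOKIE_NAME, None)          # stale or forged cookie: drop it
        return None
    user_id, new_value = result
    session.clear()
    session["id"] = secrets.token_hex(16)      # stands in for session_regenerate_id(true)
    session["user_id"] = user_id
    cookie[COOKIE_NAME] = new_value            # browser gets the rotated token
    return user_id
```

Two points worth noting on the design: because the lookup is by user_id the table can hold the key hashed, so a copy of the table does not hand out logins; and a 256-bit random key is already unguessable on its own, so the real gain of the second reference is the indexed, per-account lookup and the hashed storage rather than a smaller guessing space.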