"Remeber Me" ... best practices.
06-30-2008, 07:18 PM
Join Date: May 2008
Right. Unfortunately this information can be manipulated as well. IP addresses are out for me because of the lovely ISPs that use reciprocating IPs (AOL).
How trustworthy are user agents?
Here is what I will do:
cookie ('account_id', '1');
cookie ('identifier', 'dasf8a3hdshf98hw3');
account_id, identifier, user_agent
After first checking that the first two cookies exist, I will query against all three items for validity:
SELECT account_id FROM remember_me WHERE account_id = (cookie:account_id) AND identifier = (cookie:identifier) AND user_agent = (browser:user_agent);
So, even if the user steals (highly unlikely) the account_id and identifier cookies, they will need the user's specific user agent as well, which is passed by the browser and from no other place.
Sounds like a plan. Should a user disable the sending of their user agent, it will simply validate as ''.
There are No Stupid Questions. But there are a LOT of Inquisitive Idiots.
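The three-column check drewbee describes, as an added example that is not part of the original post: a remember_me table with account_id, identifier and user_agent, two cookies issued at login, and a lookup that requires all three values to match one row, with a missing User-Agent header validating as ''. Two things here are my assumptions rather than the post's: the identifier is a fresh random token per login (the post shows a fixed string), and the table stores a SHA-256 of the identifier so a leaked database does not hand out usable cookies. The last function answers the "how trustworthy are user agents?" question in code: the User-Agent is sent by the client, so whoever obtains the cookies (from the same request, the same machine or the same logs) can send the matching header too, and the third column adds no secret the attacker lacks. The user agent strings and account ids are constructed sample data.

```python
import hashlib
import secrets
import sqlite3

# Table from the post; the identifier column holds a SHA-256 hex digest of the
# cookie value (my hardening, not the post's design, which stores it raw).
SCHEMA = """
CREATE TABLE remember_me (
    account_id INTEGER NOT NULL,
    identifier TEXT    NOT NULL,
    user_agent TEXT    NOT NULL
)
"""


def open_store() -> sqlite3.Connection:
    """In-memory SQLite stand-in for the forum's database (constructed for the example)."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    return db


def hash_identifier(identifier: str) -> str:
    """Only the hash is stored; the raw value lives in the cookie alone."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def issue_remember_me(db: sqlite3.Connection, account_id: int, user_agent: str) -> dict:
    """Create a remember_me row and return the two cookie values to set.

    The identifier is a random 256-bit token (assumption: the post shows a fixed string).
    """
    identifier = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO remember_me (account_id, identifier, user_agent) VALUES (?, ?, ?)",
        (account_id, hash_identifier(identifier), user_agent),
    )
    db.commit()
    return {"account_id": str(account_id), "identifier": identifier}


def validate_remember_me(db: sqlite3.Connection, cookies: dict, headers: dict):
    """The post's check: both cookies must exist and all three columns must match one row.

    Returns the account_id on success, None otherwise.
    """
    if "account_id" not in cookies or "identifier" not in cookies:
        return None
    try:
        account_id = int(cookies["account_id"])
    except ValueError:
        return None  # tampered cookie; never reaches the query
    # A browser that sends no User-Agent validates as '' (as the post states).
    user_agent = headers.get("User-Agent", "")
    row = db.execute(
        "SELECT account_id FROM remember_me "
        "WHERE account_id = ? AND identifier = ? AND user_agent = ?",
        (account_id, hash_identifier(cookies["identifier"]), user_agent),
    ).fetchone()
    return row[0] if row else None


def spoofed_replay_succeeds(db: sqlite3.Connection, stolen_cookies: dict, observed_ua: str) -> bool:
    """Attacker model: the cookies were captured together with the User-Agent of the
    same request. Replaying all three passes the check, because the UA is not a secret."""
    forged_request_headers = {"User-Agent": observed_ua}
    return validate_remember_me(db, stolen_cookies, forged_request_headers) == int(
        stolen_cookies["account_id"]
    )


if __name__ == "__main__":
    db = open_store()
    ua = "Mozilla/5.0 (constructed sample user agent)"
    cookies = issue_remember_me(db, 1, ua)
    print("same browser:", validate_remember_me(db, cookies, {"User-Agent": ua}))
    print("other browser:", validate_remember_me(db, cookies, {"User-Agent": "curl/8.0"}))
    print("stolen cookies + copied UA:", spoofed_replay_succeeds(db, cookies, ua))
```

The user_agent column does what the post wants against one specific case, cookies pasted into a different browser, and nothing more; treat it as a weak fingerprint, not as a third credential.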