"Remember Me" ... best practices.
I am sure most of you have run across a time when either a customer or yourself wanted to log in only once, and by using a 'remember me' feature keep the user logged in for x amount of time even after closing the browser window and coming back. How do you guys usually handle this?
This is the way I handle it. What are your thoughts on this?
I have a database table of session_remember_me containing two columns account_id, unique_identifier, unique_salt.
If a person clicks on 'remember me' when logging in, the following happens:
1. generate 64 bit identifier
2. does identifier already exist?
a: yes -- return to step 1
b: no -- go to step 3
3. create cookie identifier with 64 bit code / create cookie account_id with account_id
4. insert into table user account_id, identifier
*all browser stuff closed, user returns*
5. does identifier & account_id cookie exist?
a: yes -- go to step 6
b: no -- exit
6. select account_id from session_remember_me where identifier & account_id
7. account_id returned?
a: yes -- go to step 8
b: no -- exit
8. run through login routine (includes updating accounts table with last_login, as well as executing session_regenerate_id());
9. Execute Steps 1-4 (regenerate identifier, check for existence, and update row & cookie with new identifier)
Also, only users can use the 'remember me' feature. If an admin account logs in, it ignores that particular section of code.
Thoughts and suggestions on this? The one weak spot that I know of is if a malicious user gained the value of the person's account_id and identifier (both in cookies) and set their own cookies with those values.
I've done something similar to that in a system I wrote once. The only problem I had was that if a user uses "remember me" on multiple computers, the identifier can't change because then they'll be forgotten on other computers.
True. I guess I could store multiple identifiers per account that can be used to re-login for x amount of days, each identifier unique to each computer that said user may use as well. Since the table only contains two columns, it would not be that big of a deal.
On the downside, a malicious user now has nth more possibilities of getting a specific user's unique identifier, depending on how many computers that user used 'remember me' on.
I'm not at home now so I can't tell you exactly how I do it.
But I can say I'm doing it quite like this.
The only difference is that I'm also creating a $_SESSION with the user_id and user_name, so that I don't have to check the cookies every time.
I will post the script later.
If I remember correctly...
I had two cookies, one with the user ID and one with a random generated number that was stored in my 'members' table in the DB. My
There is no need for two cookies. You can make a new db table with login data. With a random key field, and a user_id field. If you read the random key from the cookie, you can match the user_id.
I would go with CMellor's suggestion only because I've used that method and it works wonderfully. I'd also store the session ID into a cookie, and when coming back, I'd also check the user agent, and ask for the security question if any of the above changed. But that's me. :D
Thanks for the ideas and thoughts, keep them coming!
Whatever method you choose make sure it's not possible to hijack cookies and use that information to log in as a user. You can avoid this by checking user agents (like xenon said), IP addresses and other things that would be unique for a user.
Right. Unfortunately this information can be manipulated as well. IP addresses are out for me because of the lovely ISPs that use reciprocating IPs (AOL).
How trustworthy are user agents?
Here is what I will do:
cookie ('account_id', '1');
cookie ('identifier', 'dasf8a3hdshf98hw3');
account_id, identifier, user_agent
When first checking if the first two cookies exist, I will query against all three items for validity:
SELECT account_id from remember_me where account_id = (cookie:account_id) AND identifier = (cookie:identifier) AND user_agent = (browser:user_agent).
So, even if the user steals (highly unlikely) the account_id and identifier cookie, they will need the user's specific user agent as well, passed by the browser and no other place.
Sounds like a plan. Should a user disable the sending of their user agent, then it will simply validate as ''.
I offer my users a Global Logout, where it updates the unique identifier in the database, making all of the old identifiers no longer valid. Some users like that.
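The flow the thread has converged on (random 64-bit identifier with a collision check, one row per device so several computers stay remembered, the user-agent column from the later posts, rotation on each successful return, and a global logout), written out as an added Python example that is not code from any poster; the in-memory list stands in for the remember_me table, and the cookies are plain dicts so the logic can run outside a web server.

```python
import secrets
import hmac
from dataclasses import dataclass, field

IDENTIFIER_BYTES = 8  # the thread's "64 bit identifier"; a wider value costs nothing


@dataclass
class RememberMeStore:
    """Stand-in for the remember_me table: one row per (account, device)."""
    rows: list = field(default_factory=list)

    def _fresh_identifier(self) -> str:
        # Steps 1-2: generate, and retry while the value already exists in the table.
        while True:
            ident = secrets.token_hex(IDENTIFIER_BYTES)
            if not any(r["identifier"] == ident for r in self.rows):
                return ident

    def issue(self, account_id: int, user_agent: str, is_admin: bool = False):
        """Steps 3-4: insert a row and return the two cookies. Admin accounts get none."""
        if is_admin:
            return None
        ident = self._fresh_identifier()
        self.rows.append({"account_id": account_id, "identifier": ident, "user_agent": user_agent})
        return {"account_id": str(account_id), "identifier": ident}

    def validate(self, cookies, user_agent: str):
        """Steps 5-9: match account_id, identifier and user agent against the table.
        On success the identifier for this device only is rotated, so the user's
        other computers keep working. Returns (account_id, new_cookies) or None."""
        if not cookies or "account_id" not in cookies or "identifier" not in cookies:
            return None
        for row in self.rows:
            if (str(row["account_id"]) == cookies["account_id"]
                    # constant-time compare so the identifier cannot be guessed byte by byte
                    and hmac.compare_digest(row["identifier"].encode(), cookies["identifier"].encode())
                    and row["user_agent"] == user_agent):  # a browser sending no UA matches ''
                row["identifier"] = self._fresh_identifier()
                return row["account_id"], {"account_id": str(row["account_id"]),
                                           "identifier": row["identifier"]}
        return None

    def global_logout(self, account_id: int) -> int:
        """Drop every remembered device for the account (same effect as the poster's
        'update the identifier in the database'); returns the number invalidated."""
        before = len(self.rows)
        self.rows = [r for r in self.rows if r["account_id"] != account_id]
        return before - len(self.rows)
```

Pairing the rows with an expiry column and storing only a hash of the identifier are the two additions a production version would want; neither is in the thread, so they are left out here.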
this just popped in my head as I read the title
I haven't read the post because it's kinda long, so if someone has said this then I'm sorry.
this isn't probably the best way to do this for several reasons, but it's just a start to making something
make a database table that has the rows: ip, key and time
when the user logs in and checks remember me it'll log their ip into the database while generating a key and a set time; by using the php time function you can do some math and add time to it for how long they want to stay logged in
when they come back it checks their ip ($_SERVER['REMOTE_ADDR']) against the database and just sets a session to exist.. and also if the row, time, is less than the php time function then their remember me is no good anymore and they must login again
but that poses a problem of several users across the same ip, like siblings. maybe make a cookie with the username
oh just forget it, it's useless and wasteful
except it could have potential to keep the files stored on a user's computer to a minimum
I'm forgetting what I'm wanting to say as I'm typing, but if I remember then I'll add it .. but there's problems I know of
just a thought