06-27-2008, 07:39 PM
#1
The Acquainted
Join Date: May 2008
Posts: 175
Thanks: 9
"Remember Me" ... best practices.
Hi everyone,
I am sure most of you have run across a time when either a customer or yourself wanted to have to log in only once, and by using a 'remember me' feature keep the user logged in for x amount of time even after closing the browser window and coming back. How do you guys usually handle this?
This is the way I handle it. What are your thoughts on this?
I have a database table of session_remember_me containing two columns account_id, unique_identifier, unique_salt.
If a person clicks on 'remember me' when logging in, the following happens:
1. generate 64 bit identifier
2. does identifier already exist?
a: yes -- return to step 1
b: no -- go to step 3
3. create cookie identifier with 64 bit code / create cookie account_id with account_id
4. insert into table user account_id, identifier
*all browser stuff closed, user returns*
5. does identifier & account_id cookie exist?
a: yes -- go to step 6
b: no -- exit
6. select account_id from session_remember_me where identifier & account_id
7. account_id returned?
a: yes -- go to step 8
b: no -- exit
8. run through login routine (includes updating accounts table with last_login, as well as executing session_regenerate_id())
9. Execute Steps 1-4 (regenerate identifier, check for existence, and update row & cookie with new identifier)
Also, only users can use the 'remember me' feature. If an admin account logs in, it ignores that particular section of code.
Thoughts and suggestions on this? The one weak spot that I know of that I can see is if a malicious user gained the value of the person's account_id and identifier (both in cookies) and set their own cookies with those values.
__________________
There are No Stupid Questions. But there are a LOT of Inquisitive Idiots.
06-27-2008, 11:09 PM
#2
The Contributor
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 44
Thanks: 3
I've done something similar to that in a system I wrote once. The only problem I had was that if a user uses "remember me" on multiple computers, the identifier can't change because then they'll be forgotten on other computers.
06-28-2008, 01:49 PM
#3
The Acquainted
Join Date: May 2008
Posts: 175
Thanks: 9
True. I guess I could store multiple identifiers per account that can be used to re-login for x amount of days, each identifier unique to each computer that said user may use as well. Since the table only contains two columns, it would not be that big of a deal.
On the downside, a malicious user now has nth more possibilities of getting a specific user's unique identifier, depending on how many computers that user used 'remember me' on.
06-28-2008, 04:34 PM
#4
The Acquainted
Join Date: Oct 2007
Posts: 170
Thanks: 18
I'm not at home now so I can't tell you exactly how I do it.
But I can say I'm doing it quite like this.
The only difference is that I'm also creating a $_SESSION with the user_id and user_name, so that I don't have to check the cookies every time.
I will post the script later.
06-29-2008, 03:17 PM
#5
The Acquainted
Join Date: May 2008
Posts: 175
Thanks: 9
Quote:
Originally Posted by maZtah
I'm not at home now so I can't tell you exactly how I do it.
But I can say I'm doing it quite like this.
The only difference is that I'm also creating a $_SESSION with the user_id and user_name, so that I don't have to check the cookies every time.
I will post the script later.
I don't have to check the cookies every time. It will only check the cookies if the user isn't logged in.
Quote:
Originally Posted by maZtah
There is no need for two cookies. You can make a new db table with login data. With a random key field, and a user_id field. If you read the random key from the cookie, you can match the user_id.
I think in this case it is extremely critical that there are at least two references to check against. If I only needed to check against the identifier, a malicious user could randomly generate the identifier and hope to score any random account to log into. With two references, he will need to be trying to log into any one specific account, thus reducing the chances of finding his way automatically logged in from 'number of remember me' users to 'remember me user with account id = ###'
Quote:
Originally Posted by xenon
I would go with CMellor's suggestion only because I've used that method and it works wonderfully. I'd also store the session ID into a cookie, and when coming back, I'd also check the user agent, and ask for the security question if any of the above changed. But that's me. :D
My only issue is that I regenerate session_id after each login, and a user's session_id is destroyed after timeout. However, a third table and three cookies is another option to yet even more greatly reinforce security.
Thanks for the ideas and thoughts, keep them coming!
06-30-2008, 07:04 PM
#6
The Acquainted
Join Date: Nov 2007
Posts: 166
Thanks: 0
Whatever method you choose make sure it's not possible to hijack cookies and use that information to log in as a user. You can avoid this by checking user agents (like xenon said), IP addresses and other things that would be unique for a user.
__________________
Eric
06-28-2008, 05:36 PM
#7
The Acquainted
Join Date: Sep 2007
Location: Leeds, UK
Posts: 141
Thanks: 6
If I remember correctly...
I had two cookies, one with the user ID and one with a random generated number that was stored in my 'members' table in the DB. My if_loggedin() function would check if a cookie exists and the cookie random value matched the one in the DB where it was the same ID as the cookie ID.
__________________
Not quite a n00b...
06-29-2008, 11:38 AM
#8
The Acquainted
Join Date: Oct 2007
Posts: 170
Thanks: 18
There is no need for two cookies. You can make a new db table with login data. With a random key field, and a user_id field. If you read the random key from the cookie, you can match the user_id.
06-29-2008, 02:56 PM
#9
The Frequenter
Join Date: Dec 2007
Location: Bucharest, Romania
Posts: 438
Thanks: 3
I would go with CMellor's suggestion only because I've used that method and it works wonderfully. I'd also store the session ID into a cookie, and when coming back, I'd also check the user agent, and ask for the security question if any of the above changed. But that's me. :D
__________________
I have optimistic thoughts, even though sometimes (if not always) life's a bitch.
06-30-2008, 07:18 PM
#10
The Acquainted
Join Date: May 2008
Posts: 175
Thanks: 9
Right. Unfortunately this information can be manipulated as well. IP addresses are out for me because of the lovely ISPs that use reciprocating IPs (AOL).
How trustworthy are user agents?
Here is what I will do:
cookie('account_id', '1');
cookie('identifier', 'dasf8a3hdshf98hw3');
database:
account_id, identifier, user_agent
When first checking if the first two cookies exist, I will query against all three items for validity:
SELECT account_id from remember_me where account_id = (cookie:account_id) AND identifier = (cookie:identifier) AND user_agent = (browser:user_agent).
So, even if the user steals (highly unlikely) the account_id and identifier cookie, they will need the user's specific user agent as well, passed by the browser and no other place.
Sounds like a plan. Should a user disable the sending of their user agent, then it will simply validate as ''.
07-02-2008, 11:39 PM
#11
The Contributor
Join Date: Jun 2008
Location: Twin Cities, Minnesota, USA
Posts: 44
Thanks: 3
Quote:
So, even if the user steals (highly unlikely) the account_id and identifier cookie, they will need the users specific user agent as well passed by the browser and no other place.
The user agent seems like a pretty solid solution, for fun, why not hash it?
I offer my users a Global Logout, where it updates the unique identifier in the database, making all of the old identifiers no longer valid. Some users like that.
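The scheme from post #1 (steps 1-9), the user_agent column from post #10 and the Global Logout from post #11, collected into one added Python example; this is not any poster's code (the thread is PHP) and RememberMeStore, _digest and the sqlite3 table are constructed here. It goes one step beyond the posts by storing SHA-256 digests of the identifier and user agent instead of the raw values, and it uses a 128-bit identifier rather than the 64-bit one in post #1.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional


def _digest(value: str) -> str:
    # Constructed helper: the table holds SHA-256 digests of the identifier and the
    # user agent, so a leaked row is not directly usable as a working cookie pair.
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class RememberMeStore:
    """Server side of the thread's table: remember_me(account_id, identifier, user_agent)."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE remember_me (account_id INTEGER, identifier TEXT, user_agent TEXT)")

    def issue(self, account_id: int, user_agent: str) -> dict:
        # Steps 1-4: fresh random identifier (128 bits, so the step-2 collision check is
        # unnecessary) and one row per browser, the per-computer token post #3 settles on.
        identifier = secrets.token_hex(16)
        self.db.execute("INSERT INTO remember_me VALUES (?, ?, ?)",
                        (account_id, _digest(identifier), _digest(user_agent)))
        return {"account_id": str(account_id), "identifier": identifier}  # the two cookies

    def check(self, cookies: dict, user_agent: str) -> Optional[dict]:
        # Steps 5-9 plus post #10's user-agent match. The query is parameterized, never
        # built from cookie text, and a browser that sends no user agent matches as ''.
        if "account_id" not in cookies or "identifier" not in cookies:
            return None
        try:
            account_id = int(cookies["account_id"])
        except ValueError:
            return None
        row = self.db.execute(
            "SELECT rowid FROM remember_me WHERE account_id = ? AND identifier = ? AND user_agent = ?",
            (account_id, _digest(cookies["identifier"]), _digest(user_agent))).fetchone()
        if row is None:
            return None
        # Step 9: the presented identifier is single-use. Drop it and issue a new one, so a
        # copied cookie pair stops working once the legitimate browser has come back.
        self.db.execute("DELETE FROM remember_me WHERE rowid = ?", (row[0],))
        return self.issue(account_id, user_agent)

    def global_logout(self, account_id: int) -> int:
        # Post #11's Global Logout: forget every remembered browser for the account.
        return self.db.execute("DELETE FROM remember_me WHERE account_id = ?", (account_id,)).rowcount
```

A replayed pre-rotation pair that is rejected here while the account still has a valid row is also a useful log signal: someone other than the rotating browser presented it.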
07-05-2008, 06:31 PM
#12
The Contributor
Join Date: Mar 2008
Posts: 62
Thanks: 2
This just popped into my head as I read the title.
I haven't read the post because it's kinda long, so if someone has said this then I'm sorry.
This isn't probably the best way to do this for several reasons, but it's just a start to making something.
Make a database table that has the rows: ip, key and time.
When the user logs in and checks remember me it'll log their IP into the database while generating a key and a set time; by using the PHP time function you can do some math and add time to it for how long they want to stay logged in.
When they come back it checks their IP ($_SERVER['REMOTE_ADDR']) against the database and just sets a session to exist... and also if the row, time, is less than the PHP time function then their remember me is no good anymore and they must log in again.
But that poses a problem of several users across the same IP, like siblings. Maybe make a cookie with the username.
Oh, just forget it, it's useless and wasteful.
Except it could have potential to keep the files stored on a user's computer to a minimum.
I'm forgetting what I'm wanting to say as I'm typing, but if I remember then I'll add it... but there are problems I know of.
...
Just a thought.