I am sure most of you have run across a time when either a customer or yourself wanted to log in only once, and by using a 'remember me' feature keep the user logged in for x amount of time even after closing the browser window and coming back. How do you guys usually handle this?
This is the way I handle it. What are your thoughts on this?
I have a database table of session_remember_me containing two columns account_id, unique_identifier, unique_salt.
If a person clicks on 'remember me' when logging in, the following happens:
1. generate 64 bit identifier
2. does identifier already exist?
a: yes -- return to step 1
b: no -- go to step 3
3. create cookie identifier with 64 bit code / create cookie account_id with account_id
4. insert into table user account_id, identifier
*all browser stuff closed, user returns*
5. does identifier & account_id cookie exist?
a: yes -- go to step 6
b: no -- exit
6. select account_id from session_remember_me where identifier & account_id
7. account_id returned?
a: yes -- go to step 8
b: no -- exit
8. run through login routine (includes updating accounts table with last_login, as well as executing session_regenerate_id());
9. Execute Steps 1-4 (regenerate identifier, check for existence, and update row & cookie with new identifier)
Also, only users can use the 'remember me' feature. If an admin account logs in, it ignores that particular section of code.
Thoughts and suggestions on this? The one weak spot that I know of that I can see is if a malicious user gained the value of the person's account_id and identifier (both in cookies) and set their own cookies with those values.
__________________ There are No Stupid Questions. But there a LOT of Inquisitive Idiots.
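The flow above (mint identifier, store it, look it up by account_id + identifier on return, rotate after a successful login) as an added, runnable sketch in Python; it is not the poster's code (theirs is PHP, given session_regenerate_id()). The in-memory TABLE, the 30-day lifetime, storing only a hash of the identifier, and revoking the account's rows when a correct account_id arrives with a wrong identifier are assumptions added here to address the stated weak spot: a stolen cookie that is replayed after the legitimate browser has already rotated it now kills every token for that account instead of silently working.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the session_remember_me table (assumed, not the poster's schema).
# Each row: account_id, sha256(identifier), expires_at. Only the hash is stored, so a leaked
# table does not hand out usable cookies.
TABLE: list[dict] = []
LIFETIME = 30 * 24 * 3600  # assumed lifetime in seconds (30 days)


def _digest(identifier: str) -> str:
    return hashlib.sha256(identifier.encode()).hexdigest()


def issue_token(account_id: int, now: float) -> dict:
    """Steps 1-4: mint a random identifier, insert its hash, return the two cookie values."""
    identifier = secrets.token_hex(16)  # 128 CSPRNG bits; a collision check (step 2) is moot at this size
    TABLE.append({"account_id": account_id, "identifier_hash": _digest(identifier), "expires_at": now + LIFETIME})
    return {"account_id": str(account_id), "identifier": identifier}


def validate_cookie(cookie: dict, now: float):
    """Steps 5-9: look up the cookie's account_id, compare the identifier hash in constant time,
    then rotate the token. Returns (account_id, fresh_cookie) on success, else (None, None)."""
    try:
        account_id = int(cookie["account_id"])
        presented = _digest(cookie["identifier"])
    except (KeyError, ValueError, AttributeError):
        return None, None  # step 5b: cookies missing or malformed
    live_rows = [r for r in TABLE if r["account_id"] == account_id and r["expires_at"] > now]
    for row in live_rows:
        if hmac.compare_digest(row["identifier_hash"], presented):
            TABLE.remove(row)  # the presented identifier is single-use
            return account_id, issue_token(account_id, now)  # step 9: rotate identifier and cookie
    if live_rows:
        # Correct account_id but wrong identifier: treat as a replayed/stolen cookie and
        # revoke all remember-me rows for the account (assumed policy, not in the original post).
        TABLE[:] = [r for r in TABLE if r["account_id"] != account_id]
    return None, None


if __name__ == "__main__":
    first = issue_token(7, 1000.0)
    acct, second = validate_cookie(first, 1001.0)        # legitimate return: rotated
    print(acct, validate_cookie(first, 1002.0))          # replay of the old cookie: (None, None), account revoked
```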