Best way to remember a logged in user - PHP Development


  1. #1

    Best way to remember a logged in user

    Hi All,

    What is the best way to use a cookie to remember a logged in user? Would
    you store the username and password in two separate cookies? Should the
    password be plain text? Hashed? Not there at all?

    Any feedback would be helpful. Thanks!

    -Josh


    Joshua Beall Guest

  2. #2

    Re: Best way to remember a logged in user

    Cookies can be used, but they are not the best way. Users can inhibit
    them, or clean up cookies.

    I think you can save user:password in a plain CSV text file on your
    server or in SQL. The passwords should be crypted. See PHP manual
    for crypt().

    HTH.

    Duyet.

    "Joshua Beall" <jbealldonotspam.remove.me.heraldic.us> wrote in message
    news:AeNGb.26055$NZ1.22034nwrddc02.gnilink.net...
    > Hi All,
    >
    > What is the best way to use a cookie to remember a logged in user? Would
    > you store the username and password in two separate cookies? Should the
    > password be plain text? Hashed? Not there at all?
    >
    > Any feedback would be helpful. Thanks!
    >
    > -Josh
    >
    >

    Duyet The Vo Guest

  3. #3

    Re: Best way to remember a logged in user

    Joshua Beall wrote: 

    Usually, I find the best way is with sessions - that's what they were invented
    for. Upon logging in, set a variable like $_SESSION['username']. If they click
    a logout button or try to login unsuccessfully, unset it.

    In your scripts, just be sure to check if $_SESSION['username'] is set.

    Or, if you wanted to and you're using Apache, you could use htaccess/htpasswd.
    Then, in your scripts, just check $_SERVER['REMOTE_USER'] to get the user name.
    Though that does have some drawbacks if you have many users - it gets slow.
    Also, it uses the browser's default username/password box, which is ugly and
    doesn't allow you to interact with the user.

    You should never send anyone's password to a cookie. That info is stored on the
    person's hard drive and could be easily read.

    Regards,
    Shawn
    --
    Shawn Wilson
    http://www.glassgiant.com
    Shawn Guest

  4. #4

    Re: Best way to remember a logged in user

    "Shawn Wilson" <com> wrote in message news:com...

    The problem with that is, once the session expires, the user is no longer
    logged in.

    I already have a complete authentication engine set up, using sessions, but I
    want to know the best way to implement a "remember me" feature - so
    that when a user comes back to my site, it remembers who they are. Ebay,
    Yahoo, Amazon, etc., all implement this feature. How do they remember who I
    am? Surely they do not leave the session active for a user who has not
    visited in over a week, do they? It must be through a cookie then - but
    what information do they store?

    (goes off to hunt through cookies and examine what they send...)

    Hmm, for Amazon, they are storing my session id, something called "x-main",
    "ubid-main", and "session-id-time". The expiration date for all these
    cookies is March 15, 2004. Does Amazon then just not expire sessions for 6
    months? Does not this clog up the server's memory with lots of session
    data?

    I guess the solution for this would be to implement a custom session record
    handler, that serializes the data and stores it in a database or a file, so
    that after garbage collection happens, it can still be recovered from the
    database?

    I am looking through some cookies from an Invisionboard Forum site that I
    visit, and it looks like, in order to remember me, they store my user ID,
    and the md5 hash of my password. While this is pretty hard to translate
    back into a username/password, I suppose this is still a pretty big security
    risk, because all someone has to do in order to login as you is copy
    those cookies on their machine, with those values?

    -jb


    Joshua Guest

  5. #5

    Re: Best way to remember a logged in user

    Joshua Beall wrote:
    >
    > The problem with that is, once the session expires, the user is no longer
    > logged in.
    >
    > I already have a complete authentication engine set up, using sessions, but I
    > want to know the best way to implement a "remember me" feature - so
    > that when a user comes back to my site, it remembers who they are. Ebay,
    > Yahoo, Amazon, etc., all implement this feature. How do they remember who I
    > am? Surely they do not leave the session active for a user who has not
    > visited in over a week, do they? It must be through a cookie then - but
    > what information do they store?
    >
    > (goes off to hunt through cookies and examine what they send...)
    >
    > Hmm, for Amazon, they are storing my session id, something called "x-main",
    > "ubid-main", and "session-id-time". The expiration date for all these
    > cookies is March 15, 2004. Does Amazon then just not expire sessions for 6
    > months? Does not this clog up the server's memory with lots of session
    > data?
    >
    > I guess the solution for this would be to implement a custom session record
    > handler, that serializes the data and stores it in a database or a file, so
    > that after garbage collection happens, it can still be recovered from the
    > database?
    >
    > I am looking through some cookies from an Invisionboard Forum site that I
    > visit, and it looks like, in order to remember me, they store my user ID,
    > and the md5 hash of my password. While this is pretty hard to translate
    > back into a username/password, I suppose this is still a pretty big security
    > risk, because all someone has to do in order to login as you is copy
    > those cookies on their machine, with those values?

    Ah, I see. Any site that lets you stay logged in is a security risk, IMO. Now
    that you mention it, Hotmail does the same thing.

    If you just want to remember the login I guess it would be easy enough to set a
    cookie with the username and uniqid() (which would also have to be stored with
    the account info server-side). Then read the cookie and compare it to username,
    uniqid in the db. The uniqid should be changed periodically, to prevent
    someone who has hacked it from using it for too long. Of course, if someone
    read the cookie they could easily copy it to their own computer and use the
    account until the uniqid was changed.

    If you wanted to remember a number of session variables as well, you could make
    a custom session handler, as you suggested.

    I really hate the idea of storing pw hashes in a cookie, as it's too easy to get
    the pw, assuming access to the computer (as in an office setting or public
    terminal) and bad passwords (dictionary passwords). I think that for any method
    discussed so far, you could just copy the cookie file onto your own computer to
    access the account. It's bad enough to have someone access your account - it's
    worse for them to learn your password.

    If you go with a solution that allows you to stay logged in over a long period
    of time, I would suggest making it optional (have a preference section where a
    user can decline to use that feature). It makes me nervous when sites do that
    and, being human, I often forget to logout before closing the browser =o)

    Regards,
    Shawn
    --
    Shawn Wilson
    http://www.glassgiant.com
    Shawn Guest

  6. #6

    Re: Best way to remember a logged in user

    Without more specific information on the purposes of your particular
    application I would suggest making use of PHP's excellent session
    handling. Once a user is verified, you can maintain this verified state
    throughout all subsequent page visits by making use of a session.

    Get the details at http://es.php.net/manual/en/ref.session.php


    On Fri, 26 Dec 2003 02:42:40 GMT, "Joshua Beall"
    <remove.me.heraldic.us> wrote:

    Eagle

    (I very much appreciate your contributions.
    Please do not reply to my email-address since it is deactivated due to tons of Spam I received.
    Thanks a ton)
    Eagle Guest


  8. #8

    Re: Best way to remember a logged in user

    "Shawn Wilson" <com> wrote in message

    This problem is an obvious one that I have been thinking about and trying to
    figure out the best way to deal with, but here is another question:
    Is there any way for a site to harvest cookies remotely? I.e., is there any
    way for something.com to look at mysite.com's cookies?


    Joshua Guest

  9. #9

    Re: Best way to remember a logged in user

    > Without more specific information on the purposes of your particular
    > application I would suggest to make use of php excellent session
    > handling.
    I'm an absolute beginner with this topic, trying to acquire knowledge about
    the most secure method.
    According to you, this method is more secure than cookies and URL
    techniques? I read that if the page is stored on an ISP server shared by many
    users, the session file stored in /tmp could be accessed by malicious
    users.

    thanks
    Roberto


    Roberto Guest

  10. Moderated Post

    Re: Best way to remember a logged in user

    Removed by Administrator
    Gordon Guest

  11. #11

    Re: Best way to remember a logged in user

    > I'm an absolute beginner with this topic, trying to acquire knowledge about
    > the most secure method.
    > According to you, this method is more secure than cookies and URL
    > techniques? I read that if the page is stored on an ISP server shared by many
    > users, the session file stored in /tmp could be accessed by malicious
    > users.
    You can set the path where your session data is stored by:

    session_save_path('/usr/yourpath');

    read also:
    http://nl3.php.net/manual/en/function.session-save-path.php

    Kind regards,

    DutchFish


    DutchFish Guest
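As an added example, not code from Shawn or DutchFish: the session-based login Shawn describes in #3 (set $_SESSION['username'] on login, check it in every script, unset it on logout) combined with DutchFish's session_save_path() advice, plus the cookie and strict-mode settings PHP offers for the session id. The directory name, the 30-minute idle lifetime and PHP 7.3 or newer are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Prepare session handling before session_start(). $savePath replaces the
// shared /tmp with a directory only the web server user can read (mode 0700),
// which is the point of DutchFish's session_save_path() suggestion.
function configure_session(string $savePath): void
{
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
    chmod($savePath, 0700);                       // umask may have widened mkdir's mode
    session_save_path($savePath);
    ini_set('session.use_strict_mode', '1');      // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1');     // never read the id from the URL
    ini_set('session.cookie_httponly', '1');      // id not visible to page scripts
    ini_set('session.cookie_secure', '1');        // cookie only sent over HTTPS
    ini_set('session.cookie_samesite', 'Lax');    // PHP >= 7.3
    ini_set('session.gc_maxlifetime', '1800');    // assumed: 30 idle minutes, then collected
}

// Shawn's login step, with a fresh id so an id the browser held before login
// (for example one planted by a third party) is not the one that becomes authenticated.
function login_user(string $username): void
{
    session_regenerate_id(true);   // true: delete the old session file as well
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
}

// The check every protected script runs.
function current_user(): ?string
{
    return isset($_SESSION['username']) ? (string) $_SESSION['username'] : null;
}

// Logout: clear the data, expire the browser's cookie, remove the server file.
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();
}

// Constructed walk-through for the command line; a web request would make the
// same calls spread over the login page, the protected pages and the logout page.
if (PHP_SAPI === 'cli') {
    configure_session(sys_get_temp_dir() . '/private_sessions_demo');   // assumed path
    session_start();
    login_user('josh');
    if (current_user() !== 'josh') {
        throw new RuntimeException('login did not set the session user');
    }
    logout_user();
    if (current_user() !== null) {
        throw new RuntimeException('logout left the session user set');
    }
    echo "session login/logout checks passed\n";
}
```

On shared hosting the save directory also has to sit outside any web-accessible path and be owned by the account the PHP process runs as; where the host runs everyone's scripts under one user, a private directory helps only as far as file permissions do, which is the limit of what session_save_path() can fix.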

  12. #12

    Re: Best way to remember a logged in user

    "Joshua Beall" <jbealldonotspam.remove.me.heraldic.us> wrote in message news:<AeNGb.26055$NZ1.22034nwrddc02.gnilink.net>...
    > Hi All,
    >
    > What is the best way to use a cookie to remember a logged in user? Would
    > you store the username and password in two separate cookies? Should the
    > password be plain text? Hashed? Not there at all?
    >
    > Any feedback would be helpful. Thanks!
    >
    > -Josh
    This is a little trick I use (sometimes my sites scale across multiple
    servers).

    I set a couple of cookies, all with the same expiry time:

    1 = userid
    2 = key that is encrypted, represents that the login is invalid after a timestamp
    3 = key that is encrypted, represents the browser user-agent

    With that, even if someone sniffed the line or captured the cookies,
    they will not be able to reuse the cookie info,

    because the scripts check if everything matches: does the cookie of
    the user-agent match the browser that is being used? Is the timeout
    cookie expired?

    I learned to do this one time while getting paid to write automation
    software. Data access was granted using a session id in a cookie; well,
    I wrote some software that didn't let the cookie expire and I was
    able to gain access to the data even after the user account was
    closed.

    This was years ago. It was for a client that wanted to automate
    retrieving data from monster.com; he did pay monster for the account,
    but the software worked after the account was closed due to loose
    programming and forethought.



    Mike Bradley
    http://gzen.myhq.info -- free online php tools
    CountScubula Guest

  13. #13

    Re: Best way to remember a logged in user

    "Joshua Beall" <jbealldonotspam.remove.me.heraldic.us> wrote in message news:<AeNGb.26055$NZ1.22034nwrddc02.gnilink.net>...
    > Hi All,
    >
    > What is the best way to use a cookie to remember a logged in user? Would
    > you store the username and password in two separate cookies? Should the
    > password be plain text? Hashed? Not there at all?
    >
    > Any feedback would be helpful. Thanks!
    http://martin.f2o.org/php/login

    --
    "Success = 10% sweat + 90% tears"
    Email: rrjanbiah-at-Y!com
    R. Rajesh Jeba Anbiah Guest

  14. #14

    Re: Best way to remember a logged in user

    Regarding this well-known quote, often attributed to Joshua Beall's famous
    "Fri, 26 Dec 2003 18:29:36 GMT" speech:

    (snip original question)
     

    Possibly. If your users can somehow wedge some code, even a small bit of
    it, onto your site, you've got a potential problem.

    For example, I'm on a music purchase service (to be unnamed), that has a
    big insecurity in the messageboards and user best-of lists. The problem is
    that they don't screen for HTML tags. All I'd need to do is make a simple
    JavaScript that --

    1.) "document.write"s a form with a bunch of hidden elements. I'd do this
    in script rather than just put it in the message, since their messageboards
    have tight limits on message size.

    2.) Copies the "document.cookie" variable (this has all the cookies that
    are within the current page's scope) into the FORM HIDDEN element.

    3.) Submits the form to a script on my site.

    -- Then, I place this on my webspace, make a simple SCRIPT SRC="..." tag
    linking to it, and boom, a handy-dandy cookie stealer.

    The thing about this problem is that it can crop up in odd places, too...
    Sites that use user input to make titles or other small information (I
    recall a font-retailer's site that used a GET request variable to write out
    the title of the page). There might be a slim chance, if username checking
    isn't handled well, that people could put tags into a username. If anything
    the user enters gets displayed to the general public, it might be a risk.

    Best off not to put sensitive info in cookies, then.

    --
    -- Rudy Fleminger
    -- and.evil.ones.will.bow-down-to.us
    (put "Hey!" in the Subject line for priority processing!)
    -- http://www.pixelsaredead.com
    FLEB Guest

  15. #15

    Re: Best way to remember a logged in user

    "FLEB" <and.evil.ones.will.bow-down-to.us> wrote in
    message news:14xlhsgl8s1jz$net...

    If it's sensitive, encrypt it. There are several simple ways to do it, and one
    can always put an index in the cookie, which points to real data on the
    server.

    --
    Mike Bradley
    http://gzen.myhq.info -- free online php tools


    CountScubula Guest
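Shawn's scheme from #5 (a username plus a random value in the cookie, the same value stored with the account, changed periodically) and Mike's remark in #15 about an index in the cookie that points to real data on the server describe the same design. As an added example that is neither poster's code, here is that design in PHP, going a little beyond the posts: the cookie carries a lookup selector and a secret, only a hash of the secret is stored, and the token is rotated on every use rather than periodically. The in-memory SQLite store (pdo_sqlite), random_bytes() in place of uniqid(), and the two-week lifetime are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the server-side account store Shawn mentions: an
// in-memory SQLite table (assumes the pdo_sqlite extension).
function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
                   selector   TEXT PRIMARY KEY,
                   username   TEXT NOT NULL,
                   token_hash TEXT NOT NULL,
                   expires    INTEGER NOT NULL)');
    return $db;
}

const REMEMBER_TTL = 14 * 24 * 3600;   // assumed: two weeks, then a real login is required

// Issue the "index" that goes in the cookie: a selector for the lookup and a
// random secret. Only the secret's hash is stored, so reading the table does
// not yield usable cookies. random_bytes() takes the place of uniqid().
function issue_remember_token(PDO $db, string $username, int $now): string
{
    $selector = bin2hex(random_bytes(8));    // 16 hex chars
    $token    = bin2hex(random_bytes(32));   // 64 hex chars
    $db->prepare('INSERT INTO remember_tokens (selector, username, token_hash, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, $username, hash('sha256', $token), $now + REMEMBER_TTL]);
    return $selector . ':' . $token;
}

// How a web script would hand the value to the browser.
function send_remember_cookie(string $value): void
{
    setcookie('remember', $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not exposed to page scripts
        'samesite' => 'Lax',
    ]);
}

// Check a presented cookie. A selector is single use: on success the row is
// replaced by a fresh token (Shawn's "changed periodically", done on every use),
// so a copied cookie works only until either copy is used. A selector that
// exists but carries the wrong secret is revoked too, since that pattern means
// someone holds an old copy. Returns [username, newCookieValue] or null.
function consume_remember_token(PDO $db, string $cookie, int $now): ?array
{
    if (!preg_match('/^([0-9a-f]{16}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $token] = $m;
    $stmt = $db->prepare('SELECT username, token_hash, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    // Constant-time comparison: do not leak how many hash bytes matched.
    $valid = hash_equals($row['token_hash'], hash('sha256', $token))
          && (int) $row['expires'] > $now;
    if (!$valid) {
        return null;
    }
    return [$row['username'], issue_remember_token($db, $row['username'], $now)];
}

// Constructed walk-through: issue, use, replay, expire.
if (PHP_SAPI === 'cli') {
    $db       = open_store();
    $now      = 1072406560;                  // constructed timestamp
    $cookie   = issue_remember_token($db, 'josh', $now);
    $issuedAt = $now + 60;
    $first    = consume_remember_token($db, $cookie, $issuedAt);
    if ($first === null || $first[0] !== 'josh') {
        throw new RuntimeException('fresh cookie should log josh in');
    }
    if (consume_remember_token($db, $cookie, $issuedAt + 60) !== null) {
        throw new RuntimeException('replayed cookie should be rejected');
    }
    if (consume_remember_token($db, $first[1], $issuedAt + REMEMBER_TTL) !== null) {
        throw new RuntimeException('cookie past its TTL should be rejected');
    }
    echo "remember-me token checks passed\n";
}
```

Rotation on use is what bounds the copied-cookie problem Shawn and Joshua keep returning to: a copy works only until the legitimate browser or the copy presents it, after which the other holder is logged out, and a selector that turns up with a stale secret is a signal worth logging.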

  16. #16

    Re: Best way to remember a logged in user

    "CountScubula" <hotmail.com> wrote in message
    news:e_qIb.3898$news.prodigy.com...

    The fundamental problem is, though, that in order to login as somebody else,
    you only need to steal their cookies. This is easily doable if it is an
    office computer, lab computer, library computer, etc.

    Someone suggested hashing the user agent and comparing it, which could work,
    although it is no guarantee. IP checking will not work since IPs can
    change, and with AOL, for instance, often change right in the middle of an
    active session!

    Any other ideas?


    Joshua Guest

  17. #17

    Re: Best way to remember a logged in user

    > Someone suggested hashing the user agent and comparing it, which could work,

    I believe that was me talking about the user agent, if you added that with a
    couple other things it might work.

    You could also encrypt a timeout, and if that is not a valid cookie, no
    access. I did this for someone in another post;
    something along the lines of:

    $limit = 30;
    $timeOut = time() + $limit;
    $cookieTimeOut = your_fav_way_to_encrypt($timeOut);

    --
    Mike Bradley
    http://gzen.myhq.info -- free online php tools



    CountScubula Guest
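Mike's cookie layout from #12 (user id, an encrypted timeout, an encrypted user-agent key) and his $timeOut = time() + $limit sketch above, written out as an added example that is not his code. It puts an HMAC (hash_hmac) in the place of your_fav_way_to_encrypt(): the checks he describes need fields the client cannot alter undetected, which a MAC provides, while the id and timeout remain readable. The signing-key constant, the 30-minute limit and the constructed user-agent strings are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Server-side signing key. Constructed placeholder: a deployment would load 32
// bytes from random_bytes() kept in configuration, never in the code.
const COOKIE_KEY = 'example-only-key-replace-with-random_bytes(32)';

// Build Mike's three pieces of information (user id, login timeout, browser
// user-agent) as one cookie and sign it. Any field the client edits makes the
// MAC fail, which is what the checks below rely on.
function make_login_cookie(int $userId, int $now, int $limit, string $userAgent,
                           string $key = COOKIE_KEY): string
{
    $timeOut = $now + $limit;                          // Mike's $timeOut = time() + $limit
    $uaHash  = hash('sha256', $userAgent);
    $payload = $userId . '.' . $timeOut . '.' . $uaHash;
    return $payload . '.' . hash_hmac('sha256', $payload, $key);
}

// The checks from Mike's post, in order: signature, timeout, user-agent.
// Returns the user id or null; callers treat null as "not logged in".
function verify_login_cookie(string $cookie, int $now, string $userAgent,
                             string $key = COOKIE_KEY): ?int
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $timeOut, $uaHash, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($timeOut)) {
        return null;
    }
    $payload = $userId . '.' . $timeOut . '.' . $uaHash;
    // Verify the MAC before trusting any field; hash_equals is constant time.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    if ((int) $timeOut <= $now) {
        return null;                                   // "is the timeout cookie expired?"
    }
    if (!hash_equals($uaHash, hash('sha256', $userAgent))) {
        return null;                                   // "does the useragent match?"
    }
    return (int) $userId;
}

// Constructed walk-through covering the cases the thread raises.
if (PHP_SAPI === 'cli') {
    $now  = 1072406560;                                // constructed timestamp
    $ua   = 'Mozilla/5.0 (constructed user agent)';
    $good = make_login_cookie(42, $now, 30 * 60, $ua); // 30-minute limit, assumed

    if (verify_login_cookie($good, $now + 60, $ua) !== 42) {
        throw new RuntimeException('valid cookie should verify');
    }
    // Same cookie presented from a different browser (copied elsewhere, as Joshua fears).
    if (verify_login_cookie($good, $now + 60, 'Other/1.0') !== null) {
        throw new RuntimeException('user-agent mismatch should fail');
    }
    // Timeout reached.
    if (verify_login_cookie($good, $now + 30 * 60, $ua) !== null) {
        throw new RuntimeException('expired cookie should fail');
    }
    // Client edits the user id field: the MAC no longer matches.
    $parts    = explode('.', $good);
    $parts[0] = '1';
    if (verify_login_cookie(implode('.', $parts), $now + 60, $ua) !== null) {
        throw new RuntimeException('tampered user id should fail');
    }
    echo "signed cookie checks passed\n";
}
```

Two caveats the thread itself raises. The user-agent check is the "no guarantee" Joshua calls it in #16: the User-Agent header travels with every request, so whoever can copy the cookie can usually copy that too. And a self-contained signed cookie has no server-side record, so it cannot be revoked before its timeout; Mike's monster.com story, where access outlived the account, is exactly that failure, and the remedy is to pair the cookie with a server-side token record as in Shawn's scheme.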
