  1. #1
    SitePoint Wizard (bronze trophy), joined Jul 2006, Augusta, Georgia, United States, 4,147 posts

    Login System Assistance

    I'm having trouble locating a straightforward answer to this question, so any help would be appreciated. I currently have a login system implemented for a project I'm working on. Currently, the login system is only session based, so once someone closes the browser, the next time they visit they need to log back in. I prefer that the system be able to remember them and log them in automatically upon their next visit. What are my options for creating such a system that is secure, in detail? For example, I understand that sensitive information should never be stored in cookies, so what would be the best way to store user information in a cookie that would make it possible for the system to log the user back in automatically? I'm more or less looking for hypothetical solutions at this point.

    thanks

  2. #2
    Dharma, SitePoint Enthusiast, joined Aug 2008, The Netherlands, 60 posts
    You could store a session id in the cookie which maps to a stored session in your backend. But I'd at least rotate that on each re-login. It's the least sensitive you can get as far as cookie recognition goes, imho.
    <samsara>You are here.</samsara>

  3. #3
    Twitter: @AnthonySterling silver trophy AnthonySterling's Avatar
    Join Date
    Apr 2008
    Location
    North-East, UK.
    Posts
    6,111
    Mentioned
    3 Post(s)
    Tagged
    0 Thread(s)
    Surely, not requiring a log in is intrinsically insecure?

    I would think you would have to move session storage to a database. Placing a cookie on the client with a unique id, you would then compare this cookie value to the user's IP address and quite possibly the user agent stored within the database.

    To be fair, it's still too insecure for my liking. If the system requires secure access for users, it has to be just that, secure.
    @AnthonySterling: I'm a PHP developer, a consultant for oopnorth.com and the organiser of @phpne, a PHP User Group covering the North-East of England.

  4. #4
    neron-fx, Django Jedi, joined Sep 2007, Bristol/Bath, UK, 274 posts
    I agree with SilverBullet,

    There are many ways that you could go about this, but this type of system is insecure by nature. What if someone logs on from an internet cafe or a shared computer? Your whole system is compromised in one visit by one user on one machine, so what's the point?!

    If you do that it's as good as having no login at all. However, I feel your pain. Users are lazy and fickle creatures by nature and will always bemoan issues like the one you have stated. But you have to stick to your guns. Security is security. If something is worth protecting then you need to do everything in your power to ensure the integrity of your security features, not compromise them by implementing solutions like the above.

    Good luck to you,

    Cheers
    Neron-Fx
    Every time a user opens Internet Explorer, a web developer dies...
    http://www.savethedevelopers.org/

  5. #5
    busylinks1, SitePoint Zealot, joined Nov 2008, 160 posts
    Why not use the simple way: first encrypt the data and then store it in cookies...
    Afterward, get the value from the cookies, decrypt it and use it...

    What you say?

  6. #6
    stuffedbuggy, SitePoint Zealot, joined Sep 2008, 187 posts
    You could have a script embedded within the page that creates a random numeric string, place that in a cookie, and store the random numeric string in a database table separate from user information.
    When checking cookies for login... run a foreach loop querying the database table with all the numeric cookie ids; if it finds a match, then the information from the user_info table would be retrieved, and thus you have automatic login by cookie without revealing sensitive information.
    Just be sure that you query the database before a new cookie id is created...
    You know you cooler than me...

  7. #7
    SitePoint Wizard (bronze trophy), joined Jul 2006, Augusta, Georgia, United States, 4,147 posts
    My current thought is similar to stuffedbuggy's idea. Create a table used for storing user and code combinations. In that table have a code and a user name column. Every time a new session is initiated and the user would like to have the system remember that they are logged in, generate a string unique from all others that exist in the table as codes and create a cookie on the user's computer with that string. Then all that is needed is to match that cookie value to one in the sessions table. Does that sound like a good solution? I could even use a one-way encryption on the stored cookie value for added security if need be.
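An added example, not code from the thread or from any poster, of the scheme sketched in this post, written in Python with an in-memory dict standing in for the sessions table. The cookie carries only a random token; the table stores the token's SHA-256 hash beside the user name and an expiry, so a copy of the table cannot be replayed as a cookie. A presented token is rotated on every successful use (Dharma's suggestion in #2), a token is only issued when the user opted in (the "Remember Me" checkbox from #10), and logout can revoke every token a user holds. The class and function names, the cookie name and the 30-day lifetime are assumptions.

```python
import hashlib
import secrets
import time

# Assumed policy values (not from the thread).
TOKEN_TTL = 30 * 24 * 3600      # a persistent login lives 30 days
COOKIE_NAME = "remember_me"


class RememberMeStore:
    """In-memory stand-in for the thread's 'sessions' table (constructed for
    this example). Rows map sha256(token) -> {"user", "expires"}; the plaintext
    token exists only in the cookie, so a stolen copy of the table cannot be
    turned into a working cookie."""

    def __init__(self, now=time.time):
        self.rows = {}
        self.now = now            # injectable clock, handy for testing expiry

    @staticmethod
    def _digest(token: str) -> str:
        # The token is 256 bits of CSPRNG output, so an unsalted, fast hash is
        # enough: there is nothing for an offline guesser to guess.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, username: str) -> str:
        """Create a fresh token for username and return the cookie value."""
        token = secrets.token_urlsafe(32)
        self.rows[self._digest(token)] = {
            "user": username,
            "expires": self.now() + TOKEN_TTL,
        }
        return token

    def redeem(self, cookie_value):
        """Validate a presented cookie value.

        Returns (username, replacement_token) on success, None otherwise.
        The matched row is always deleted, so a token is single-use and a
        replayed copy fails; the caller sets the replacement cookie."""
        if not cookie_value:
            return None
        row = self.rows.pop(self._digest(cookie_value), None)
        if row is None:
            return None                       # unknown, already used, or revoked
        if row["expires"] <= self.now():
            return None                       # expired; the row is already gone
        return row["user"], self.issue(row["user"])

    def revoke_user(self, username: str) -> int:
        """Logout everywhere: drop every token for username, return the count."""
        doomed = [h for h, r in self.rows.items() if r["user"] == username]
        for h in doomed:
            del self.rows[h]
        return len(doomed)


def set_cookie_header(token: str) -> str:
    """Build the Set-Cookie value. HttpOnly keeps page scripts away from the
    token, Secure keeps it off plain HTTP, SameSite=Lax stops cross-site
    POSTs from carrying it."""
    return (f"{COOKIE_NAME}={token}; Max-Age={TOKEN_TTL}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def login(store: RememberMeStore, username: str, remember_me: bool):
    """Called after the password check succeeded. A persistent token is
    issued only when the user opted in, so a public machine gets no cookie."""
    if not remember_me:
        return None
    return set_cookie_header(store.issue(username))


def restore_session(store: RememberMeStore, cookie_value):
    """Called on a request with no live session. Returns (username,
    replacement Set-Cookie value) or None when the user must log in again."""
    result = store.redeem(cookie_value)
    if result is None:
        return None
    username, new_token = result
    return username, set_cookie_header(new_token)


if __name__ == "__main__":
    store = RememberMeStore()
    header = login(store, "alice", remember_me=True)
    token = header.split(";")[0].split("=", 1)[1]
    print(restore_session(store, token)[0])    # alice
    print(restore_session(store, token))       # None: the token was rotated
```

Rotating on each use means a cookie copied from a shared machine stops working the moment the legitimate user next visits, and the owner seeing an unexpected logout is itself a signal; storing only the hash means the table leaks nothing usable even if the database is read.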

  8. #8
    SitePoint Enthusiast, joined Nov 2008, New York, 90 posts
    You are still facing the same 'internet cafe' problem pointed out by neron-fx, whether you encrypt it or not...
    www.forkaya.com - Web Development, PHP Scripting

  9. #9
    SitePoint Wizard (bronze trophy), joined Jul 2006, Augusta, Georgia, United States, 4,147 posts
    How would you recommend I resolve that problem while still accomplishing the objective?

  10. #10
    SitePoint Enthusiast, joined Nov 2008, New York, 90 posts
    The only thing I can suggest is to use a 'Remember Me' or 'Keep Me Login' option along with the cookie solution, so if somebody is using a 'public' machine they leave this option unchecked and the cookie is not left behind when they log out or the session times out (or the cookie expires, depending on your impl.), if you really need to offer this option.
    www.forkaya.com - Web Development, PHP Scripting

  11. #11
    SitePoint Wizard (bronze trophy), joined Jul 2006, Augusta, Georgia, United States, 4,147 posts
    I was planning on implementing that option, anything else?

  12. #12
    SitePoint Enthusiast, joined Nov 2008, New York, 90 posts
    Nothing significant that I can think of... Sometimes sites will ask you to provide your password if you are trying to do some actions or get to an area of the website with sensitive info, even if you are logged in. Whether you want to go this path or not depends on the nature of your site. Also, sensitive info (for example a credit card number or bank account number) can be partially masked, so if the user is not the one owning the account, he/she is still not able to 'steal' somebody else's personal data.
    www.forkaya.com - Web Development, PHP Scripting
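An added example, not code from the thread or from any poster, of the two measures in this post in Python: a session restored from a remember-me cookie is tracked as lower assurance than one started with a password, sensitive actions require a password entered recently in that session regardless of how it began, and account numbers are displayed masked. The action names, the 10-minute window and the field names are assumptions.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Assumed policy (not from the thread): these actions need a password typed
# within REAUTH_WINDOW seconds, no matter how the session was established.
SENSITIVE_ACTIONS = {"change_password", "change_email", "view_full_card", "add_payee"}
REAUTH_WINDOW = 10 * 60


@dataclass
class Session:
    user: str
    via: str                                    # "password" or "remember_me"
    password_verified_at: Optional[float] = None  # None: never typed this session


def session_from_password(user: str, now=time.time) -> Session:
    """Normal login: the user just proved knowledge of the password."""
    return Session(user, "password", now())


def session_from_cookie(user: str) -> Session:
    """Restored from a persistent cookie: nobody proved they know the
    password, so the session starts with no password timestamp at all."""
    return Session(user, "remember_me", None)


def authorize(session: Session, action: str, now=time.time) -> str:
    """Return "allow", or "reauth" when the caller must prompt for the password
    before performing the action."""
    if action not in SENSITIVE_ACTIONS:
        return "allow"
    if session.password_verified_at is None:
        return "reauth"
    if now() - session.password_verified_at > REAUTH_WINDOW:
        return "reauth"
    return "allow"


def record_password_check(session: Session, now=time.time) -> None:
    """Call after the user re-entered a correct password; the session is now
    as trustworthy as one that began with a password."""
    session.password_verified_at = now()
    session.via = "password"


def mask_account_number(number: str, visible: int = 4, mask: str = "*") -> str:
    """Keep only the last `visible` digits; every other digit becomes `mask`.
    Separators are dropped so the output never reveals the original grouping."""
    digits = "".join(ch for ch in number if ch.isdigit())
    if len(digits) <= visible:
        return mask * len(digits)
    return mask * (len(digits) - visible) + digits[-visible:]


if __name__ == "__main__":
    s = session_from_cookie("alice")
    print(authorize(s, "view_dashboard"))       # allow
    print(authorize(s, "view_full_card"))       # reauth
    record_password_check(s)
    print(authorize(s, "view_full_card"))       # allow
    print(mask_account_number("4111 1111 1111 1111"))  # ************1111
```

The point of carrying `via` and `password_verified_at` in the session is that "logged in" stops being a single bit: a remember-me cookie is enough to read a dashboard, but money-moving or data-exposing actions are gated on a fresh password, which is what limits the damage from the shared-machine scenario raised earlier in the thread.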
