Auto logon

What is the best way to handle allowing someone to check a box that says log me in automatically from this computer? I do it now with cookies but it is a pretty straight forward process. Are there any ways to make this more secure?

Not really.

It depends on your cookies. If right now all you’re using is a cookie that stores the username and that is enough to log them in, that is not secure.

If that’s the case, you could add another cookie that contains a hash of some information and a key like so:

// Log-in script goes here (run this only after the username and password have been verified)
// setcookie() is what actually sends the cookie to the browser; assigning to $_COOKIE
// only changes the current request's copy and nothing is sent back to the client.
setcookie('username', $username);
setcookie('login_secure', sha1("secretcode" . $username . $password));

Then when someone accesses a protected page, you can check if the “login_secure” cookie is equal to sha1(“secretcode”.$username.$password) and if it is, the user is correctly logged in.

Your suggestion is only marginally better. An md5 or sha of the username or password can still be lifted or falsified. Same with sessions. If you want either to be secured you have to use https. That said, if someone compromises the client computer the cookie is stored in the clear. Even if its contents are an encrypted hash, that encrypted hash on another computer will allow the hacker to gain access to the system.

And there’s not really much that can be done about this. HTTP is by nature a “stateless” protocol. Mechanisms for login/logout have been grafted onto it.

Personally I use sessions, which place a cookie with a session id in it, and also store session info in the database, with expiry time, client, maybe IP or some other info. That way if the session is called again (the user reloads the site the next day, or what have you) you can then compare the stored session state with the current access state, and if things don’t match, destroy the session (or at least reset the cookie on that client). Session information is stored server side, so if you use this method the hackers don’t know what information you store for verification; all they know is they can’t access your session id from a different PC.

/endblob

Thanks all for the comments and good ideas. I have a better understanding of the landscape now and the inherent risks in doing this.

My cookie key is md5 ( password + useragent + time ). The last issued cookie key is saved to the database for the user. Cookie auth is one-use only. I also store a couple of other tidbits for javascript to pull without relying on the server.

Embedding the user agent prevents users from using the cookie with a different browser. It also means Chrome users have a maximum cookie life of 1 month (but that isn’t my fault :smiley: )
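The single-use, browser-bound "remember me" token described in the two posts above (server-side record of the last issued key, compare on every use, destroy on mismatch), written out as an added example that is not code from any poster. It is in Python rather than PHP so the logic is easy to read, and it swaps the md5(password + useragent + time) key for a random token whose hash is stored server side, so a stolen database row or cookie reveals nothing about the password; the in-memory dict standing in for the users table and the `now` parameter are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class RememberMeStore:
    """Constructed stand-in for the database table holding, per user, the hash
    of the last issued remember-me token, the user agent it was bound to, and
    its expiry. Tokens are single use: redeeming one (or failing to) drops it."""

    def __init__(self, lifetime=30 * 24 * 3600):
        self.lifetime = lifetime          # seconds a token stays valid
        self._rows = {}                   # username -> (token_hash, user_agent, expires_at)

    def issue(self, username, user_agent, now=None):
        """Return a fresh token to put in the cookie; only its hash is stored."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._rows[username] = (
            hashlib.sha256(token.encode()).hexdigest(),
            user_agent,
            now + self.lifetime,
        )
        return token

    def redeem(self, username, token, user_agent, now=None):
        """Validate a presented cookie. On success the old token is retired and a
        replacement is returned (rotate the cookie); on any failure the stored
        token is destroyed and None is returned, so the user must log in again."""
        now = time.time() if now is None else now
        row = self._rows.pop(username, None)   # one-use: the row is gone either way
        if row is None:
            return None
        token_hash, bound_ua, expires_at = row
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, token_hash):
            return None                        # wrong or replayed token
        if user_agent != bound_ua:
            return None                        # cookie moved to a different browser
        if now > expires_at:
            return None                        # past the stored expiry
        return self.issue(username, user_agent, now)
```

A replayed token fails the digest comparison because the matching row was replaced at the first redemption, which is the same property the md5-of-last-key scheme relies on.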

Storing sessions in the database is only really useful if you’re doing load balancing.

It’s also useful for things like: Who’s online, who’s viewing this thread, etc. I have yet to see a way to do this without storing to a database.