tags:

views:

105

answers:

3
Q: 

long term cookie

I'm looking for a way for users to be able to connect to my application easily, but rarely. What I want to do is be able to store a cookie with a 1 year life on the user's computer. If they access the website while the cookie is active, they will be automatically logged in.

My proposed solution is this: Upon initial login, create a cookie with the users IP address, last login date, and random number, all hashed together. I will also store their user ID and IP address in cookies as well. These values will also be stored in the database. If after a few months they access the site again, the IP address, ID, and hash match the values in the database, then they are automatically logged in. A new hash is computed. If any of these don't match, then the user will be prompted to log in again.

Are there any obvious security flaws to this design? I am not worried about IP addresses changing, this will be for professors on a university campus.

Thanks in advance, --Dave

+1  A: 

Your question does not make it clear how this system is any different from any other standard long-life cookie. Those are used across the web without significant security problems, so I see no reason you could not also use a cookie in a similar fashion.

Paul McMillan  2009-11-20 00:47:38
I am completely self taught in this though. This was a topic I've had trouble researching, so I came up with this concept on my own. If this is how other people do it, then great. But, I just wanted to see if others could tear my idea apart before I implement them.--Dave
the Hampster  2009-11-20 05:40:12
A: 

Are there any obvious security flaws to this design?

No.

Andrew  2009-11-20 00:51:51
A: 

I would say it's definitely a security risk if someone figures out the system. To be honest, I would rethink that setup, at least the storing it in a database part. Not to mention the fact that cookies very rarely stay on someone's computer for a year anyway, most people clean them far more frequently.

But since you asked, creating it is pretty easy:

$expire = time()+(60*60*24*365);

setcookie("login", "mycookie", $expire, "", "yoursite.com" );

Instead of "mycookie" you could insert that token you were talking about. Hope that helps a little.

Jeremy Morgan  2009-11-20 00:52:57
Most people are unaware of the existence of cookies, let alone the idea of clearing them with any frequency. People who do clear them expect to be logged out of websites they were logged into.
Paul McMillan  2009-11-20 01:04:23

related questions

Web framework programming mindset
ASP.NET - asp:xxx Controls versus standard HTML
From Desktop to Web browser considerations
Which PHP Framework will get me to a usable UI the fastest?
Best practice for integrating TDD with web application development?
How to Manage Web Development?
When is a file just a file?
Recommendations for browser add-on tools to help with development
REALLY Simple Website--How Basic Can You Go?
Convince Firefox to send an If-Modified-Since header over HTTPS
What do the getUTC* methods on the date object do?
Planning and Building a mobile enabled site for your main site.
Firebug for IE
Javascript and PHP - Login Script with hidden buttons
Firebug won't display console feeds for some of my sites
Displaying ad content from Respose.WriteFile()/ Response.ContentType
How can I detect if a browser is blocking an popup?
How to Test Web Code?
What PHP framework would you choose for a new application and why?
How do you disable browser Autocomplete on web form field / input tag?
What is Progressive Enhancement?
In HTML, how to word-break on a dash?
The Definitive Guide To Website Authentication
How do you test layout design across multiple browsers/OSs?
How much of the Web build process do you/should you automate?