views:

105

answers:

3

I'm looking for a way for users to be able to connect to my application easily, but rarely. What I want to do is be able to store a cookie with a 1 year life on the user's computer. If they access the website while the cookie is active, they will be automatically logged in.

My proposed solution is this: Upon initial login, create a cookie with the user's IP address, last login date, and random number, all hashed together. I will also store their user ID and IP address in cookies. These values will also be stored in the database. If after a few months they access the site again, and the IP address, ID, and hash match the values in the database, then they are automatically logged in. A new hash is computed. If any of these don't match, then the user will be prompted to log in again.

Are there any obvious security flaws to this design? I am not worried about IP addresses changing; this will be for professors on a university campus.

Thanks in advance, --Dave

+1  A: 

Your question does not make it clear how this system is any different from any other standard long-life cookie. Those are used across the web without significant security problems, so I see no reason you could not also use a cookie in a similar fashion.

Paul McMillan
I am completely self taught in this though. This was a topic I've had trouble researching, so I came up with this concept on my own. If this is how other people do it, then great. But, I just wanted to see if others could tear my idea apart before I implement them. --Dave
the Hampster
A: 

Are there any obvious security flaws to this design?

No.

Andrew
A: 

I would say it's definitely a security risk if someone figures out the system. To be honest, I would rethink that setup, at least the storing it in a database part. Not to mention the fact that cookies very rarely stay on someone's computer for a year anyway, most people clean them far more frequently.

But since you asked, creating it is pretty easy:

<?php
// Expiry one year from now, in seconds since the Unix epoch
$expire = time() + (60 * 60 * 24 * 365);

// Arguments: name, value, expiry, path ("" = current directory), domain
setcookie("login", "mycookie", $expire, "", "yoursite.com");

Instead of "mycookie" you could insert that token you were talking about. Hope that helps a little.

Jeremy Morgan
Most people are unaware of the existence of cookies, let alone the idea of clearing them with any frequency. People who do clear them expect to be logged out of websites they were logged into.
Paul McMillan
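An added example of the token that could go into Jeremy's cookie, not code from any answer above: instead of hashing IP, date and a random number and keeping that same hash in both the cookie and the database, the cookie carries a random selector plus a random verifier, the database keeps only a SHA-256 of the verifier (so a copied table does not yield working cookies), the comparison is constant-time, and every successful use rotates the token, as Dave's design computes a new hash on each login. The in-memory `DB` dict, the `Record` class and the `issue`/`validate` functions are assumptions standing in for a real database layer.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

ONE_YEAR = 60 * 60 * 24 * 365


@dataclass
class Record:
    user_id: int
    verifier_hash: str  # SHA-256 of the verifier; the raw secret is never stored
    expires: int        # Unix timestamp after which the token is dead


# Constructed in-memory stand-in for the database table: selector -> Record
DB = {}


def issue(user_id, now):
    """Create a fresh remember-me token and return the cookie value."""
    selector = secrets.token_urlsafe(9)    # public lookup key, unique per token
    verifier = secrets.token_urlsafe(32)   # 256-bit secret, only ever in the cookie
    DB[selector] = Record(
        user_id=user_id,
        verifier_hash=hashlib.sha256(verifier.encode()).hexdigest(),
        expires=now + ONE_YEAR,
    )
    return f"{selector}:{verifier}"


def validate(cookie, now):
    """Return (user_id, new_cookie) on success, or None if the token is rejected."""
    selector, sep, verifier = cookie.partition(":")
    if not sep:
        return None                        # malformed cookie
    rec = DB.get(selector)
    if rec is None or now > rec.expires:
        DB.pop(selector, None)             # unknown or expired: drop and refuse
        return None
    presented = hashlib.sha256(verifier.encode()).hexdigest()
    if not hmac.compare_digest(rec.verifier_hash, presented):
        del DB[selector]                   # wrong verifier for a known selector:
        return None                        # treat as theft and kill the token
    del DB[selector]                       # single use: rotate on every login
    return rec.user_id, issue(rec.user_id, now)
```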