views:

180

answers:

4

Currently I'm using sessions to log in the user, but when I close the browser and open it again I have to log in again. How do you keep the user logged in for, let's say, 2 weeks?

Is it through cookies then?

A: 

Yes. You use cookies to implement the "auto login" (or "remember me") functionality.

This Google search or SO search should point you in the right direction.

Jan Hančič
A: 

Yes, you should do that using cookies. Here's the manual entry: http://php.net/manual/en/features.cookies.php

Alternatively, you can take a look at this function: http://php.net/manual/en/function.session-set-cookie-params.php. It allows you to modify session cookie settings like its lifetime...

Franz
+1  A: 

Read this: http://www.php.net/manual/en/session.configuration.php

The setting that you need is session.cookie_lifetime. Session cookies (e.g. ones that do not have a lifetime) are deleted when the browser is closed. If you want the sessions to stay alive for longer, set that setting in php.ini, httpd.conf, or .htaccess, possibly even with ini_set.

Edit: Actually you can use this function:

session_set_cookie_params(86400*30); // cookie lifetime in seconds; must be called before session_start()
session_start();

86400*30 is 30 days.

See here: http://www.php.net/manual/en/function.session-set-cookie-params.php

gahooa
+8  A: 

So you want a "Remember me on this computer" option? Here's a language-agnostic way to do it:

  1. Create a DB table with at least cookie_id and user_id columns. If necessary also add a cookie_ttl and ip_lock. The column names speak for themselves, I guess.
  2. On first-time login (if necessary only with the "Remember me" option checked), generate a long, unique, hard-to-guess key which represents the cookie_id and store this in the DB along with the user_id. Also store this as the value of a cookie with a previously specified cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.
  3. On every request, check if the user is logged in. If not, then check the cookie value cookie_id associated with the cookie name remember. If it is there and it is valid according to the DB, then automagically log in the user associated with the user_id and postpone the cookie age again.

As to the security risks, if the key is long and mixed enough (at least 30 mixed chars), then the chances of brute-forcing the login are negligible. Furthermore, you probably already understood what the optional column ip_lock is to be used for. It should represent the IP address of the user. You could eventually add an extra checkbox "Lock login to this IP (only if you have a static IP)" so that the server can use the user's IP address as an extra validation.

And what if someone hijacked the cookie value from a user without an IP lock? Well, there's not much to do against this. Live with it. The "remember me" thing is nice for things like forums, and account hijacks wouldn't hurt that much there, but I would certainly not use it for admin panels and that kind of webpage which controls the server-side stuff.

It's after all fairly straightforward. Good luck.

BalusC
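The three steps above worked out in PHP, as an added example that is not part of the answer: it assumes PHP 7.3+ (for the `setcookie` options array), a PDO connection `$db`, and a table `remember_tokens(selector, token_hash, user_id, expires_at)` whose names are made up here. Beyond the answer, it stores only a hash of the secret part and rotates the token on every successful auto-login, so a database leak or a stolen cookie is worth less to an attacker.

```php
<?php
// Added example (not BalusC's own code): the three steps of the answer in PHP,
// using an assumed PDO table remember_tokens(selector, token_hash, user_id, expires_at).
// Table and column names are assumptions; adjust to your schema.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 86400 * 365; // one year, as in step 2

// Step 2: on login with "remember me" checked, issue the cookie.
function issueRememberCookie(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(9));   // public part: locates the DB row
    $validator = bin2hex(random_bytes(32));  // secret part: 64 hex chars, hard to guess
    // Store only a hash of the validator so a DB leak does not yield usable cookies.
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Step 3: on each request without a session login, try the remember cookie.
// Returns the user_id on success, null otherwise.
function loginFromRememberCookie(PDO $db): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE]) || strpos($_COOKIE[REMEMBER_COOKIE], ':') === false) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;   // unknown selector, expired row, or forged validator
    }
    $_SESSION['user_id'] = (int) $row['user_id'];
    // "Postpone the cookie age": rotate the token so a copied cookie stops working
    // as soon as the legitimate user logs in again.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issueRememberCookie($db, (int) $row['user_id']);
    return (int) $row['user_id'];
}

// Usage sketch: session_start(); if (empty($_SESSION['user_id'])) { loginFromRememberCookie($db); }
```

Expired rows should also be purged periodically (e.g. a cron job deleting `expires_at < now`), and an explicit logout should delete the user's rows so the cookie cannot be replayed afterwards.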
I think it would be a good idea to store the user agent in a database, because it is pretty illogical that the same user will want to be remembered in both IE and Firefox. In fact everything that can be mined from the request should be stored in order to prevent cookie stealing, shouldn't it?..
Saulius Lukauskas
Doable, but it would fail if the user upgraded the UA.
BalusC
Well, it is way better for the user to enter his details again than for an intruder to get his access.
Saulius Lukauskas