views:

94

answers:

3

I have a login system. How can I implement a secure "remember me" system using cookies?

What value should I store in the cookie, the username and password? But how can I secure it?

+2  A: 

See:

Sarfraz
-1 Both implementations described on the pages you linked have serious security flaws and thus are absolutely not recommendable.
Gumbo
@Sarfraz: Do you recommend these tutorials because a) it's your expert's opinion that they are excellent b) they came up after an extensive 5 seconds google search and didn't look horrible at first glimpse?
VolkerK
@VolkerK: I guess they were just the first results when [googling for something like “php login remember me cookie”](http://www.google.com/search?q=php+login+remember+me+cookie).
Gumbo
A: 

There's not much to it... don't let your session files get cleaned up (ini setting session.gc_probability = 0), and change the session cookie from temporary to permanent (ini setting session.cookie_lifetime = however_long_you_want_the_user_to_be_remembered).

Of course, you'd probably want to eventually clean up stale session files, so you could experiment with a very low probability of the cleanup occurring, or do some external cleanup. Either way, as long as the user keeps the session cookie around and you keep the session file around, they'll be "remembered".

Marc B
I think a cookie set with `setcookie()` would be a better idea rather than let sessions never expire.
alex
Well, either way, if the user's remembered, the session will be recreated, so might as well keep it around. You can always strip out critical data if there's a large time lapse between visits when the next visit does come in.
Marc B
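The long-lived-session approach from the answer above, written out as an added example (this is not code from the answer or from any project). It assumes PHP 7.3 or later; the keys `last_seen` and `elevated` and the constants are this example's own. One design choice differs from the answer: instead of disabling garbage collection with `session.gc_probability = 0`, it raises `session.gc_maxlifetime` to match the cookie lifetime, so stale session files are still collected once the cookie would have expired. The `refreshSessionState()` function implements the comment about stripping critical data after a long gap between visits: the remembered identity survives, but the marker that unlocks sensitive actions is dropped.

```php
<?php
// Added example, not from the original answer: a persistent PHP session as the
// "remember me" mechanism, with a last-seen check that downgrades stale sessions.
declare(strict_types=1);

const REMEMBER_SECONDS = 30 * 24 * 60 * 60;   // how long the user stays remembered (assumed)
const ELEVATED_WINDOW  = 15 * 60;             // how long sensitive actions stay unlocked (assumed)

// Call before session_start(): make the session cookie persistent and keep the
// server-side session data at least as long as the cookie lives.
function configureRememberedSession(): void
{
    // Garbage collection would otherwise remove the session file long before the cookie expires.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);
    // Reject session ids the server never issued (prevents fixation with a chosen id).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => REMEMBER_SECONDS,
        'path'     => '/',
        'secure'   => true,    // only sent over HTTPS
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Given the session data (normally $_SESSION) and the current time, keep the
// remembered identity but drop the 'elevated' marker when the last visit was long ago.
function refreshSessionState(array $session, int $now): array
{
    $lastSeen = (int) ($session['last_seen'] ?? 0);
    if ($now - $lastSeen > ELEVATED_WINDOW) {
        // Large time lapse: the user is still remembered, but must re-authenticate
        // before doing anything that requires the 'elevated' marker.
        unset($session['elevated']);
    }
    $session['last_seen'] = $now;
    return $session;
}

// Demonstration with a plain array standing in for $_SESSION and a fixed clock.
$loginTime = 1700000000;
$session   = ['user_id' => 42, 'elevated' => true, 'last_seen' => $loginTime];

$soon = refreshSessionState($session, $loginTime + 60);
if (!isset($soon['elevated'])) {
    throw new RuntimeException('elevated marker should survive a short gap');
}

$later = refreshSessionState($session, $loginTime + 7 * 24 * 60 * 60);
if (isset($later['elevated']) || $later['user_id'] !== 42) {
    throw new RuntimeException('identity should survive, elevation should not');
}
echo "session downgrade logic OK\n";
```

In a real request handler, `configureRememberedSession()` runs before `session_start()`, and `$_SESSION = refreshSessionState($_SESSION, time());` runs right after it; pages that change passwords or payment details then check for `$_SESSION['elevated']` and ask for the password again when it is missing.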
A: 

Maybe you could create a 16 char letter/number string that is associated in a database with that user and the MAC address so that (as long as people aren't trying too hard and spoofing MACs) only that machine can log on.

David Watson
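The database-backed random token from the answer above, as an added example (not code from the answer or from any project). It assumes PHP 7.3 or later with PDO and SQLite available, and the table name `remember_tokens`, the cookie name and the lifetime are this example's own. The cookie carries a public selector plus a secret token; only a SHA-256 hash of the secret is stored, so a copy of the table does not yield usable cookies, and the comparison uses `hash_equals()` to avoid timing differences. The example binds the token to the user account only and leaves out the MAC-address part of the answer: a web server does not see a remote client's MAC address, so there is nothing reliable to bind to there.

```php
<?php
// Added example, not from the original answer: persistent "remember me" tokens
// stored hashed in a database and presented as selector:secret in a cookie.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';        // cookie name (assumed)
const REMEMBER_TTL    = 30 * 24 * 60 * 60;    // 30 days (assumed)

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector   TEXT PRIMARY KEY,
        token_hash TEXT NOT NULL,
        user_id    INTEGER NOT NULL,
        expires_at INTEGER NOT NULL
    )');
}

// Issue a fresh token for $userId and return the value to place in the cookie.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $selector = bin2hex(random_bytes(8));    // public lookup key
    $secret   = bin2hex(random_bytes(16));   // never stored in clear
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $secret), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $secret;
}

// Send the cookie with the attributes that keep it off plain HTTP and away from page scripts.
function sendRememberCookie(string $value, int $now): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate a presented cookie value; returns the user id, or null when it is
// malformed, unknown, expired, or the secret does not match the stored hash.
function userFromRememberCookie(PDO $db, string $value, int $now): ?int
{
    $parts = explode(':', $value, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $secret] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $secret))) {
        return null;   // valid selector, wrong secret
    }
    return (int) $row['user_id'];
}

// Remove a token, e.g. on logout, so the cookie stops working immediately.
function revokeRememberToken(PDO $db, string $selector): void
{
    $stmt = $db->prepare('DELETE FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
}

// Demonstration with an in-memory SQLite database and a fixed clock
// (sendRememberCookie() is not called here because the CLI has no HTTP response).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$now = 1700000000;

$cookie = issueRememberToken($db, 42, $now);
if (userFromRememberCookie($db, $cookie, $now) !== 42) {
    throw new RuntimeException('fresh token should resolve to user 42');
}
if (userFromRememberCookie($db, $cookie, $now + REMEMBER_TTL + 1) !== null) {
    throw new RuntimeException('expired token must be rejected');
}
$tampered = substr($cookie, 0, -1) . (substr($cookie, -1) === 'a' ? 'b' : 'a');
if (userFromRememberCookie($db, $tampered, $now) !== null) {
    throw new RuntimeException('altered secret must be rejected');
}
revokeRememberToken($db, explode(':', $cookie, 2)[0]);
if (userFromRememberCookie($db, $cookie, $now) !== null) {
    throw new RuntimeException('revoked token must be rejected');
}
echo "remember-me token round trip OK\n";
```

The point of storing the username and password in the cookie is exactly what this avoids: the cookie holds a random secret that can be revoked per device, and a password change can simply delete every row for that user.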