views: 47
answers: 4

What is the best way of storing users' IDs or usernames so they will not have to log in every time?

I want to forward the user to the members page if the stored ID or username is compared with the one stored in the database.

Is it safe to do it using cookies, and how can I do that?

+2  A: 

Don't store their username or password in a cookie. Always assume that everyone on the internet can see every cookie on a person's computer. What you should do instead is save the session_id and the IP address they accessed from to your MySQL table, then save the session_id to a cookie. Most browsers will clear session variables when you close the window, but they will not clear cookies. Therefore you first check the session (are they currently logged in?), and if they're not logged in then you check the cookie (were they logged in before, and more importantly, was it from this IP address?).

Of course if they have a session_id but they're not at the proper IP address, make them log in. They could just have an ISP with dynamic IPs, or they could have been listening to network traffic and they're trying to get into the admin user without a password.

steven_desu
+1  A: 

This feature should be optional, to let people log in from an internet cafe and such without leaving their data open to everyone.

Yes, a cookie is the only possible way to mark a browser.
You have to store some unique and unpredictable value there. Generate some hash out of the user's data, store it in the database along with the other user data, and set it as a cookie.

Col. Shrapnel
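An added example, not from this answer or the original page, of the approach described above in PHP: a random, unpredictable token goes in the cookie, only its hash is stored server-side, and the token is checked on return and revoked on logout. The `$rememberTable` array is a constructed stand-in for the MySQL table, and the function names are assumptions.

```php
<?php
// Constructed stand-in for the "remember me" table; a real site would use MySQL.
$rememberTable = [];   // token_hash => ['user_id' => int, 'expires' => unixtime]

// Issue a persistent-login cookie for a user who has just authenticated.
function issueRememberToken(array &$table, int $userId, int $ttl = 30 * 86400): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG: unpredictable
    $table[hash('sha256', $token)] = [        // store only the hash, never the raw token
        'user_id' => $userId,
        'expires' => time() + $ttl,
    ];
    setcookie('remember', $token, [
        'expires'  => time() + $ttl,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable by JavaScript (limits XSS theft)
        'samesite' => 'Lax',
    ]);
    return $token;
}

// On a request with no live session: return the user behind the cookie, or null.
function userFromRememberToken(array &$table, ?string $cookie): ?int
{
    // Reject anything that is not a 64-hex-char token before touching the table.
    if ($cookie === null || strlen($cookie) !== 64 || !ctype_xdigit($cookie)) {
        return null;
    }
    $key = hash('sha256', $cookie);           // look up by hash, same as the DB column
    if (!isset($table[$key])) {
        return null;
    }
    $row = $table[$key];
    if ($row['expires'] < time()) {
        unset($table[$key]);                  // expired: drop it so it cannot be reused
        return null;
    }
    return $row['user_id'];
}

// Throw the token away on logout so a stolen copy dies with the session.
function revokeRememberToken(array &$table, string $cookie): void
{
    unset($table[hash('sha256', $cookie)]);
    setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
}
```

The user_id returned by `userFromRememberToken` is what you compare against the database row before forwarding to the members page; issue a fresh token after every successful login rather than reusing one indefinitely.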
A: 

With my sites, I use a custom-written Session class. This stores a sess_id and sess_hash in a cookie, which is unique for the current user. An IP address is also stored in the database and checked against the current IP to verify it is the same computer, but that is not the main authentication mechanism. Data is then stored, serialised and base64'd, in the database. I would advise against using PHP Sessions, because they can be accessed by any user with the ID. Someone posting a link to something with the PHPSESSID in it can, for example, let them log into their account.

Thomas O
PHP Sessions do not pass the ID in links by default. Your advice is based on ignorance. You have to learn this topic better. And, as a matter of fact, your approach is more vulnerable to session fixation, as it seems to keep the same ID forever.
Col. Shrapnel
PHP Sessions sometimes do pass the ID in the URL. I have never figured out why it does it only occasionally. I suspect it has something to do with cookie support in the browser.
Thomas O
The ID is sequentially unique to each log in and each session. The hash is a UUID. So it is not vulnerable to anything except brute force attacks and/or side channel attacks (e.g. in the UUID not being random.)
Thomas O
You suspect wrong. It has something to do with PHP settings, which can be set to any state you want. And your ID is still catchable due to sniffing/XSS.
Col. Shrapnel
The ID may be catchable, as may the UUID. But without these two details, you cannot access the session. Also, the IP must match. The ID is sequential but the UUID is not.
Thomas O
I have also seen the PHPSESSID= on some of my pages but only occasionally. Like once in a hundred times or so.
Thomas O
I think the session ID is passed after a sufficient amount of time has passed for the session to time out. I've noticed I see it a LOT more often on forums than on many other websites, and I usually spend a long time typing responses on forums. In either case, PHP session IDs require an IP address to be valid. The only reason I said to cache the IP in my answer was because you weren't getting a PHP session, but a cookie with the same value (which does not compare the IP).
steven_desu
A: 

The safest way is to require a valid SSL certificate from the browser, and validate the user agent's certificate server-side. However, in any browser I've seen, installing such certificates is a big enough pain and hurdle for users that it's probably not suited to a public website. It can, however, sometimes be seen in intranets.

Wrikken