How do you implement this in CI?

+13  A: 


How would you do this? Or, how would you create a session with a longer expiration date than the others?

*All created sessions would use the same $config['sess_expiration'] in the config file (default: 7200 seconds), is there a way to pass a custom value?*

Extending the expiration of a session cookie isn't going to work for a "remember me" feature, since the user will lose their session cookie when they close the browser. If Code Igniter doesn't have a native "remember feature", then you'll need to write something to drop a long-life cookie which contains information which will allow an automatic login when the server sees it again.

There's a good article on Persistent Login Cookie Best Practice, which can be summarized as:

  1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
  2. The login cookie contains the user's username and a random number (the "token" from here on) from a suitably large space. The username and token are stored as a pair in a database table.
  3. When a non-logged-in user visits the site and presents a login cookie, the username and token are looked up in the database.
     1. If the pair is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in the database with the username, and issued to the user via a new login cookie.
     2. If the pair is not present, the login cookie is ignored.
  4. Users that are only authenticated via this mechanism are not permitted to access certain protected information or functions such as changing a password, viewing personally identifying information, or spending money. To perform those operations, the user must first successfully submit a normal username/password login form.
  5. Since this approach allows the user to have multiple remembered logins from different browsers or computers, a mechanism is provided for the user to erase all remembered logins in a single operation.

Another article which builds more security onto those ideas is Improved Persistent Login Cookie Best Practice.

If you follow the practices in those articles, you won't go far wrong!

Paul Dixon
yup, good article but not exactly what I'm looking for. What I want to know is a way to do that particular task (setting up a longer session than the other ones) in CI :D
andyk
Extending the expiration of a session cookie isn't going to work for a "remember me" feature, since the user will lose their session cookie when they close the browser. If Code Igniter doesn't have a native "remember feature", then the ideas presented above will help you implement one.
Paul Dixon
okay, now I see the flaw in the question. It should be "How do you implement this in CI?". Silly me. I'll wait a bit before going with your suggestion. Thanks Paul.
andyk
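A plain-PHP implementation of the five steps summarized in Paul Dixon's answer, added here as an example; it is not code from the question, the answers, or CodeIgniter itself. It assumes a constructed in-memory array in place of the database table and a hypothetical cookie name `remember_me`, and it stores a hash of the token rather than the token itself (a hardening beyond the summary above); wiring it to CodeIgniter's models and cookie handling is left to the reader.

```php
<?php
// Constructed stand-in for the login-token table: username => list of token hashes.
// In a real application this is a database table, as in step 2 above.
$loginTokens = [];

const COOKIE_NAME = 'remember_me';          // hypothetical cookie name
const COOKIE_TTL  = 30 * 24 * 3600;         // 30 days, far longer than sess_expiration

// Store only a hash of the token, so a leaked table does not yield usable cookies.
// (Hardening added in this example; the summary above stores the raw pair.)
function tokenHash(string $token): string {
    return hash('sha256', $token);
}

// Steps 1-2: on a successful "Remember Me" login, mint a random token from a large
// space, record the (username, token) pair, and issue a long-lived cookie alongside
// the normal session cookie. Returns the cookie value so callers can inspect it.
function issueLoginCookie(array &$table, string $username): string {
    $token = bin2hex(random_bytes(32));     // 256 bits of CSPRNG output
    $table[$username][] = tokenHash($token);
    $value = $username . ':' . $token;
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,    // only over TLS (see the SSL discussion below)
        'httponly' => true,    // not readable from script, which blunts XSS theft
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Step 3: a non-logged-in visitor presents the cookie. On a match the used token is
// removed and a fresh one issued (3.1); an unknown pair is simply ignored (3.2).
// Returns the username, or null. Step 4 is the caller's job: mark this login as
// cookie-only and demand a password before sensitive actions.
function redeemLoginCookie(array &$table, string $cookie, ?string &$newCookie = null): ?string {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$username, $token] = $parts;
    $presented = tokenHash($token);
    foreach ($table[$username] ?? [] as $i => $stored) {
        if (hash_equals($stored, $presented)) {          // constant-time compare
            unset($table[$username][$i]);                // 3.1: consume the token
            $newCookie = issueLoginCookie($table, $username);
            return $username;
        }
    }
    return null;                                         // 3.2: ignore the cookie
}

// Step 5: let the user erase every remembered login, on every browser, at once.
function forgetAllLogins(array &$table, string $username): void {
    unset($table[$username]);
}
```

Because the token is single-use and rotated on every redemption, a stolen cookie that is replayed after the legitimate browser has already used it falls through to 3.2 and is ignored.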
+3  A: 

You might want to reconsider the suggestion from 'Improved Persistent Login Cookie Best Practice'. I've posted my analysis of the problem on the site, but the gist of it is this:

You cannot prevent cookie stealing without a secure line, no matter what

(*By 'secure line', I mean SSL / VPN tunneling / public-key encryption - or a robust challenge-response scheme*)

I'm all for persistent login best practices, but there's a point where no amount of trickery is going to help, and where the only way up is SSL.

Jens Roland
Interesting. Which one is your analysis ?
andyk
The last one, posted in the name 'Jens Roland'. It should be on the second page of comments (http://jaspan.com/improved_persistent_login_cookie_best_practice?page=1)
Jens Roland
SSL doesn't really solve anything. Background info: http://fishbowl.pastiche.org/2003/10/20/whats_your_threat_model/ The majority of attacks against cookies are either XSS, browser bugs or compromising the client. Setting httpOnly fixes XSS (no SSL required), and SSL does nothing to fix the others.
Charles Miller
Even if it is in no way foolproof, SSL still has a better-than-average chance of thwarting the #1 attack mode (interception over the wire). #2 and #3 are just plain game over and beyond the scope of an authentication measure, and as you said, httpOnly fixes #4.
Jens Roland
You're just paraphrasing what I quoted in the aforelinked post: "Well, in a nutshell, we won't protect against the end system attack, because its really difficult. And we'll ignore DOS because that's too difficult too. But we'll cover the entire on-the-wire threats… because… we can!"
Charles Miller
Yes, but only to address the statement that SSL doesn't solve *any*thing, which isn't entirely the case. But maybe I should have qualified my original statement better: You cannot prevent cookie stealing _over the wire_ without a secure line, no matter what.
Jens Roland