Re: [PHP] Remember me function
Brad Brevet wrote:
> What I have set up, and it is working, is a cookie that saves someone's username if they check the Remember Me box. If the cookie is set it then starts the necessary session and stays active for 30 days. Are there any pitfalls to this that you can see? Are there any additional security measures I should take?
>
> As far as passwords are concerned you must have access to the user's specific email address in order to obtain that information, but then again I think that is the only way to relay password information at all; it isn't visibly available in a non-MD5 form anywhere on the site.

The biggest pitfall is people using public computers and checking Remember Me...

I know, that sounds really dumb to you, but they do it.

If this is their bank account, I sure wouldn't do Remember Me (at all).

If it's not all *that* crucial...

The other consideration is if their computer is physically accessed/stolen.

Put it this way: Assume the worst-case scenario, and that sooner or later, somebody is going to abuse Remember Me to get to somebody else's data. [Because it *WILL* happen.] Is this going to be a big problem? If so, don't provide Remember Me.

If you don't provide Remember Me you should allow users to pick their own usernames, as much as possible, and to set their own passwords.

It's gotten to the point where sites that require me to login are seldom visited. I never remember what I used to login, and don't want to wait for that email to arrive.

Bye.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] Remember me function
Brad Brevet wrote:
> Nevermind, I figured it all out, thanks for the info.
>
> Brad Brevet [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Is this all I would need to do to set a cookie with a username stored for 30 days? Sorry, I am new at this.
>>
>> setcookie('CookieName', $username, time()+60*60*24*30);

Be sure you provide a path whenever you provide a time to setcookie.

Various versions of IE are badly broken and ignore the time part unless there is also a path part.

--
Like Music?
http://l-i-e.com/artists.htm
Re: [PHP] Remember me function
On Fri, 3 Dec 2004 07:38:47 -0800, Brad Brevet [EMAIL PROTECTED] wrote:
> Hey all, I have a log-in all set up on my site using PHP Sessions but I want to add the Remember Me function, but I don't know what to set in the cookie to make it that way. Please help. :)

Set a cookie, then check for it later. If it exists, bypass the login and grant a session or whatever you're doing now for logged-in users.

You might also want to set a session variable that the cookie has been 'looked for' so it doesn't relog them in on each page request.

php.net/setcookie

--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
Re: [PHP] Remember me function
Is this all I would need to do to set a cookie with a username stored for 30 days? Sorry, I am new at this.

setcookie('CookieName', $username, time()+60*60*24*30);

Greg Donald [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> On Fri, 3 Dec 2004 07:38:47 -0800, Brad Brevet [EMAIL PROTECTED] wrote:
>> Hey all, I have a log-in all set up on my site using PHP Sessions but I want to add the Remember Me function, but I don't know what to set in the cookie to make it that way. Please help. :)
>
> Set a cookie, then check for it later. If it exists, bypass the login and grant a session or whatever you're doing now for logged-in users.
>
> You might also want to set a session variable that the cookie has been 'looked for' so it doesn't relog them in on each page request.
>
> php.net/setcookie
>
> --
> Greg Donald
> Zend Certified Engineer
> http://gdconsultants.com/
> http://destiney.com/
Re: [PHP] Remember me function
Nevermind, I figured it all out, thanks for the info.

Brad Brevet [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Is this all I would need to do to set a cookie with a username stored for 30 days? Sorry, I am new at this.
>
> setcookie('CookieName', $username, time()+60*60*24*30);
>
> Greg Donald [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> On Fri, 3 Dec 2004 07:38:47 -0800, Brad Brevet [EMAIL PROTECTED] wrote:
>>> Hey all, I have a log-in all set up on my site using PHP Sessions but I want to add the Remember Me function, but I don't know what to set in the cookie to make it that way. Please help. :)
>>
>> Set a cookie, then check for it later. If it exists, bypass the login and grant a session or whatever you're doing now for logged-in users.
>>
>> You might also want to set a session variable that the cookie has been 'looked for' so it doesn't relog them in on each page request.
>>
>> php.net/setcookie
>>
>> --
>> Greg Donald
>> Zend Certified Engineer
>> http://gdconsultants.com/
>> http://destiney.com/
Re: [PHP] Remember me function
Brad Brevet wrote:
> Hey all, I have a log-in all set up on my site using PHP Sessions but I want to add the Remember Me function, but I don't know what to set in the cookie to make it that way. Please help. :)

You have several options.

One is to do the http://php.net/session_start, and then, if they asked to be remembered, to do another http://php.net/setcookie with the http://php.net/session_name, http://php.net/session_id, time() + 60*60*24*365*2, '/' as arguments.

Don't go over 2 years, as browsers are not required to support that. Kinda overkill anyway, as who is going to wait two years to login and expect to be remembered?

Another option would be to set cookies with their username and password in them, and to not ask them to login if those cookies are there. But that's risky in that you are storing their password in their cookies, which means anybody else with physical access to their computer can not only get into your site, but can get their password in clear-text, and, most likely, they've used that password elsewhere, so now they can break into all that user's accounts all over the place. So this is not a *GOOD* option, even if it's technically possible.

Another possibility is to create an http://php.net/md5 hash of a random http://php.net/microtime number and store *that* in their cookies much like the first option -- and store that same md5 hash with their username in a new table in your database. The only real difference between this and the first option is separating out your remember me cookie from the built-in PHP Session ID.

Pros and cons either way.

--
Like Music?
http://l-i-e.com/artists.htm
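The third option Richard describes above (a random value in the cookie, with the same value stored next to the username in a table of its own, separate from the PHP session ID), written out as an added example that is not code from this thread. It assumes PHP 7.3 or later for the setcookie() options array, a table named remember_tokens, and an in-memory SQLite database constructed here so the script runs stand-alone; random_bytes() and hash_equals() take the place of md5(microtime()), since microtime() output is guessable, and only a hash of the secret part is kept in the table. The path argument is given together with the expiry, as Richard advises elsewhere in the thread for the IE versions that ignore the expiry otherwise.

```php
<?php
// Added example, not code from the thread: a "Remember Me" cookie carrying a
// random token that is matched against its own table, independent of the
// PHP session ID. Assumptions: PHP 7.3+, a remember_tokens table, and an
// in-memory SQLite database constructed here for demonstration.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days, as in Brad's setcookie call

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE remember_tokens (
    selector   TEXT PRIMARY KEY,   -- lookup key, stored in clear
    token_hash TEXT NOT NULL,      -- sha256 of the secret part of the cookie
    username   TEXT NOT NULL,
    expires_at INTEGER NOT NULL)');

// Creates the table row, sets the cookie, and returns the cookie value.
function issue_remember_cookie(PDO $pdo, string $username): string
{
    // random_bytes() in place of md5(microtime()): microtime() is guessable.
    $selector = bin2hex(random_bytes(12));
    $token    = bin2hex(random_bytes(32));
    $expires  = time() + REMEMBER_TTL;

    $pdo->prepare('INSERT INTO remember_tokens (selector, token_hash, username, expires_at)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $token), $username, $expires]);

    $value = $selector . ':' . $token;
    // Path is given with the expiry (Richard's IE note); HttpOnly and Secure
    // keep the cookie away from page scripts and from plain-HTTP requests.
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Returns the username the cookie belongs to, or null if it is not valid.
function username_from_remember_cookie(PDO $pdo, string $cookieValue): ?string
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $token] = $parts;

    $stmt = $pdo->prepare('SELECT token_hash, username, expires_at
                           FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison so a forged token cannot be probed byte by byte.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        // Known selector with the wrong secret: treat the row as compromised and drop it.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return $row['username'];
}

// Round trip for demonstration (cookie value is passed directly instead of
// being read back from $_COOKIE, so this also runs from the command line).
$cookie = issue_remember_cookie($pdo, 'brad');
var_dump(username_from_remember_cookie($pdo, $cookie));        // the issued cookie
var_dump(username_from_remember_cookie($pdo, $cookie . 'x'));  // a tampered copy
var_dump(username_from_remember_cookie($pdo, $cookie));        // the original, after the tampered attempt
```

In a page, the lookup would run once per session on `$_COOKIE[REMEMBER_COOKIE]`, guarded by a session flag as Greg suggests so it is not repeated on every request, and followed by session_regenerate_id() so the cookie login gets a fresh session ID. The round trip at the end shows the issued value resolving to the username, a tampered copy being rejected, and, because a wrong secret for a known selector deletes the row, the original value no longer working afterwards.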
Re: [PHP] Remember me function
What I have set up, and it is working, is a cookie that saves someone's username if they check the Remember Me box. If the cookie is set it then starts the necessary session and stays active for 30 days. Are there any pitfalls to this that you can see? Are there any additional security measures I should take?

As far as passwords are concerned you must have access to the user's specific email address in order to obtain that information, but then again I think that is the only way to relay password information at all; it isn't visibly available in a non-MD5 form anywhere on the site.

What else should I be worried about as far as security is concerned with Sessions and Cookies?

Richard Lynch [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Brad Brevet wrote:
>> Hey all, I have a log-in all set up on my site using PHP Sessions but I want to add the Remember Me function, but I don't know what to set in the cookie to make it that way. Please help. :)
>
> You have several options.
>
> One is to do the http://php.net/session_start, and then, if they asked to be remembered, to do another http://php.net/setcookie with the http://php.net/session_name, http://php.net/session_id, time() + 60*60*24*365*2, '/' as arguments.
>
> Don't go over 2 years, as browsers are not required to support that. Kinda overkill anyway, as who is going to wait two years to login and expect to be remembered?
>
> Another option would be to set cookies with their username and password in them, and to not ask them to login if those cookies are there. But that's risky in that you are storing their password in their cookies, which means anybody else with physical access to their computer can not only get into your site, but can get their password in clear-text, and, most likely, they've used that password elsewhere, so now they can break into all that user's accounts all over the place. So this is not a *GOOD* option, even if it's technically possible.
>
> Another possibility is to create an http://php.net/md5 hash of a random http://php.net/microtime number and store *that* in their cookies much like the first option -- and store that same md5 hash with their username in a new table in your database. The only real difference between this and the first option is separating out your remember me cookie from the built-in PHP Session ID.
>
> Pros and cons either way.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
Re: [PHP] Remember me function
Q: Because it reverses the logical flow of conversation.
A: Why is putting a reply at the top of the message frowned upon?

On Fri, 3 Dec 2004 10:58:21 -0800, Brad Brevet [EMAIL PROTECTED] wrote:
> What else should I be worried about as far as security is concerned with Sessions and Cookies?

You can use encrypted and compressed PHP sessions, and store them in the database instead of on the filesystem. I use ADOdb which provides all of that.

adodb.sf.net

--
Greg Donald
Zend Certified Engineer
http://gdconsultants.com/
http://destiney.com/
Re: [PHP] Remember me function
When I use this feature, I set a cookie to Remember Me that lasts for six months or a year. That's completely independent of any session(s). Often I'll have a 6-month session for storing shopping cart contents, and a 30-minute session for storing login status. All kinds of things going on :)

PS - When using a session that lasts a super long time, like 6 months, consider rolling your own session table rather than letting PHP create session text files all over your server. They can accumulate rather quickly.

Brian Dunning
http://www.briandunning.com/
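Brian's PS about rolling your own session table, and Greg's note earlier in the thread about keeping sessions in the database rather than on the filesystem, as an added example that is neither of theirs: a PHP session save handler that stores sessions in a table through PDO. It assumes PHP 8.0 or later (typed SessionHandlerInterface methods), a table named php_sessions, and uses an in-memory SQLite database constructed here so it runs stand-alone; a deployment would point $pdo at the application database instead.

```php
<?php
// Added example, not code from the thread: PHP sessions kept in a database
// table via SessionHandlerInterface instead of the default session files.
// Assumptions: PHP 8.0+, a php_sessions table, and an in-memory SQLite
// database constructed here for demonstration.

class PdoSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        // Expired rows are never handed back, even before gc() has swept them.
        $stmt = $this->pdo->prepare(
            'SELECT data FROM php_sessions WHERE id = ? AND expires_at > ?'
        );
        $stmt->execute([$id, time()]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : $data;   // '' means "no session data yet"
    }

    public function write(string $id, string $data): bool
    {
        // Lifetime follows session.gc_maxlifetime, so read() and gc() agree.
        $expires = time() + (int) ini_get('session.gc_maxlifetime');
        $stmt = $this->pdo->prepare(
            'INSERT INTO php_sessions (id, data, expires_at) VALUES (?, ?, ?)
             ON CONFLICT(id) DO UPDATE SET data = excluded.data, expires_at = excluded.expires_at'
        );
        return $stmt->execute([$id, $data, $expires]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM php_sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        // Expired rows are deleted here instead of piling up like files under /tmp.
        $stmt = $this->pdo->prepare('DELETE FROM php_sessions WHERE expires_at <= ?');
        $stmt->execute([time()]);
        return $stmt->rowCount();
    }
}

// Constructed demo setup.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE php_sessions (
    id         TEXT PRIMARY KEY,
    data       TEXT NOT NULL,
    expires_at INTEGER NOT NULL)');

// A 6-month session for cart contents, as Brian describes.
ini_set('session.gc_maxlifetime', (string) (60 * 60 * 24 * 180));
session_set_save_handler(new PdoSessionHandler($pdo), true);

session_start();
$_SESSION['cart'] = ['sku-123' => 2];   // constructed sample data
session_write_close();                  // triggers write() into the table

// Read the table directly to show where the serialized session now lives.
$row = $pdo->query('SELECT id, length(data) AS bytes, expires_at FROM php_sessions')
           ->fetch(PDO::FETCH_ASSOC);
printf("session %s stored in DB, %d bytes, expires %s\n",
       $row['id'], $row['bytes'], date('c', (int) $row['expires_at']));
```

With the login state kept in a separate, short-lived session as Brian does, the same handler serves both; only session.gc_maxlifetime (and the session name) differ between the two session_start() calls. Keeping the expiry in the row means a stolen or guessed session ID past its lifetime is refused by read() immediately, without waiting for the probabilistic gc() run.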
Re: [PHP] Remember me function
Well, what my plan is, is to create a session on log-in along with a stored cookie, so that once the browser is closed the session is removed and only the cookie remains for the 30-day time period.

Brad

Brian Dunning [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> When I use this feature, I set a cookie to Remember Me that lasts for six months or a year. That's completely independent of any session(s). Often I'll have a 6-month session for storing shopping cart contents, and a 30-minute session for storing login status. All kinds of things going on :)
>
> PS - When using a session that lasts a super long time, like 6 months, consider rolling your own session table rather than letting PHP create session text files all over your server. They can accumulate rather quickly.
>
> Brian Dunning
> http://www.briandunning.com/