I want to implement a "remember me" feature on a website I am currently working on, so that when a user closes the browser and opens it again, he will still be logged in as the same user.
What I currently have is a login page that creates a session when the user logs in. What I want to do is to create a cookie that saves information about the user that allows me to identify him.
Now there are a few things that I need your help with:
I don't want to save any sensitive information in the cookie, such as passwords or even a username. What I thought of saving is the session ID created when he first logged in, and saving it in a table in a MySQL database. Is that a good idea, or is there something better that I can save in the cookie?
After I implement the "remember me" feature, will I still need to use sessions? What I mean is that the website has the option to be used without a user, so of course on every page of the website I will have to check if the user has a cookie stored. If he does I will automatically log him in, but should I do it using a session? Isn't it duplication that I use both cookies and a session for the same purpose, and of course do it for every single page of the website?
By the way I am developing the website using PHP.
It doesn't really matter. Only I would refrain from reusing this value as a session id again.
Yes, you will still need sessions, unless your site is extremely simple.
You can store the md5 of the cookie in the database... but just remember: if a user has multiple devices, you get a cookie for each device.
If you don't clean your table once in a while it's going to contain lots of data!
My question is how I make a safe cookie? On my site users log in and the engine creates a cookie "userid" whose value is the username. But the problem is that any user can make the same cookie and get whatever account he wants. And the reason why I use a cookie is the time: I want to create a cookie that is active for 15 minutes, and if the user uses "remember me" at login the cookie is active for 1 month.
Here is the code that I paste into the JavaScript console to create the same cookie the engine creates:
document.cookie="userid=what username i want to use";
So how do I solve this problem? What is the safest and best way to do this cookie / session?
Thanks for the help!
User login is usually handled with PHP sessions because it's server-sided and no user can change the data on the server. Your question really is how to identify a user that came back to the website.
By default, if you start a session with PHP a cookie is generated called PHP_SID with a unique hash which is practically un-guessable by manually changing it. The chance of duplication is so low that it's unique per user.
If you wish to improve on that security you can check the user's browser user agent to see if it matches the previous visit to your website.
Now that you have a specific user ID your session data will automatically load up and you have your user data available in PHP to be printed out on your website.
Is it possible to set a cookie with the session that has been created and with the session ID, and then retrieve the session from the cookie the next time you visit the page? I am trying to make a remember me button on my login page and wondered if this could be done this way.
Do not try to prolong a PHP session in order to build a "Remember Me" feature. It's much better to re-initialize the session.
The most common scenario is this:
When a user comes to a website with the "Remember Me" checkbox checked, the website generates a unique code (a pretty long random string) and stores it in a cookie and in a server-side database.
When the user closes the browser the session closes, but the cookie stays.
The next time the user comes, the server will see the cookie, find it in the database and authenticate him based on the code instead of the user/password pair.
This would be a good starting point, but in addition several enhancements are possible:
You could save a username in the cookie along with the unique code. It's safer and faster to authenticate using this pair.
You could save a user's IP in the database, so that authenticating data will work from this IP only.
Instead of generating the unique code and saving it to the database, you could build the code on the fly as a hash based on the user's password plus a salt. This saves your database from write operations.
Based on security/speed requirements there could be variations of this scenario, but the base stays the same: mark a user using a cookie, re-authenticate him once he comes back.
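The base scenario from this answer in PHP, added here as an example (it is not code from any of the posts): a random code goes in the cookie, only its hash is kept in the database, and a matching cookie re-initializes the session. It assumes session_start() has already run, that $db is a PDO connection, and a hypothetical remember_tokens(selector, token_hash, user_id, expires_at) table.

```php
<?php
// Added example, not code from any of the posts: "remember me" with a random
// code in the cookie and only its hash in the database. Assumes session_start()
// has run, $db is a PDO connection, and a hypothetical table
// remember_tokens(selector, token_hash, user_id, expires_at) exists.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days

// Call after a successful password login when the checkbox was ticked.
function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));  // lookup key, stored in clear
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = time() + REMEMBER_TTL;
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
}

// Call on a request that has no logged-in session yet. Returns the user id,
// or null when the cookie is missing, malformed, expired or does not match.
function userIdFromRememberCookie(PDO $db): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id FROM remember_tokens
                          WHERE selector = ? AND expires_at > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    session_regenerate_id(true);               // fresh session for the user
    $_SESSION['logged_in_user'] = (int) $row['user_id'];
    return (int) $row['user_id'];
}
```

Because the database holds only the SHA-256 of the validator, a leaked table does not yield usable cookies, and hash_equals avoids leaking the comparison through timing.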
I am using PHP and Codeigniter to do this. Currently I am just saving a cookie to the user with their username and a $logged_in variable set to true. Then when they try to access a page, I check for the status of their $logged_in, and if they are, they're free to access.
It occurs to me that this may not be the safest way to go about this. Is there a better tactic I should be using?
It's not safe at all. A cookie is considered user input and it can't be trusted in any case.
Use sessions instead.
Also you could use some sort of custom login encrypted code (I'd personally suggest SHA1) that is matched against the login code in the database and is refreshed every, let's say, 5 minutes.
CodeIgniter offers a nice solution to this problem: you can use Database Sessions.
With Database Sessions, all the data you put in a session is stored within your SQL database. The user gets a cookie with a unique session ID that changes on a regular basis. The session ID along with IP and User Agent is used to match up the user with their session data, thus making it impossible for users to tamper with their own session data, and very hard for them to hijack someone else's session.
You can read more about CodeIgniter Database Sessions in the CodeIgniter User Guide.
I am trying to understand security when it comes to session cookies in php. I've been reading a lot about it, but I still lack the specifics. I need the basics, someone to show examples.
For example: Do I place session_regenerate_id() before every session cookie? What more shall I think about. I am asking about specifics in code - examples if possible.
Thank you very much.
I am using 4 session cookies after logging in.
SESSION "site_logged_in" = true
SESSION "site_user_nr" = the number of the user to access user_table_nr
SESSION "site_user_id" = the user's id to use when changing data in tables
SESSION "site_user_name" = the name of the user to display on page
When I check if the user has access, I check if all 4 cookies are set, and if site_logged_in is set to true.
Are there better ways? Do I have the completely wrong idea about this? Can users easily be hacked?
In fact you need to have only one session on your website. When you call session_start(), a session is created on the server and the user automatically gets a session cookie. Think of the session as a sort of container placed on the server; you can put whatever you want in that container. The session cookie is just a key to access that container on the server.
It means that you can safely put some data in $_SESSION and only the user that has the cookie with the matching session id can read it.
About users being hacked: yes, they can be hacked as long as you don't use an HTTPS connection, because cookies and all other data are transferred in clear text, so if someone intercepts a user's cookie he can access the data stored in the session.
Always use a security token for logging users. This security token could be generated by using crypt(). After logging users in, change the security token periodically until they log out. Also keep the server backup of all the session variables including the security token (in a database). This would also help you to track user login history.
One more personal suggestion: Never use any data from the database as session variables without encrypting it with any of the hashing functions or functions like crypt().
The session information is stored server-side. What you should check is that they're logged in, and that they exist/can log in (in case of deletions/bans).
As you're checking they exist/can log in, you can pull the other information from the database such as name, nr and so on. All you really need is a key called 'logged_in_user' or something that stores the ID of the logged in user. As Alex Amiryan said, the cookie can be copied, so you might also want to store the IP address of the last accessing view in the session, so you can try to ensure security.
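A PHP example of what the two answers above describe, added here and not taken from any post: one session key holding the logged-in user's id, session_regenerate_id() called once at login rather than on every page, and the user's existence re-checked against the database on each request. It assumes $db is a PDO connection and a hypothetical users(id, name, email, password_hash, banned) table.

```php
<?php
// Added example, not code from any of the answers: one session key holding the
// user id, with the id regenerated at login rather than on every page. Assumes
// $db is a PDO connection and a hypothetical users(id, name, email, password_hash, banned) table.

function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // ends when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only, so the id is never sent in clear text
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Verify the password, then give the user a fresh session id so a session id
// fixed before login cannot be reused. Returns the user id or null.
function loginUser(PDO $db, string $email, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ? AND banned = 0');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['logged_in_user'] = (int) $row['id'];
    return (int) $row['id'];
}

// Returns the user's row if the session belongs to a user who may still log in;
// name and other details come from the database, not from extra session keys.
function currentUser(PDO $db): ?array
{
    if (!isset($_SESSION['logged_in_user'])) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = ? AND banned = 0');
    $stmt->execute([$_SESSION['logged_in_user']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {       // deleted or banned since login
        $_SESSION = [];
        session_destroy();
        return null;
    }
    return $row;
}
```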
I have a really, really poor understanding around security and safety when building websites - what I want to do is store the information the user enters to log in into a cookie so that I can do two things:
Check the cookie from flash (via a php file) to grab information about a logged in user (if at all). This will be used for highscore APIs, etc.
Automatically log in a user when they come back to my site.
The site itself doesn't really have any important information etc, so I mean it doesn't have to be the most secure thing on earth (or even close). But I'd like it to not be tampered with if possible.
From my understanding, storing user information in a cookie can be bad because the user can just alter the cookie and be logged in as someone else.
I was thinking; is it reasonably safe to do something like this?:
When the user logs in, store an MD5'd version of their email address (used to log in). This way at least it's extremely unlikely that they will be able to modify the information to reflect another user in the database.
Because someone could just MD5 an email address that they know someone else uses for the site and change their cookie to reflect that, should I maybe store their MD5'd password alongside it and then use these to attempt a login at every page? Only thing is that this seems like it would be slow/non-strategic because it's needing to basically re-login with the information in the cookie every page.
This approach probably seems really strange, but would it work fine? The main requirement I have is that if the user is logged into my site, playing my flash games anywhere on the internet will automatically pick up that they're logged in and work with their information.
Use PHP sessions.
PHP stores the session id in a cookie on the browser, and everything else in the session is stored on the server. Your flash script should be able to get the session id from that cookie, and maybe you can write a PHP file that will return the information that the flash file needs when the flash file passes in the session id?
Because session ids are more or less random, it is difficult for the user to change their session cookie and accidentally access the login of another user.