Remember Me (not literally)

#1 Contributing User (oo7ml)

    Hi,

I have built a custom-built site in CodeIgniter.

I have added a Remember Me check box to my sign-in form.

I want the browser to remember the user's details and keep them logged in for 1 week if they select that option.

I understand that using cookies can cause some security threats.

Can anyone offer any advice on how I should go about setting this up? Thanks in advance for your help...

#2 Sarcky

    We discussed this here and here. The first link has a complete implementation described.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.

#3 Contributing User (oo7ml)

Excellent, great write-up in the first link... quick question: how long should you set it to remember the user for?

#4 Jacques1

    Hi,

    maybe I'm missing something, but this complicated approach in the first link makes absolutely no sense to me. Why not just overwrite the default session cookie and change the expire date?

Actually, that home-made hash is less secure than the usual session IDs, because it's not random. It's possible to derive the ID from known data. And even if you don't know all the data, you can still reduce the number of possibilities. A random number, on the other hand, cannot be derived at all (if it was generated in a cryptographically secure way). You'd actually have to try out all possible hashes.

    So I'd strongly suggest not using this approach and simply tweaking the standard session cookie.
    Last edited by Jacques1; January 8th, 2013 at 11:49 AM.

#5 Sarcky

    Originally Posted by oo7ml
    Excellent, great write up in the first link... quick question: how long should you set it to remember the user for.
    That's up to you. Many sites use 2 weeks, but some refresh it every time you log in (like devshed).

    This approach also prevents the session/login from being destroyed when your filesystem sessions are cleaned up. If you simply extended the session forever, you also have to override the session garbage collection function (which requires access to your hard drive and your PHP install, which you may not have). By performing an actual auto-login based on the cookie and sourced from the database, you're allowing PHP to continue managing your actual "sessions" normally, as that's what they're for. Sessions are supposed to die at the end of the browsing session, not be extended for months. Plus, the auto-login solution keeps session size down since only the active members have sessions, not everyone.

    Though to be fair, I have three devshed session cookies and one of them expires in mid May. Devshed also stores hashed usernames and passwords in the cookies though, so don't use them as a design journal.

#6 Jacques1

    PHP has built-in methods to change the lifetime of both the session files and cookies, so no reason not to use them.

    In any case, the cookie approach is not secure for the already mentioned reasons. It completely relies on "security by obscurity". Even worse, the data itself isn't what most people consider secret, so a good social engineer might get the user to simply tell him the browser, the IP etc.

    For proper IDs, you have no other choice than to use a cryptographically secure random generator.

    Another problem of the "cookie session" is that it requires the IP to not change during session lifetime. This makes the whole approach very fragile, because the user's provider might automatically change the IP (like every 24 hours), or the user himself disconnects or uses different proxies or something like Tor.

    So this is hardly a good solution. If you don't like extending the standard session cookie lifetime, you'll have to implement your own session management on the server -- which isn't all that difficult. Simply store the sessions in your database and implement a garbage collector to delete them after a certain time.
    Last edited by Jacques1; January 8th, 2013 at 02:20 PM.
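The two designs argued over in posts #4 and #6 side by side, as an added example that is not code from this thread, from CodeIgniter or from the linked write-up. It is written in Python rather than PHP so that it runs stand-alone; the table name, the `selector:validator` cookie layout and the `derived_token` scheme are assumptions made for illustration. The first part reconstructs the kind of "hash of known data" scheme Jacques1 objects to and shows how few guesses an attacker needs once the user name and browser are known; the second part is the server-side alternative he describes: a token from a cryptographically secure random generator, stored in the database with an expiry, and a garbage collector for stale rows. The stored half of the token is hashed so that a leaked table cannot be replayed as cookies, and a used token is rotated so a stolen copy stops working.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# ---------------------------------------------------------------------------
# 1. What the thread warns against: a remember-me value derived from data an
#    attacker can observe or guess. Hypothetical scheme, not the linked one.
# ---------------------------------------------------------------------------

def derived_token(username, user_agent, ip):
    """Deterministic hash of known data. Nothing in it is secret or random,
    so anyone who knows (or can enumerate) the inputs recomputes the token."""
    material = f"{username}|{user_agent}|{ip}".encode()
    return hashlib.sha256(material).hexdigest()


def recover_ip_from_token(observed, username, user_agent, net24="203.0.113."):
    """Attacker who knows the user name and browser string and only the /24
    the victim connects from: at most 256 guesses reproduce a valid cookie."""
    for host in range(256):
        ip = f"{net24}{host}"
        if hmac.compare_digest(derived_token(username, user_agent, ip), observed):
            return ip
    return None

# ---------------------------------------------------------------------------
# 2. The alternative: a CSPRNG token, stored server-side with an expiry,
#    looked up from the cookie, and garbage-collected when stale.
# ---------------------------------------------------------------------------

REMEMBER_SECONDS = 7 * 24 * 3600   # the one week the original poster asked for


def open_store():
    """In-memory table standing in for the site's real database (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE remember_tokens ("
        " selector TEXT PRIMARY KEY,"      # random, used only to find the row
        " validator_hash BLOB NOT NULL,"   # sha256 of the random secret half
        " user_id INTEGER NOT NULL,"
        " expires INTEGER NOT NULL)"
    )
    return db


def issue_token(db, user_id, now=None):
    """Insert a new row and return the cookie value to set (send it with the
    Secure and HttpOnly flags). Only a hash of the validator is stored."""
    now = int(time.time()) if now is None else now
    selector = secrets.token_urlsafe(12)     # 96 random bits
    validator = secrets.token_urlsafe(32)    # 256 random bits, the real secret
    db.execute(
        "INSERT INTO remember_tokens VALUES (?, ?, ?, ?)",
        (selector, hashlib.sha256(validator.encode()).digest(), user_id,
         now + REMEMBER_SECONDS),
    )
    db.commit()
    return f"{selector}:{validator}"


def consume_token(db, cookie, now=None):
    """Auto-login from the cookie. Returns (user_id, fresh_cookie) on success,
    None otherwise. The used row is deleted and a new token issued, so a
    stolen copy replayed later fails."""
    now = int(time.time()) if now is None else now
    selector, sep, validator = cookie.partition(":")
    if not sep:
        return None
    row = db.execute(
        "SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?",
        (selector,),
    ).fetchone()
    if row is None:
        return None
    stored_hash, user_id, expires = row
    presented = hashlib.sha256(validator.encode()).digest()
    if now >= expires or not hmac.compare_digest(stored_hash, presented):
        return None
    db.execute("DELETE FROM remember_tokens WHERE selector = ?", (selector,))
    return user_id, issue_token(db, user_id, now)


def revoke_user(db, user_id):
    """Log the user out everywhere (password change, 'log out all devices')."""
    cur = db.execute("DELETE FROM remember_tokens WHERE user_id = ?", (user_id,))
    db.commit()
    return cur.rowcount


def garbage_collect(db, now=None):
    """The server-side garbage collector: drop rows whose expiry has passed."""
    now = int(time.time()) if now is None else now
    cur = db.execute("DELETE FROM remember_tokens WHERE expires <= ?", (now,))
    db.commit()
    return cur.rowcount
```

The selector exists so the database lookup is by an exact random key rather than by the secret itself, and `hmac.compare_digest` keeps the validator check constant-time. Because the token is never tied to the client's IP, a provider rotating addresses or a user on Tor keeps working, which addresses the fragility Jacques1 raises; per-device revocation and "log out everywhere" fall out of the table for free.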

#7 Contributing User (portcitysoftwar)

Originally Posted by Jacques1 (post #6, quoted in full)

There was also an IP check on Dan's method.

However, I usually throw a random number in with my hashing as well.

I don't like extending sessions just because I use sessions for much more than just login data and sometimes don't want that data to follow the next time the user logs in.

#8 Jacques1

    Originally Posted by portcitysoftwar
    There was also an IP check on dan's method.
    IP based authentication doesn't work on the Internet, as I already said. IP addresses can be shared and changed at any time.

    I mean, why do you think all websites put so much effort into generating session IDs and sending session cookies instead of simply using the IP address?



    Originally Posted by portcitysoftwar
    However i usually throw a random number in with my hashing as well.
    If it's a good random number (cryptographically secure, long enough and not constant), you might as well only use that and leave out all the other stuff -- which is exactly what I suggested and what standard PHP sessions do.
