php - Security when using Cookies to Remember Me - Stack Overflow

I have implemented a login class in PHP, and want to create a remember me type functionality so users won't have to login with each visit. I have researched this a bit and was preparing to write it using PHP setcookie(...) but then ran across this page: How to Create 'Remember Me' using jQuery, store cookies. I was planning on writing this in PHP since it's my strength, but this page makes it look so easy in JS: http://www.quirksmode/js/cookies.html

I am looking for a little guidance on gotchas for each method, and more specifically issues related to security. I just want to make sure I don't complicate the task or open any holes by providing this type of functionality.

Thanks, Kris

asked Jun 26, 2011 at 14:43 by Kristofer; edited May 23, 2017 at 12:04 by CommunityBot
  • Is this a “How can I set a cookie?” question or a “How can I implement a remember me functionality?” question? – Gumbo Commented Jun 26, 2011 at 14:46

3 Answers

OpenID, Facebook Connect, Twitter sign-in

I would advise you not to write your own login system (read below for cookie remember-me information), because coding a secure system is difficult (storing passwords securely is HARD). It also saves you a bunch of coding. For example, when you sign in at my OpenID example using Google you can tell Google to remember you for 30 days. The code used for my example can be found at my GitHub page.

Http_only

You should use http-only cookies to protect yourself against cookie stealing (try not to use cookies from JavaScript). The PHP function setcookie also has an http-only flag. For sessions you could achieve this using something like:

<?php
// Mark the PHP session cookie HttpOnly via the ini setting ...
ini_set("session.cookie_httponly", 1);
// ... or via the cookie parameters, before session_start():
// session_set_cookie_params(lifetime, path, domain, secure, httponly)
session_set_cookie_params(0, NULL, NULL, NULL, TRUE);
?>

Do not Store data inside cookie

Also, you should store as little information as possible inside the cookies. Get the data from the database (session). I think you can easily accomplish remember-me cookies by setting the expiry of your sessions as high as you like, but not too high if you ask me.

Interesting read

This is also a pretty interesting read to improve session security: http://web.archive/web/20120417214604/http://segfaultlabs./files/pdf/php-session-security.pdf

It doesn't make much sense to create an identification token on the server, send it to the client and set it there using JavaScript compared to setting it at server-side in the first place.

More importantly, using JavaScript makes it compatible with fewer clients, less robust, and less secure (as you cannot use HttpOnly cookies).

The main problem is that when your site is used through an unencrypted channel (regular HTTP, open WiFi network), anyone can get possession of that cookie and gain the ability to log in on behalf of your user.

There are few protection methods:

  • encoding browser/workstation-specific data in that cookie,
  • using HTTPS for everything,
  • using other storage (not cookies) - it is less possible that a script kiddie with Firesheep will try to capture localStorage data.

Also, as Gumbo mentioned (his comment is now gone and I have no idea why), this applies to any session-based authentication. So, your PHP session has the same vulnerability (as it is still somehow cookie-based).
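Pulling the advice of the first answer (HttpOnly cookie, keep data out of the cookie) and the third (a cookie captured on plain HTTP is a login) together, here is an added PHP example of a remember-me token. It is not code from any of the answers or from the repositories they link; it assumes PHP 7.3 or later for the array form of setcookie(), a cookie named remember_me, a 30-day lifetime, and an in-memory array standing in for the database table that would normally hold the tokens.

```php
<?php
// Added example: a remember-me cookie that carries only an opaque random
// token (nothing about the user), stored hashed on the server, and sent
// with the Secure and HttpOnly flags. The $tokens array stands in for a
// database table (assumption made so the example runs on its own).

declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';       // cookie name (assumed)
const REMEMBER_LIFETIME = 30 * 24 * 60 * 60;    // 30 days, in seconds

/** Stand-in for a `remember_tokens` table: selector => row. */
$tokens = [];

/**
 * Issue a remember-me token for $userId and send it as a cookie.
 * The cookie holds "selector:validator"; only a hash of the validator is
 * persisted, so a leaked table does not yield usable cookies.
 */
function issue_remember_token(array &$tokens, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, the lookup key
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, the secret

    $tokens[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_LIFETIME,
    ];

    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP (open WiFi case)
        'httponly' => true,   // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
    return $value;
}

/**
 * Validate a presented cookie value. Returns the user id on success, null
 * otherwise. A valid token is single-use: it is deleted and a fresh one is
 * issued, so a stolen copy stops working as soon as either side uses it.
 */
function check_remember_token(array &$tokens, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2
        || !preg_match('/^[0-9a-f]{18}$/', $parts[0])
        || !preg_match('/^[0-9a-f]{64}$/', $parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;

    $row = $tokens[$selector] ?? null;
    if ($row === null || $row['expires'] < $now) {
        unset($tokens[$selector]);           // expired rows are garbage
        return null;
    }

    // Constant-time comparison of hashes, never of the raw secret.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator: someone holds a copy of
        // this cookie. Revoke it rather than leave it for a second try.
        unset($tokens[$selector]);
        return null;
    }

    unset($tokens[$selector]);                               // single use
    issue_remember_token($tokens, $row['user_id'], $now);    // rotate
    // In a real login flow, call session_regenerate_id(true) here before
    // writing the user id into $_SESSION.
    return $row['user_id'];
}

// Demo run on constructed input: issue a token, then present it twice.
// All cookie work happens before any output so the headers can still be set.
$now    = time();
$cookie = issue_remember_token($tokens, 42, $now);
$first  = check_remember_token($tokens, $cookie, $now);   // 42
$second = check_remember_token($tokens, $cookie, $now);   // null, already rotated
$forged = check_remember_token($tokens, substr($cookie, 0, 19) . str_repeat('0', 64), $now); // null

var_dump($first, $second, $forged);
```

The selector/validator split is what lets the server look the row up by an indexed column without comparing the secret itself in SQL; hashing the validator means a dumped table is not a set of logins; rotation on every use turns the stolen-cookie scenario from the third answer into a one-shot that also revokes itself when the legitimate browser comes back with the now-stale value. The Secure flag covers the plain-HTTP capture, HttpOnly covers the script-read case, and the cookie still holds nothing but random bytes, which is the first answer's "do not store data inside the cookie" rule.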
