Auto Login in / remember me function
#1

Hi,

If I have a login page which also has a remember me checkbox, what would be best practice to save the user data in a secure way which will auto login/remember the user the next time he visits the site?

It could be done either by session cookies or by custom cookies. With a session I can have a boolean data value named is_logged_in and if it's true it will automatically log in. Also, if the user checks remember me, the session time will be extended, as mentioned in this post:
http://stackoverflow.com/questions/14550...me-feature

Or I can do it with cookies, as mentioned in this post:
https://ellislab.com/forums/viewthread/113781/

So I wanted to ask what you guys think. Which approach for auto login/remember me would be best practice and secure?

Thank you.
#2

I would prefer the first method mentioned in the post. Nothing insecure about it, and personally I would have used it.
#3

(This post was last modified: 01-25-2015, 02:00 PM by ivantcholakov. Edit Reason: A typo )

I've seen readings on the Internet that reject "Remember Me" as an anti-pattern; I don't remember where, you may search. For an administration panel I would not use "Remember Me" for sure. If you intend to use "Remember Me" on the front-end, make sure somehow that the front-end and the back-end use sessions with different names.

I saw this library first: https://github.com/jenssegers/codeignite...on-library and this article: http://jenssegers.be/blog/12/codeigniter...ibrary-1-3

Some readings are mentioned there:

http://fishbowl.pastiche.org/2004/01/19/..._practice/
http://jaspan.com/improved_persistent_lo...t_practice

And in the end I came to my implementation of the "Remember Me" feature; maybe I am not pointing at all the necessary files:

https://github.com/ivantcholakov/starter...ologin.php
https://github.com/ivantcholakov/starter...t_user.php

The authentication model (or library, if it is implemented so) should track how a user has logged in. In case of autologin, before making some critical operations (password change, account deletion, payment, etc.) the user should be forced to log in truly.

It is funny what amount of work just one additional check-box within the login form creates.

Off topic: I have had no occasion yet, but I think such an enforcement of true login before critical operations is good to apply in cases of external authentication, through Facebook, OpenID, etc.
#4

(This post was last modified: 01-26-2015, 02:51 AM by stopz.)

I would save a cookie like
Code:
remember = 'HyWE32' //expires next week

And then have mysql table with
Code:
remember_id[VARCHAR(6)], user_id[INT], expires[DATETIME]

And on visit I would see if the cookie remember exists in the db; if it does, then extend the cookie and mysql row by 1 week, else delete the cookie and leave the user not logged in.

To make it more secure you might add the IP to your mysql db table and check whether the cookie was stolen before allowing access, but this may cause issues with the dynamic IPs of your visitors.

// Don't blame me for the simplicity, it's just one way to do this >)
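The cookie-plus-table scheme from this post, combined with the "track how the user logged in" point from post #3, as an added worked example (not code from either poster, and not CodeIgniter code). It follows the selector/validator split from the Jaspan article linked above: the cookie carries a random selector plus a random validator, the table stores only a hash of the validator, and every successful visit rotates the pair and extends the expiry by one week. A Python dict stands in for the MySQL table; the row layout, the `:`-separated cookie format, and the `login_method` session flag are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Constructed stand-in for the mysql table from the post:
# selector -> {"user_id": int, "validator_hash": str, "expires": datetime}
REMEMBER_TABLE: dict = {}

LIFETIME = timedelta(days=7)  # "expires next week"


def _hash_validator(validator: str) -> str:
    # Only the hash is stored, so a leaked table cannot be replayed as cookies.
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_cookie(user_id: int, now: datetime) -> str:
    """Create a new remember row and return the cookie value 'selector:validator'."""
    selector = secrets.token_urlsafe(9)      # random lookup key (the post's remember_id)
    validator = secrets.token_urlsafe(32)    # random secret, never stored in clear
    REMEMBER_TABLE[selector] = {
        "user_id": user_id,
        "validator_hash": _hash_validator(validator),
        "expires": now + LIFETIME,
    }
    return f"{selector}:{validator}"


def check_remember_cookie(cookie: Optional[str], now: datetime) -> Optional[Tuple[int, str]]:
    """On a visit: return (user_id, rotated_cookie) or None if the cookie is invalid.

    An expired or unknown cookie is simply dropped. A known selector with a wrong
    validator means the cookie was tampered with or guessed, so the row is revoked.
    """
    if not cookie or ":" not in cookie:
        return None
    selector, validator = cookie.split(":", 1)
    row = REMEMBER_TABLE.get(selector)
    if row is None:
        return None
    if now >= row["expires"]:
        del REMEMBER_TABLE[selector]  # expired: clean up, stay logged out
        return None
    if not hmac.compare_digest(row["validator_hash"], _hash_validator(validator)):
        del REMEMBER_TABLE[selector]  # bad validator for a real selector: revoke
        return None
    user_id = row["user_id"]
    del REMEMBER_TABLE[selector]      # rotate: old cookie is single-use
    return user_id, issue_remember_cookie(user_id, now)  # new row, expiry extended by a week


def revoke_remember_cookie(cookie: Optional[str]) -> None:
    """Logout path: delete the row so the cookie can never be reused."""
    if cookie and ":" in cookie:
        REMEMBER_TABLE.pop(cookie.split(":", 1)[0], None)


# Post #3's point: the session records how the user got in, and critical
# operations require a real password login, not an autologin.
def session_from_autologin(user_id: int) -> dict:
    return {"user_id": user_id, "login_method": "autologin"}


def session_from_password(user_id: int) -> dict:
    return {"user_id": user_id, "login_method": "password"}


def may_perform_critical_action(session: dict) -> bool:
    """Password change, account deletion, payment, etc. need a true login."""
    return session.get("login_method") == "password"


if __name__ == "__main__":
    now = datetime(2015, 1, 26, 12, 0)
    cookie = issue_remember_cookie(42, now)
    result = check_remember_cookie(cookie, now + timedelta(days=1))
    print("autologin user:", result[0] if result else None)
    print("critical action allowed after autologin:",
          may_perform_critical_action(session_from_autologin(42)))
```

Because the validator is hashed at rest and rotated on each use, a stolen cookie is only good until the legitimate browser next visits, at which point the thief's copy fails the validator check and the row is revoked. This is the defence the post reaches for with the IP check, without the dynamic-IP problem it mentions.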