Example of Remember Me Function?
#4

[eluser]WanWizard[/eluser]
Note that whatever you do with the content of the cookie, it is a security risk.
If I can obtain this cookie, I can use it to craft my own cookie and use it as a login credential to gain access to your account.

If you want this feature, it is a lot easier and safer to extend the lifespan of the session cookie, and just use the regular way of authenticating page requests, via the session_id and the user data that is stored server side in the session table. To log in and out, do not destroy the session, but simply delete the user information from the session when the user logs out.

BTW, this is more secure because by default the session library validates user agent and IP as well, and rotates the session_id every 300 seconds. This means that the session hijacking window is limited to PCs that share the same user agent and IP, and it has to be done within 300 seconds max. There is no user data stored in the cookie (encrypted or not).
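
A framework-agnostic model of the approach described in the post above, as an added example that is not part of the original post and not CodeIgniter's own session library: the cookie carries only an opaque session_id, the user data lives server side, the id is bound to IP and user agent and rotated after 300 seconds, and logout clears the user data while keeping the session row. The in-memory store, the fake clock, the `uid=` format of the naive remember-me cookie, and the sample IPs and user agents are all constructed for the demonstration.

```python
"""Server-side session model (added example, not CodeIgniter code).
Field names, the in-memory table, the controllable clock and the
naive 'uid=' cookie format are assumptions made for this demonstration."""
import secrets

ROTATE_AFTER = 300  # seconds between session_id rotations, as in the post


def naive_remember_me_user(cookie_value):
    """The pattern the post warns against: the cookie itself is the credential.
    Anyone who knows the format can mint one for any user (constructed format)."""
    key, _, value = cookie_value.partition("=")
    return int(value) if key == "uid" else None


class SessionStore:
    """In-memory stand-in for a server-side session table."""

    def __init__(self, clock):
        self._clock = clock   # callable returning the current time in seconds
        self._rows = {}       # session_id -> row; nothing about the user is in the cookie

    def start(self, ip, user_agent):
        sid = secrets.token_hex(16)   # 128-bit random id, not derived from user data
        now = self._clock()
        self._rows[sid] = {"ip": ip, "user_agent": user_agent,
                           "rotated_at": now, "last_activity": now, "user": None}
        return sid

    def _resolve(self, sid, ip, user_agent):
        """Validate a presented session_id; return (current_id, row) or (None, None).
        A stolen id presented from another IP or user agent is rejected, and an id
        older than ROTATE_AFTER is replaced so copies of the old id stop working."""
        row = self._rows.get(sid)
        if row is None or row["ip"] != ip or row["user_agent"] != user_agent:
            return None, None
        now = self._clock()
        if now - row["rotated_at"] >= ROTATE_AFTER:
            del self._rows[sid]
            sid = secrets.token_hex(16)
            row["rotated_at"] = now
            self._rows[sid] = row
        row["last_activity"] = now
        return sid, row

    def login(self, sid, ip, user_agent, user_id):
        sid, row = self._resolve(sid, ip, user_agent)
        if row is not None:
            row["user"] = {"id": user_id}   # user data stays server side
        return sid

    def current_user(self, sid, ip, user_agent):
        """Return (possibly rotated session_id, user dict or None)."""
        sid, row = self._resolve(sid, ip, user_agent)
        return sid, (row["user"] if row is not None else None)

    def logout(self, sid, ip, user_agent):
        """Drop the user data only; the session row itself survives."""
        sid, row = self._resolve(sid, ip, user_agent)
        if row is not None:
            row["user"] = None
        return sid

    def exists(self, sid):
        return sid in self._rows


class FakeClock:
    def __init__(self, t=1_000_000.0):
        self.t = t
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


def run_scenario():
    """Login, hijack attempt, rotation and logout; returns the observed outcomes."""
    clock = FakeClock()
    store = SessionStore(clock)
    victim = ("203.0.113.10", "Mozilla/5.0 (constructed)")    # sample client
    attacker = ("198.51.100.7", "Mozilla/5.0 (constructed)")  # same UA, other IP

    sid = store.start(*victim)
    sid = store.login(sid, *victim, user_id=42)
    _, user_ok = store.current_user(sid, *victim)
    # Stolen cookie: the id is real, but the IP check fails, so no user data.
    _, user_hijack = store.current_user(sid, *attacker)
    # After 300 s the id rotates; the previous value no longer resolves.
    clock.advance(ROTATE_AFTER + 1)
    new_sid, user_after_rotate = store.current_user(sid, *victim)
    _, user_old_id = store.current_user(sid, *victim)
    # Logout keeps the session row but removes the user information.
    new_sid = store.logout(new_sid, *victim)
    _, user_after_logout = store.current_user(new_sid, *victim)

    return {"user_ok": user_ok["id"], "user_hijack": user_hijack,
            "rotated": new_sid != sid, "user_after_rotate": user_after_rotate["id"],
            "user_old_id": user_old_id,
            "session_survives_logout": store.exists(new_sid),
            "user_after_logout": user_after_logout,
            "forged_remember_me": naive_remember_me_user("uid=1")}
```

`run_scenario()` shows the two halves of the argument: the naive cookie is accepted for whatever user id the attacker writes into it, while the server-side session yields no user data to a stolen session_id from another IP, invalidates the old id after rotation, and still resolves after logout (with no user attached) because only the user data was removed.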


Messages In This Thread
Example of Remember Me Function? - by El Forum - 07-19-2010, 09:50 AM
Example of Remember Me Function? - by El Forum - 07-19-2010, 10:14 AM
Example of Remember Me Function? - by El Forum - 07-19-2010, 10:24 AM
Example of Remember Me Function? - by El Forum - 07-19-2010, 10:28 AM
Example of Remember Me Function? - by El Forum - 08-04-2010, 11:01 PM
Example of Remember Me Function? - by El Forum - 08-05-2010, 12:36 AM