Secure remember me function?
#8

a&w
This thread is a little old but I'll post anyway.

Chris Shiflett has a book "Essential PHP Security" where he gives suggestions on how to persist logins, if you must. The rough throws of it is:

that you store 3 more fields in your user database: identifier, token, and timeout.

the identifier is an encrypted hash of the username and salt:
Code:
$identifier = md5( $salt . md5 ($username . $salt) );

the token
Code:
$token = md5( uniqid(rand(), true) );

store the cookie with a value of $identifier:$token

The timeout stored in database should not exceed 7 days.

Every time the user logs in, regenerate the token/identifier in the database and cookie so that particular cookie can only be used the one time.
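
The scheme described in the post above, as an added example that is not part of the original post or taken from the book it cites. The function names, the in-memory user array and the salt are hypothetical; the example swaps `md5(uniqid(rand(), true))` for `random_bytes()`, keeps only a SHA-256 hash of the token in the stored row, and compares values with `hash_equals()`.

```php
<?php
// Added example: an in-memory array stands in for the users table (constructed data).
const REMEMBER_MAX_AGE = 7 * 24 * 3600; // the post's 7-day ceiling

function issue_remember_cookie(array &$user, string $salt, int $now): string
{
    // Identifier as in the post: hash of username and salt.
    $user['identifier'] = md5($salt . md5($user['username'] . $salt));
    // Example's choice: CSPRNG token instead of md5(uniqid(rand(), true)).
    $token = bin2hex(random_bytes(32));
    // Example's choice: keep only a hash of the token in the database row.
    $user['token'] = hash('sha256', $token);
    $user['timeout'] = $now + REMEMBER_MAX_AGE;
    return $user['identifier'] . ':' . $token;
}

function check_remember_cookie(array &$users, string $cookie, string $salt, int $now): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null; // malformed cookie
    }
    [$identifier, $token] = $parts;
    foreach ($users as &$user) {
        if (!hash_equals((string) $user['identifier'], $identifier)) {
            continue;
        }
        $ok = $user['token'] !== null
            && $now < $user['timeout']
            && hash_equals($user['token'], hash('sha256', $token));
        // One-time use: a valid cookie is exchanged for a fresh one.
        return $ok ? issue_remember_cookie($user, $salt, $now) : null;
    }
    return null; // unknown identifier
}

// Constructed walk-through with a hypothetical user and salt.
$salt = 'constructed-salt';
$users = [['username' => 'alice', 'identifier' => null, 'token' => null, 'timeout' => 0]];
$now = time();
$first = issue_remember_cookie($users[0], $salt, $now);
$second = check_remember_cookie($users, $first, $salt, $now);  // first use of the cookie
$replay = check_remember_cookie($users, $first, $salt, $now);  // same cookie presented again
$late = check_remember_cookie($users, $second, $salt, $now + REMEMBER_MAX_AGE + 1); // past timeout
var_dump($second !== null, $replay, $late);
```

The value returned by `check_remember_cookie()` is what would be written back to the browser as the new cookie; a `null` return means the normal login form is shown.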

