Best approach to store Remember Me data
I'm using the Paragon Initiative approach for this: Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)

Only a selector and token are saved, not a userid. That's only available in the database. The automatic login algorithm looks something like:

1. Separate selector from validator.
2. Grab the row in auth_tokens for the given selector. If none is found, abort.
3. Hash the validator provided by the user's cookie with SHA-256.
4. Compare the SHA-256 hash we generated with the hash stored in the database, using hash_equals().
5. If step 4 passes, associate the current session with the appropriate user ID.

Q1. Re-use the selector and only update the token. Or both if you want. You will get the ID if step 4 matches.

Q2. Not possible, if you are using the right functions.
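The five steps above, plus the Q1 suggestion of keeping the selector and rotating only the token, as an added example that is not part of the original post or of the Paragon Initiative article. The in-memory SQLite table, its column names, the `expires` column, the token lengths and the function names `issueToken()` and `loginFromCookie()` are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed in-memory stand-in for the auth_tokens table (column names are assumptions).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY,
    hashed_validator TEXT NOT NULL, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');

// The cookie carries selector:validator only; the user ID and the hash stay in the database.
function issueToken(PDO $db, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Returns [userId, replacementCookieValue] on success, null on any failure.
function loginFromCookie(PDO $db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);                         // step 1: split selector/validator
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT hashed_validator, user_id, expires
                          FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);                               // step 2: look up by selector
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;                                           // unknown or expired: abort
    }
    $candidate = hash('sha256', $validator);                   // step 3: hash cookie validator
    if (!hash_equals($row['hashed_validator'], $candidate)) {  // step 4: constant-time compare
        return null;
    }
    // Q1: keep the selector, replace only the validator, so each cookie value works once.
    $newValidator = bin2hex(random_bytes(32));
    $db->prepare('UPDATE auth_tokens SET hashed_validator = ? WHERE selector = ?')
       ->execute([hash('sha256', $newValidator), $selector]);
    return [(int) $row['user_id'], $selector . ':' . $newValidator]; // step 5: caller sets session
}

$cookie = issueToken($db, 42);                  // constructed user ID
var_dump(loginFromCookie($db, $cookie));        // first use of the issued cookie
var_dump(loginFromCookie($db, $cookie));        // same cookie replayed after rotation
var_dump(loginFromCookie($db, 'not-a-token'));  // malformed cookie value
```

In a real application the caller would write the returned user ID into the session and send the replacement value back as the new cookie.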
Messages In This Thread
Best approach to store Remember Me data - by glorsh66 - 12-18-2017, 09:33 AM
RE: Best approach to store Remember Me data - by jreklund - 12-18-2017, 11:51 AM
RE: Best approach to store Remember Me data - by glorsh66 - 12-19-2017, 02:41 AM
RE: Best approach to store Remember Me data - by InsiteFX - 12-19-2017, 03:45 AM
RE: Best approach to store Remember Me data - by jreklund - 12-19-2017, 08:56 AM
RE: Best approach to store Remember Me data - by glorsh66 - 12-20-2017, 04:43 AM