Session Tempdata vs Cookie for "Remember me" login (CI3)
#1

(This post was last modified: 09-04-2016, 06:16 PM by Joel Catantan.)

Hi guys! Just wanna ask if it is good to use Session Tempdata to store the userdata upon login when users want to be remembered by the system. I have been using a cookie the whole time, since it is recommended by so many developers.

Well, basically, the procedure was to store the userdata in a cookie and set an expiration time (e.g. 30 days). CI 3 has introduced a new feature to set session data as "Tempdata" with a specific expiration time. Same concept as the cookie, I think.

Is it recommended as it is or is it a good practice? What do you think guys?
[Just a programmer] Cool [/Just a programmer]
#2

No, session tempdata is not meant to serve such a purpose.

The "Remember me" feature can be implemented using cookies and database records. It has to be secure enough in the public section of the site.

I would recommend that this feature be disabled in the administration panel. Also, I would recommend that your authentication system detect automatic logins and ask for a true login when a user is going to perform very critical operations - ordering, payments, etc.

I think the following information is valuable:
http://fishbowl.pastiche.org/2004/01/19/..._practice/
http://jaspan.com/improved_persistent_lo...t_practice

Sample code, old, probably needs revision and adaptation:
http://jenssegers.be/blog/12/codeigniter...ibrary-1-3
https://github.com/jenssegers/codeignite...on-library
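The cookie-plus-database-record approach this reply recommends, shown as an added example (not code from this thread, from the linked articles, or from CodeIgniter). It follows the split-token style the linked articles describe: the cookie carries a lookup selector and a secret validator, the database keeps only a hash of the validator, and a session created from the cookie is flagged so that critical actions demand a fresh password login. The table and column names, the in-memory SQLite database, the cookie name and the list of critical actions are all assumptions made for the demo.

```php
<?php
// Added example, not code from this thread or from CodeIgniter: a "remember me"
// login backed by a cookie plus a database record. The table name, column names,
// the in-memory SQLite database, the cookie name and the critical-action list are
// assumptions for this demo; a real app would use its own DB and cookie config.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';       // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 60 * 60;   // 30 days, as in the first post

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE auth_tokens (
            selector       TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id        INTEGER NOT NULL,
            expires        INTEGER NOT NULL)');
    }
    return $pdo;
}

// After a successful password login with "remember me" ticked: create a token.
// The cookie carries selector:validator; the DB stores only a hash of the
// validator, so a leaked table does not yield usable cookies.
function issueRememberToken(int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret part, never stored in clear
    $stmt = db()->prepare(
        'INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);

    $cookieValue = $selector . ':' . $validator;
    if (PHP_SAPI !== 'cli') {
        // Secure/HttpOnly/SameSite keep the token away from scripts and cross-site requests.
        setcookie(REMEMBER_COOKIE, $cookieValue, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
    return $cookieValue;
}

// On a request with no live session but a remember-me cookie: look the token up.
// Returns the user id on success, null otherwise. Expired or mismatched tokens
// are deleted, so a token that has been tampered with cannot be retried.
function userFromRememberCookie(string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = db()->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $fresh = (int) $row['expires'] >= time();
    $match = hash_equals($row['validator_hash'], hash('sha256', $validator)); // constant-time compare
    if (!$fresh || !$match) {
        revokeRememberToken($selector);
        return null;
    }
    return (int) $row['user_id'];
}

function revokeRememberToken(string $selector): void
{
    db()->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
}

// The reply's other point: a session created from a remember-me cookie is marked
// as an automatic login, and critical actions then require a fresh password login.
function sessionFromAutoLogin(int $userId): array
{
    return ['user_id' => $userId, 'auto_login' => true];
}

function needsFreshLogin(array $session, string $action): bool
{
    $critical = ['order', 'payment', 'change_password'];   // assumed list
    return !empty($session['auto_login']) && in_array($action, $critical, true);
}

// Demo run (constructed values)
$cookie  = issueRememberToken(42);
$userId  = userFromRememberCookie($cookie);                                            // 42
$session = sessionFromAutoLogin($userId);
var_dump(needsFreshLogin($session, 'payment'));                                        // bool(true)
var_dump(userFromRememberCookie(strtok($cookie, ':') . ':' . str_repeat('0', 64)));   // NULL, token revoked
var_dump(userFromRememberCookie($cookie));                                             // NULL, already revoked
```

A wrong validator for a known selector is treated as a sign the cookie was tampered with, so the whole token is revoked rather than left for further attempts; logging out should call revokeRememberToken() for that browser's selector as well. In a CodeIgniter app the `auto_login` flag would live in the CI session and be checked before the controller actions the reply names (ordering, payments).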
#3

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
#4

@InsiteFX

Very interesting reading, thank you.
#5

(09-04-2016, 08:23 PM)ivantcholakov Wrote: No, session tempdata is not meant to serve such a purpose.

The "Remember me" feature can be implemented using cookies and database records. It has to be secure enough in the public section of the site.

I would recommend that this feature be disabled in the administration panel. Also, I would recommend that your authentication system detect automatic logins and ask for a true login when a user is going to perform very critical operations - ordering, payments, etc.

I think the following information is valuable:
http://fishbowl.pastiche.org/2004/01/19/..._practice/
http://jaspan.com/improved_persistent_lo...t_practice

Sample code, old, probably needs revision and adaptation:
http://jenssegers.be/blog/12/codeigniter...ibrary-1-3
https://github.com/jenssegers/codeignite...on-library

(09-05-2016, 04:34 AM)InsiteFX Wrote: Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)

Awesome links! Thanks guys. These are good reading.

"I would recommend this feature to be disabled in the administration panel"

@ivantcholakov, I don't think I will do that. Let's face the reality that there are so many lazy users who just want to be remembered when logging in. If I remove such a feature, many users will ask for it and I don't want to make the effort of explaining to each and every one of them. There is a way to secure confidential transactions like payments: you may implement a PIN code that only the user knows. For auto login, it is important for the system to have an Audit Trail (or System Trail, or whatever you call it) to track all sudden transactions, including login and logout.

CHEERS guys!
[Just a programmer] Cool [/Just a programmer]
#6

(09-05-2016, 05:50 PM)Joel Catantan Wrote: @ivantcholakov, I don't think I will do that. Let's face the reality that there are so many lazy users who just want to be remembered when logging in. If I remove such a feature, many users will ask for it and I don't want to make the effort of explaining to each and every one of them. There is a way to secure confidential transactions like payments: you may implement a PIN code that only the user knows. For auto login, it is important for the system to have an Audit Trail (or System Trail, or whatever you call it) to track all sudden transactions, including login and logout.

You might be surprised. Most browsers now have minimal built-in password managers/form auto-fill functionality, so if the browser can recognize your login form, most users aren't going to notice the lack of an auto-login/remember me feature. On my current site, which has been running CodeIgniter for about 4 years, I've had one complaint about this feature, and that complaint was that it wasn't working as the user expected. Since it wasn't possible to make it work as the user expected and still have some degree of security, I disabled it completely, and haven't had a single complaint about the feature being missing.