Best approach to store Remember Me data
#5

(This post was last modified: 12-19-2017, 09:00 AM by jreklund.)

Am I right that the selector is just a unique ID (and we must use the selector to add a little bit of secrecy about the amount of users)
The selector is a unique ID that gets randomized so that your software doesn't suffer from a timing attack. And how many users are logged in.

Code:
CREATE TABLE `auth` (
 `id` int(11) UNSIGNED NOT NULL,
 `selector` char(12) COLLATE utf8mb4_unicode_520_ci NOT NULL,
 `token` char(128) COLLATE utf8mb4_unicode_520_ci NOT NULL,
 `userid` int(10) UNSIGNED NOT NULL,
 `expires` datetime NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_520_ci;
ALTER TABLE `auth`
 ADD PRIMARY KEY (`id`),
 ADD KEY `selector` (`selector`);

How to generate the selector to exclude a potential hash collision?
Use one of the functions inside the article. If they do collide (12 chars) it's not likely that a random 64 chars will collide too. So the users will be kicked out. If you are paranoid, you will need to query the database.

My main question is - do I need to generate a new selector and hashedValidator each time a user logs in, and add a new entry in the database?
Each time a user clicks "Remember me" and opens your site after they have closed the browser/sessions have been deleted by CI/server.
Sure, there are people who never close their browser, but I keep mine static and the server has always timed out before 14 days (cookie).

So I mean if the same user logs in using different browsers - in cookies he will get different cookies (that have a different selector and hashedValidator)
Yes, he will get a different selector and token.

Do I need to make only one entry for the user (in Firefox and Chrome the user will get the same values in the selector and hashedValidator cookies)?
Different

Maybe you can get a few hints from my code. It's not tailored for CI, but it's using Paragonie examples.
https://github.com/jreklund/php4dvd/blob...ss.php#L73
https://github.com/jreklund/php4dvd/blob...nc.php#L19

And here is the official version from them:
https://github.com/psecio/gatekeeper/blo...mberMe.php
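
Added example, not part of jreklund's post and not the code from the linked repositories: a sketch of the selector/token flow discussed above, using the same `auth` columns. Assumptions made here: PDO with an in-memory SQLite table in place of MySQL, a `selector:validator` cookie value, SHA-512 for the stored token (128 hex chars, fitting `char(128)`), and the hypothetical function names `issueRememberMe` and `checkRememberMe`.

```php
<?php
// Added example. SQLite in memory stands in for the MySQL `auth` table above.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth (id INTEGER PRIMARY KEY, selector TEXT NOT NULL,
    token TEXT NOT NULL, userid INTEGER NOT NULL, expires TEXT NOT NULL)');

// Called on every "Remember me" login: one new row per browser, never reused.
function issueRememberMe(PDO $db, int $userId): string
{
    do { // the "paranoid" variant: query the database until the selector is unused
        $selector = bin2hex(random_bytes(6));           // 12 chars, fits char(12)
        $q = $db->prepare('SELECT 1 FROM auth WHERE selector = ?');
        $q->execute([$selector]);
    } while ($q->fetchColumn() !== false);
    $validator = bin2hex(random_bytes(32));             // random 64 chars, cookie only
    $db->prepare('INSERT INTO auth (selector, token, userid, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha512', $validator), $userId,
                  gmdate('Y-m-d H:i:s', time() + 14 * 86400)]); // 14-day lifetime
    return $selector . ':' . $validator;                // value to store in the cookie
}

// Returns the user id for a valid, unexpired cookie value, or null.
function checkRememberMe(PDO $db, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $q = $db->prepare('SELECT token, userid FROM auth WHERE selector = ? AND expires > ?');
    $q->execute([$parts[0], gmdate('Y-m-d H:i:s')]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // The selector is looked up with an ordinary indexed query; the secret part
    // is only ever compared as a hash, in constant time, with hash_equals().
    if ($row === false || !hash_equals($row['token'], hash('sha512', $parts[1]))) {
        return null;
    }
    return (int) $row['userid'];
}

$firefox = issueRememberMe($db, 42);    // constructed user id
$chrome  = issueRememberMe($db, 42);    // same user, second browser: separate row
var_dump($firefox !== $chrome);
var_dump(checkRememberMe($db, $firefox), checkRememberMe($db, $chrome));
// Right selector, wrong validator: must be rejected.
var_dump(checkRememberMe($db, explode(':', $firefox)[0] . ':' . str_repeat('0', 64)));
```

Because only the SHA-512 of the validator is stored, a read-only leak of the `auth` table does not yield usable cookie values.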


Messages In This Thread
RE: Best approach to store Remember Me data - by jreklund - 12-19-2017, 08:56 AM


