Cookie Login
#1

[eluser]BoogieK[/eluser]
Hi,

I want to create a login form in CI with a "Remember me" field but the cookie is not saved. I load the library in the autoload file, and after I'm doing all the verifications I'm setting the cookie, but it is saved just like a session. My browser has the cookies enabled, I'm using the set_cookie() function but with no success. Can anybody help me with an example or something else?
#2

[eluser]devbro[/eluser]
each cookie has several meta data attached to it. use firefox and use the "add-n-edit cookie" to see those details:
https://addons.mozilla.org/en-US/firefox/addon/573

if your info in cookie is saved just like a session then I suspect that you forgot to set the expiry date on the cookie correctly.
#3

[eluser]BoogieK[/eluser]
Thanks for help. It wasn't from the expire date. In fact, it was my attention for setting cookies. Anyway, I solved the problem and I created a library for the authentication section of the site. In fact the library has some hooks functionality but I will improve it in a few minutes. Thanks again.
#4

[eluser]darkhouse[/eluser]
BoogieK, what are you storing in the cookie? Security is obviously an issue, so I'm curious what the best method to achieve this is.
#5

[eluser]BoogieK[/eluser]
Well, meanwhile I realised that there are some problems with the login. I was trying to create a hook but the problem is that in the hook I need to load the cookie helper and if I load the cookie helper there are errors in that file. So I'm thinking how to do it.

In the cookie I'm storing an id for the site and a unique key for every user. When the user logs in and checks the 'remember me' field I make the login routine verifications, then insert in database the id and the site key and at every visit I'm looking for the cookie in my database and at the user.
#6

[eluser]BoogieK[/eluser]
So, is there anyone who can help me with a secure cookie login, remember password form, please?
#7

[eluser]devbro[/eluser]
for doing this you need a separate table in your db call it session_remember. it has 4 fields in it:
1. the username
2. the cookie value associated with the remember me
3. the last time the cookie was used
4. extra information, such as IP, browser info


first 2 fields are easy. if the cookie exists but there is no session then repopulate the session.

use the 3rd field to remove extra cookies from db in case of in-activity

the 4th field is the most important. it will be used to track users, if a cookie pops up in two different places on the internet then you need to look into it. if it is two different browsers then you got a stolen cookie. if the IPs belong to two different ORGANIZATION/COUNTRIES then you better drop that cookie asap.

if you want to allow only ONE login per account then add these fields to your user table. and use the session_id as your cookie value. on every request you have to validate the cookie and if the session does not match then you got a multi login in your hand.
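
The session_remember scheme described in post #7, as an added example that is not part of any post in this thread and is not CodeIgniter's own code. The function names, the 30-day inactivity window, the sample values and storing only a SHA-256 hash of the cookie value in the table are assumptions; only the browser comparison is implemented, and the IP is recorded for later review.

```php
<?php
// Added example: the four-field session_remember table, on PDO + in-memory SQLite.
const REMEMBER_TTL = 2592000; // 30 days of inactivity (assumed value)

function remember_schema(PDO $db): void {
    $db->exec('CREATE TABLE session_remember (username TEXT NOT NULL,
        token_hash TEXT NOT NULL UNIQUE, last_used INTEGER NOT NULL,
        ip TEXT, user_agent TEXT)');
}

// Issue a token at login when "remember me" is ticked; returns the cookie value.
function remember_issue(PDO $db, string $user, string $ip, string $ua): string {
    $token = bin2hex(random_bytes(32)); // unguessable value, never derived from the user
    $db->prepare('INSERT INTO session_remember VALUES (?,?,?,?,?)')
       ->execute([$user, hash('sha256', $token), time(), $ip, $ua]); // hash is an assumption
    return $token; // send with set_cookie() and a non-zero expiry, HttpOnly + Secure
}

// Called when the cookie exists but there is no session. Returns the username
// to repopulate the session with, or null if the cookie must be rejected.
function remember_check(PDO $db, string $token, string $ip, string $ua): ?string {
    // Field 3: purge rows that have been inactive for too long.
    $db->prepare('DELETE FROM session_remember WHERE last_used < ?')
       ->execute([time() - REMEMBER_TTL]);
    $q = $db->prepare('SELECT * FROM session_remember WHERE token_hash = ?');
    $q->execute([hash('sha256', $token)]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    // Field 4: the same cookie from a different browser is treated as stolen.
    if (!hash_equals($row['user_agent'], $ua)) {
        $db->prepare('DELETE FROM session_remember WHERE token_hash = ?')
           ->execute([$row['token_hash']]);
        return null;
    }
    $db->prepare('UPDATE session_remember SET last_used = ?, ip = ? WHERE token_hash = ?')
       ->execute([time(), $ip, $row['token_hash']]);
    return $row['username'];
}

// Constructed sample run (user name, addresses and user agents are made up).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
remember_schema($db);
$cookie = remember_issue($db, 'boogiek', '203.0.113.7', 'Firefox/3.0');
var_dump(remember_check($db, $cookie, '203.0.113.7', 'Firefox/3.0')); // same browser
var_dump(remember_check($db, $cookie, '198.51.100.9', 'Opera/9.6'));  // different browser
var_dump(remember_check($db, $cookie, '203.0.113.7', 'Firefox/3.0')); // after the row was dropped
```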



