Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

OpenID sign in mechanism - Stay signed in

Tags:

php

cookies

openid

I'm developing a website in PHP and I'm trying to use OpenID for log-in mechanism. I want a behaviour similar to StackOverflow's. By that, I mean whenever I open stackoverflow, I'm already signed in. I found two related questions on StackOverflow:

OpenId + remember me / staying logged in

Sign in with Twitter, and stay signed in (PHP)

I understand that I should sign in the user and if this is his/her first time, I should sign up the user and set a cookie in his/her system. However what I want to know is what should I store in the cookie? Username/password combination? That seems like a security issue. And the other question is where should I check for the cookie? I would appreciate a simple tutorial/code sample. Thank you.

like image 549
Alireza Noori Avatar asked Feb 23 '23 03:02

Alireza Noori

1 Answers

This is basic web app session management with cookies and OpenID doesn't make a difference here at first.

No, absolutely do not store the username and password in the cookie. Cookies act as "bearer tokens", meaning whoever has the cookie gets in. The best thing to store in a cookie is an unguessable and arbitrary key that you can use to look up real information in a table in your application. So, the user shows up with a cookie of "myappsession" and a value of "234871nb341adf" tied to your domain. Your app would then look up the value of "234871nb341adf" in a local data store and see if it's tied to a valid user. You'd be best served to also check how long ago that user was there and whatnot. If it's a valid session and it's within your time and usage limits, the user is logged in automatically.

For extra paranoia from the RP side, you can make use of the checkid_immediate mode of OpenID to make a background call to see if the user is still logged in to their IdP. If they're not, then you at least know which provider to try to send them to for re-validation and can provide a better user experience.

If you want your site to be really secure, you should do all of your sessions over HTTPS and tag your cookies as both "Secure" and "HTTPOnly", which is documented on the setcookie function manual page: http://php.net/manual/en/function.setcookie.php

like image 171
jricher Avatar answered Mar 07 '23 22:03

jricher
Sign in to Comment

Related questions

How to lazy load items from mysql db like facebook and twitter (infinite scrolling)
How do you EXPLODE CSV line with a comma in value?
how to check a value of simplexml object
PHP Regex match word or group of words in all capital letters
Integration of R Language with php to take the result from R
Codeigniter upload image - The upload path does not appear to be valid
Converting Resolutions to Aspect Ratios with PHP
Parsing XML with PHP?
PHP multidimensional array algorithm?
Protecting a web contact form from spam without PHP?
How to set auth variable in zend framework
Sanitizing when storing serialized array
Kohana database config settings for ORM
I am trying to split/explode/preg_split a string but I want to keep the delimiter
Is this a safe use of Session Variables?
Handling JSON with Java [-Jackson-]. Cannot deserialize
How to scrape iframe content using cURL
What's the correct way to test if a variable is a number in PHP?
Should I use "| at now" or ampersand (&) to run the script in background?
remove html tags

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!