PHP: Remember Me and security?

During the time I've spent taking breaks from learning how PHP supports Unicode, I've been delving into making my "Remember Me" cookies a bit more secure. However, there are a few things I don't understand and a few of my own musings I'd like some suggestions and opinions on.

1) Is there any method to adopting a "Remember Me" feature that doesn't involve cookies? Curious since there are obvious security flaws in storing authentication cookies. Not that there aren't security risks in just about everything.

2) Since I'm not working with a bank or "highly sensitive" information, is it necessary to require users to enter their passwords for the more "high profile" areas? It seems that remembering a login would be a waste if we're just going to ask them to essentially log in anyway two minutes later.

3) What's the absolute best method for storing an authentication cookie (aside from "not at all")? I have currently coded that area to set a single token in the cookie (hashed using time(), their user agent, remote_addr, and a salt - sha256). When said user comes back it checks the 'sessions' table for the token, then matches IP to IP to log them in. If the token is there but the IP doesn't match it silently unsets the cookie and asks them to log in as if they didn't have one.

Thanks again everyone.

Zydeco asked Jan 20 '11 04:01


1 Answer

  1. Essentially, no. It requires some sort of storage on the client side; you have no way to know who a client is without a cookie (or similar, like HTML 5 client-side storage).

  2. That is a trade-off you must decide. Minimum, the old password or some other form of confirmation (e-mail?) should be required to change it to a new one.

  3. You can't absolutely protect against cookie theft and subsequent impersonation unless you encrypt all the communications. That's the only secure method. Sure, associating an IP, user-agent etc. to the cookie might be helpful, but it's easier and much more secure to rely on encryption. (I misunderstood the point here -- what's important in the value of the cookie is that it's random, so you ought to change your generational method to be less predictable)

Artefacto answered Sep 20 '22 13:09
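The following is an added example, not code from the question or the answer above, showing one way to act on the answer's point 3 in PHP. The token in the question is a SHA-256 of `time()`, the user agent, the remote address and a salt; every one of those inputs except the salt is either public or guessable to within a few seconds, so the token's unpredictability rests on the salt alone. Here the cookie value is pure output of `random_bytes()`, it is split into a public selector (the database lookup key) and a secret validator (stored only as a hash and compared with `hash_equals`), it is rotated on every use, and a correct selector with a wrong validator is treated as a stolen cookie. The `$sessions` array is a hypothetical in-memory stand-in for the question's `sessions` table; the function and column names are assumptions, and a real deployment would back them with PDO queries against MySQL.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory stand-in for the question's 'sessions' table.
// Keyed by selector; a real implementation would use PDO with the same columns.
$sessions = [];

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days

// Create a new remember-me token for $userId and record it server-side.
// Returns the cookie value "selector:validator".
function issueRememberToken(array &$sessions, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));    // 72 bits: non-secret lookup key
    $validator = bin2hex(random_bytes(32));   // 256 bits: the secret proven on return
    $sessions[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),  // never store the validator itself
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Send the cookie. Secure keeps it off plaintext HTTP, HttpOnly keeps it away
// from script, SameSite=Lax stops it riding along on cross-site POSTs.
// (Assumed web-handler helper; it is not exercised in the CLI demo below.)
function setRememberCookie(string $token): void
{
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate a presented cookie. Returns the user id on success, null otherwise.
// On success the token is consumed; the caller must issue a fresh one.
function checkRememberToken(array &$sessions, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;                          // malformed: treat as no cookie at all
    }
    [$selector, $validator] = $parts;
    $row = $sessions[$selector] ?? null;
    if ($row === null) {
        return null;
    }
    if ($row['expires'] < time()) {
        unset($sessions[$selector]);          // expired: clean up and require login
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: somebody is replaying or guessing at a
        // stolen cookie. Revoke every remembered session for this user.
        foreach ($sessions as $sel => $r) {
            if ($r['user_id'] === $row['user_id']) {
                unset($sessions[$sel]);
            }
        }
        return null;
    }
    unset($sessions[$selector]);              // one-time use: rotate on every login
    return $row['user_id'];
}

// Constructed CLI walk-through of the token lifecycle.
$token = issueRememberToken($sessions, 42);
var_dump(checkRememberToken($sessions, $token));   // user 42 is logged in, token consumed
var_dump(checkRememberToken($sessions, $token));   // replay of the same cookie is rejected

$newToken = issueRememberToken($sessions, 42);     // what a web handler does after a successful check,
                                                   // followed by setRememberCookie($newToken)
[$selector] = explode(':', $newToken);
$forged = $selector . ':' . str_repeat('0', 64);   // valid selector, wrong validator
var_dump(checkRememberToken($sessions, $forged));  // rejected, and all of user 42's rows are revoked
var_dump(count($sessions));                        // table is empty again
```

Nothing about the client (IP address, user agent) goes into the token or the check. As the answer says, what matters is that the value is unpredictable and that TLS keeps it off the wire in clear, which the `secure` flag enforces. Binding the cookie to `REMOTE_ADDR`, as the question does, mostly logs out users behind NAT or on mobile networks; if you want that signal at all, store the address beside the row and log a mismatch rather than treating it as proof of theft. Keep this cookie separate from the PHP session cookie: on a successful check, start a normal session for the user and immediately issue and set a new remember-me token.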