Auto User detection

arafin

Hello

I need the solution of the following problem :

I have a registration form. A User can be a member by this site. A user will use his/her username and password to login. “Remember me” option will be there for user to select during login (feature that will allow users to use the system without inserting the login information again).

PLEASE help me soon. Thanks in advance.

dream_scape

Here is one approach:

add a column to the user's db table to hold a "key", called "cookieKey" or something.
when a user logs in with that option, create a random string. This becomes the "key".
run the "key" through your password hashing algorithm. This becomes your "hashed key."
Save the "hashed key" to the "cookieKey" column and set the "key" into a cookie.
When a user is not logged in, check for the cookie holding the "key". If it exists, then check that it is valid (match it against the "hashed key" in the database basically the same way you check a password is valid). If it is valid, then automatically log them in.

Basically you are creating a 2nd random password for the user, and storing it in a cookie.

This will work well for basic sites, communities, etc. Sites needing more security, like eCommerce sites, the way I go about it is the same, except auto-logged in customers only have access to areas that don't contain sensitive information, and still must provide their password for "validation" to gain access to more secure areas. Basically a 2 level authentication.

arafin

Thnks for the approach. But I have fail to understand the step 3. Can you explain(Password Hashing Algorithm)

arafin

Thanks for the approach. But I have failed to understand the step 3. Can you explain(Password Hashing Algorithm) ?

MarkR

You don't really need it. If you can create a sufficiently unguessable value without hashing, use that.

There is a PHP function uniqid which generates supposedly unique IDs. The PHP uniqid page explains it more.

Normally I cause this value to be changed every time the user changes their password, or an admin makes any account modification (including locking, unlocking etc). This ensures that nobody can access the account without the new password.

Mark

Megahertza

heres a example dude of hashing.

$hash = md5($key)

then you insert $hash into the cookiekey column.

This what md5 does to a string

echo md5("HELLO")."<br />";
echo md5("HELLO1");

outputs

eb61eead90e3b899c6bcbe27ac581660
cbaf229714f868ed2d729c2f1697365b

You see its quite random and very secure. all you have to do is md5("A random string") and insert that into "cookiekey" column