Hi all,
I was wondering what thoughts/ideas people had on the issue of having a "remember me" type function with a login script for a site.
Here is the code I use currently; I would appreciate some analysis as to potential flaws, security holes, etc.
    if (isset($_COOKIE['mySiteUser'])) { // use cookie to make login persistent
        if (empty($_SESSION['mySiteCustomer']['userID'])) { // user not logged in, so check their cookie
            // cookie holds a serialized array: userIP, userAgent, userEmail, userPass
            $uservals = unserialize($_COOKIE['mySiteUser']);
            // make sure they are logging in from the same IP address and browser, not hijacking the cookie
            if (is_array($uservals)
                && $uservals['userIP'] == $_SERVER['REMOTE_ADDR']
                && $uservals['userAgent'] == $_SERVER['HTTP_USER_AGENT']) {
                $sql = "SELECT `c_id` FROM `customers` WHERE `c_email` = '" . mysql_real_escape_string($uservals['userEmail'])
                     . "' AND `c_password` = '" . mysql_real_escape_string($uservals['userPass']) . "'";
                $dosql = mysql_query($sql) or die(mysql_error());
                if (mysql_num_rows($dosql) == 1) {
                    $_SESSION['mySiteCustomer']['userID'] = mysql_result($dosql, 0); // log them in
                }
            }
        }
    }
The major flaw I know of is the issue of someone else using the computer with the stored details, but surely that is impossible to prevent without forcing another login.
Thanks.
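The snippet below is an added example, not the poster's code: instead of serializing the e-mail and password into the cookie, it stores a random selector:validator token and keeps only a hash of the validator server-side, so a stolen database row or cookie cannot be turned back into the account password. It assumes PHP 7.3 or later, a PDO connection `$pdo` with exceptions enabled, and a hypothetical `auth_tokens` table; the `customers` table and the session keys are the poster's.

```php
<?php
// Added example, not the poster's code. Assumes a PDO connection $pdo and a table
// `auth_tokens` (`selector` CHAR(18), `validator_hash` CHAR(64), `c_id` INT, `expires` INT).
const REMEMBER_COOKIE = 'mySiteRemember';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days

// Called once after a successful password login: store only a hash of the secret.
function issueRememberToken(PDO $pdo, int $customerId): void
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key (18 hex chars)
    $validator = bin2hex(random_bytes(32));  // secret (64 hex chars), never stored in clear
    $expires   = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare('INSERT INTO `auth_tokens` (`selector`, `validator_hash`, `c_id`, `expires`)
                           VALUES (:sel, :hash, :cid, :exp)');
    $stmt->execute([':sel' => $selector, ':hash' => hash('sha256', $validator),
                    ':cid' => $customerId, ':exp' => $expires]);

    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Map the cookie back to a customer id, or null. No unserialize(): the value must be
// two hex strings, and the selector is passed as a parameter of a prepared statement.
function customerIdFromRememberCookie(PDO $pdo, string $cookie): ?int
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT `validator_hash`, `c_id` FROM `auth_tokens`
                           WHERE `selector` = :sel AND `expires` > :now');
    $stmt->execute([':sel' => $m[1], ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null; // unknown selector, expired, or wrong secret (constant-time compare)
    }
    return (int) $row['c_id'];
}

// Replacement for the cookie check in the original snippet (session already started).
if (empty($_SESSION['mySiteCustomer']['userID']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $id = customerIdFromRememberCookie($pdo, (string) $_COOKIE[REMEMBER_COOKIE]);
    if ($id !== null) {
        $_SESSION['mySiteCustomer']['userID'] = $id;
    }
}
```

On logout, delete the `auth_tokens` row for that selector and clear the cookie, which also answers the shared-computer case: revoking the token server-side ends every browser that still holds it.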