I've always hated this area of coding PHP pages. I have a project that I have worked on for a while and I currently create two cookies, one that stores the User Id and one that stores the MD5 password. Before you laugh, my site has nothing remotely important and doesn't have that much traffic. It's barely an afterthought.

However, even I can see that this is a terrible idea. What do big programs (Facebook, PHPBB, Joomla) save on the user's hard drive in a cookie for the Remember Me feature?

Do you guys have any good suggestions? I'm going to redo this part of the site and hopefully make it work in a manner that is best practice.

Thanks PHP Builder!

    If you have nothing "remotely important" to protect on your website, why not just generate a hash (digital signature) for each one of your users (which would at least make it hard to guess.) Your users have given valid credentials for getting the cookie in the first place.

    If you are worried about replaying a cookie by a malicious user, you could always generate a new cookie with every page load based on an algorithm that either stores the cookie hash (in a database) or creates a new hash in some manner that can be predicted for that user with each subsequent page load (user salt + date hash, etc.)

      laserlight;10940189 wrote:

      Are you using sessions?

      Yes I am using sessions.

        Then why not just store the session id in the cookie? The session management system already allows you to do this.

          laserlight;10940227 wrote:

          Then why not just store the session id in the cookie? The session management system already allows you to do this.

          That sounds good to me. Is that secure though? This subject is very interesting to me and I was wondering how the big websites handle this. I think storing the session will be good enough for me, but now I want to understand the correct way to do this if I were ever to design a site with important information.

            SID, session_id is a very long unique string.
            So it is very difficult to guess and is good security.
            Example, 32 chars:

            http://www.example.com/file.php?SID=43b4a19d1962304012a7531fb2bc50dd

              halojoy;10940236 wrote:

              SID, session_id is a very long unique string.
              So it is very difficult to guess and is good security.
              Example, 32 chars:

              http://www.example.com/file.php?SID=43b4a19d1962304012a7531fb2bc50dd

              Cool. One final question: Is a Remember Me cookie always compromised if someone has physical access to your computer?

                Two things...

                A remember me cookie IS compromised if the person has physical access to your machine. This is why many sites employ password checking to change account information (even if you are logged in.)

                Two. Sessions ARE NOT the same as a remember me cookie. What good is your session id in a cookie if PHP garbage collection has deleted your session due to timeout?

                  bretticus;10940264 wrote:

                  Two. Sessions ARE NOT the same as a remember me cookie. What good is your session id in a cookie if PHP garbage collection has deleted your session due to timeout?

                  True, but you can either make the session last longer, like a month or a year. Or, you can keep a field in the database with a unique constraint, try to insert the SID there, and if it fails, create some other string.
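The two database-backed approaches raised in this thread (bretticus's "store the cookie hash in a database and issue a new one on each use", and the unique-constraint field in the last reply) can be combined into one remember-me token design. The following is an added example, not code from any poster: it keeps only a hash of the random token in the database so a dumped table cannot be replayed as a cookie, compares it in constant time, and rotates the token on every successful use. It uses an in-memory SQLite database so it runs stand-alone; the table, column and function names are assumptions.

```php
<?php
// Added example: hashed, rotating "remember me" tokens in PHP (PDO + SQLite in memory).
// Table and column names are assumed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY,        -- unique constraint: a duplicate selector is rejected
    validator_hash TEXT NOT NULL,     -- SHA-256 of the secret, never the secret itself
    user_id INTEGER NOT NULL,
    expires INTEGER NOT NULL)');

// Issue a fresh token for $userId and return the cookie value "selector:validator".
function issueRememberToken(PDO $db, int $userId, int $ttl = 30 * 86400): string {
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret on its own
    $validator = bin2hex(random_bytes(32));  // the secret the cookie must present
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return "$selector:$validator";
}

// Validate a cookie value. On success the old row is deleted and a new token
// issued, so a copied cookie stops working as soon as the real user logs in again.
// Returns [userId, newCookieValue] or null when the cookie is unknown, expired or wrong.
function consumeRememberToken(PDO $db, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires'] < time()) { return null; }
    // Constant-time comparison so response timing does not reveal how many bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) { return null; }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    $userId = (int)$row['user_id'];
    return [$userId, issueRememberToken($db, $userId)];
}

// Demonstration with a constructed user id. In a real page the cookie value would be
// sent with setcookie('remember', $cookie, ['httponly' => true, 'secure' => true,
// 'samesite' => 'Lax', 'expires' => time() + 30 * 86400]) and read back from $_COOKIE.
$cookie = issueRememberToken($db, 42);
$first  = consumeRememberToken($db, $cookie);     // valid: logs user 42 in, rotates token
$replay = consumeRememberToken($db, $cookie);     // the old cookie has been rotated away
$next   = consumeRememberToken($db, $first[1]);   // the rotated cookie is the only valid one
var_dump($first[0] === 42, $replay === null, $next[0] === 42);
```

Because only the hash is stored, an attacker who reads the table still cannot forge a cookie, and the per-use rotation means a stolen cookie is invalidated the next time the legitimate user returns, which is the strongest answer available to the "physical access" question above.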
