Nice!!

Justin French

on 18/02/03 12:54 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> You shouldn't store user password in cookies on a browser, instead a
> more secure method for the user is:
> 
> On your login form offer the ability to be remembered, if they click the
> "Remember Me" box generate a unique random ID (or 2 and combine them),
> now store this ID in your database attached to their user account and
> set a cookie on their browser with this ID.  Now when they come to your
> website if they are not logged in your website checks for this unique id
> in the cookie, if the cookie exists it references it against their user
> account, if the unique id matches the system logs them in.  This method
> is also nice because you can invalidate all automatic logins by clearing
> the column in your database.
> 
> Please note the unique ID will still be sent in the clear so someone
> sniffing the traffic could still pick it up, if you force them to login
> once every n days it can help reduce this, also prompt for the password
> for any critical events like changing their profile.
> 
> If you pass this over SSL you make it more secure because the traffic is
> encrypted.
> 
> Jason
> On Mon, 2003-02-17 at 17:55, Justin French wrote:
>> on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:
>> 
>>> Hi there,
>>> 
>>> I have set up a site with session management, but even if the browser is closed
>>> or after the default expiration time of the session, the user should be able
>>> to see his/her personalized settings. I am not using any cookies.
>>> 
>>> How can I make this happen without changing my session related code? Should
>>> I combine cookies with sessions or can I make my sessions never expire even
>>> the browser is closed?
>> 
>> Sessions are just that -- a single session, so no, a session cannot live
>> forever.  However, a cookie can.  You *could* set a cookie with the user's uid
>> and pwd, and check for the cookie before asking the user to login, but
>> obviously there are some vulnerabilities to this, so it should be an OPTION
>> for users, rather than FORCED upon them... they should also be aware of the
>> risks.
>> 
>> One of many risks is the fact that if they're on a shared computer (library,
>> net cafe, work, school), others will:
>> 
>> a) be able to see their password and username by viewing the cookie
>> 
>> b) be able to login as the user to your site, and possibly many others using
>> those credentials
>> 
>> 
>> 
>> Justin 
>> 
>> 
>> -- 
>> PHP General Mailing List (http://www.php.net/)
>> To unsubscribe, visit: http://www.php.net/unsub.php
> 


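The "Remember Me" scheme Jason describes, as an added Python example that is not from the thread or its authors: a random ID is issued at login, stored against the account, matched on the next visit, and invalidated by clearing the column. It goes one step beyond the post by storing only a hash of the ID in the database and by expiring it after n days; it assumes a constructed in-memory SQLite users table and a 14-day re-login period.

```python
import hashlib
import secrets
import sqlite3
import time

REMEMBER_DAYS = 14  # assumed value: force a fresh password login every n days


def open_db() -> sqlite3.Connection:
    # Constructed in-memory schema standing in for the site's real user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
               "remember_hash TEXT, remember_expires INTEGER)")
    db.execute("INSERT INTO users (id, name) VALUES (1, 'altug')")
    return db


def _digest(token: str) -> str:
    # Only a hash is stored: a copied database table yields no usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_remember_token(db, user_id: int, now: int = None) -> str:
    # Called after a password login when the user ticked "Remember Me".
    # Issuing a new ID replaces the old one, so only one cookie is valid at a time.
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # unpredictable 256-bit random ID
    db.execute("UPDATE users SET remember_hash=?, remember_expires=? WHERE id=?",
               (_digest(token), now + REMEMBER_DAYS * 86400, user_id))
    return token  # this value goes into the cookie, never the password


def login_from_cookie(db, token: str, now: int = None):
    # Returns the user id when the cookie's ID matches an unexpired stored ID,
    # otherwise None so the site falls back to the normal login form.
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT id, remember_expires FROM users WHERE remember_hash=?",
                     (_digest(token),)).fetchone()
    if row is None or row[1] <= now:
        return None
    return row[0]


def revoke_all(db, user_id: int) -> None:
    # Clearing the column invalidates every automatic login for the account.
    db.execute("UPDATE users SET remember_hash=NULL, remember_expires=NULL "
               "WHERE id=?", (user_id,))
```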
