Remember Me Basics

I am using a PHP / MySQL login system. I would like to add "remember me" to it. What are the basic mechanics of remember-me? Does this include adding a new column to a table in MySQL, where all user information is stored, etc.?

Thanks in advance,

John

+4
3 answers

There are several different methods for this. The secure method would be to add a field to the MySQL user table holding a remember_me hash, which is just a random hash.

The hash should be stored in a cookie on the user's computer, along with the user ID, for checking how long the remembered period lasts (you should also record the remember-me period in the database as a timestamp, for added security). When they pull up your site, you see if this cookie is set; if so, you simply authenticate the hash for that user ID. If it checks out, they are considered logged in. If it is not confirmed, send them to the sign-in page / treat them as not logged in.

This is how I set up most of my sites. The pain is that if they log in from another computer, they are no longer remembered on the computer they used before and will have to re-authenticate. But security, for me, is more important than the inconvenience of having to log in again in this situation.

EDIT: See Comments below for more information on sessions / security.

+3

Do I need to add a new column to a table in MySQL, where all user information is stored, etc.?

Not necessarily. Remember Me works by storing in a cookie either the user's basic credentials (his username and password, usually) or temporary credentials that expire after a while. If you use these temporary surrogate credentials, which are usually long random strings, you should add a table to your database where you store them, the username associated with them, and the time they expire.

You almost certainly don't want these credentials sent over an unencrypted connection. You must store them in secure cookies, i.e. cookies that are only sent via HTTPS (and you must also set the cookies over an encrypted connection).

If you decide to use a secure cookie, but do not want to encrypt all traffic, you can use two cookies:

  • An insecure cookie that only signals the server that you have a secure cookie with credentials.
  • A secure cookie with the credentials themselves.

Then, when a user visits your site and is not logged in, you check for the insecure cookie. If it exists, you redirect the user to an HTTPS page. Because that page is secure, the client sends the secure cookie with the user credentials. Then proceed to check the contents of the cookie against the user stored in the database and log them in.

+2
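The surrogate-credential design from the two answers above (random token, separate table with user and expiry, Secure/HttpOnly cookie), as an added example that is not code from either answer. It assumes a PDO connection `$pdo`, a `remember_tokens` table as described in the comment, and your app's own `login_user()` function; the split into a lookup selector plus a secret validator, with only the validator's hash stored in the database, is an addition so a copied database yields no usable tokens.

```php
<?php
// Added example. Assumed schema:
//   CREATE TABLE remember_tokens (selector CHAR(24) PRIMARY KEY,
//     token_hash CHAR(64) NOT NULL, user_id INT NOT NULL, expires DATETIME NOT NULL);
const REMEMBER_DAYS = 30;

// Call after a successful password login when the "remember me" box was ticked.
function issueRememberToken(PDO $pdo, int $userId): void {
    $selector  = bin2hex(random_bytes(12));  // public lookup key (24 hex chars)
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $expires   = new DateTimeImmutable('+' . REMEMBER_DAYS . ' days');

    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    $expires->format('Y-m-d H:i:s')]);

    setcookie('remember', $selector . ':' . $validator, [
        'expires'  => $expires->getTimestamp(),
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Call on requests with no session. Returns the user id to log in, or null.
function checkRememberToken(PDO $pdo): ?int {
    $cookie = $_COOKIE['remember'] ?? '';
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);

    $stmt = $pdo->prepare('SELECT token_hash, user_id FROM remember_tokens
                           WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, date('Y-m-d H:i:s')]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown, expired, or forged token: treat the visitor as not logged in.
    if ($row === false || !hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Call on logout so the token cannot be reused afterwards.
function revokeRememberToken(PDO $pdo): void {
    [$selector] = explode(':', $_COOKIE['remember'] ?? '', 2);
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    setcookie('remember', '', ['expires' => time() - 3600, 'path' => '/']);
}
```

In the page bootstrap, `if (empty($_SESSION['user_id']) && ($uid = checkRememberToken($pdo)) !== null) { login_user($uid); }` runs the normal login path for a valid token, exactly as the third answer below describes.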

When someone logs in with the “remember me” setting, generate an identifier and save it in a cookie.

When someone visits a page of your site, look for the cookie. If it is there, look it up in your database, where it should be mapped to the user ID. Then just run all the login functions, just as if they had entered the correct username and password.

0
