2

I am making a PHP page that allows the user to stay logged in, and I am checking the user's current IP against one stored in a SQL table.

I store the user ID in the cookie, not the IP.

What other checks should I be doing? I don't think the IP is enough right now.

nycynik
NaughtySquid

4 Answers

2

Keeping users logged in to your application or website depends on cookies. The user's IP may change, so it is not suitable for this feature. It is just a matter of writing a cookie and then reading it on login.

SaidbakR
  • What is preferred to check instead of IP? User agent string maybe? – NaughtySquid Dec 01 '12 at 21:35
  • As an idea, it should hash a user property such as user_id or username and write it in a cookie. When the user visits the application again and the application needs the login, it will check for and read the cookie, then compare the hash with the hash of the username; if they are the same, the user is set to be logged in. – SaidbakR Dec 01 '12 at 21:45
0

You might want to store user details in sessions. Cookies are relatively unsafe and could be used for privilege escalation.

user1880717
0

A hashed session cookie is good for keeping a user logged in. That's because the cookie stays on the user's computer and allows it to access session data. Hashing it adds a layer of security.

A user's IP address isn't as good as either a cookie or a session variable. For one thing, it can change (as in a smartphone moving from one tower's range to another). For another, it can be shared (as in multiple users riding on the same wireless router). Finally, IP addresses can be spoofed.

Sessions, on the other hand, will only last as long as the browser is open (subject to session timeouts set on the server side). In this case, the session establishes one session cookie that allows the browser to point to session data on the server.

Session data is much more secure, since that one session cookie is all that's resident on the user's machine for the duration of the browser session. That way you can store more sensitive data (user name, personally identifiable info, or account data) on the server.

The only way to access session data is through that user's one single session cookie, which is normally a very long string of random characters. Hashing it makes it very difficult to unscramble.

KiloVoltaire
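The server-side session flow this answer describes, as an added PHP example; it is not code from the question or from any of the answers. It assumes PHP 7.3 or later (for the samesite cookie option) and a site served over HTTPS; the timeout values and the function names are my own choices. The point it shows that the prose does not: the browser holds nothing but an opaque session id, and the server, not the client, decides when that id stops being valid.

```php
<?php
// Added example (not from the question or answers): keep the user's identity
// in server-side session data and put only an opaque session id in the browser.
// Assumed: PHP 7.3+ (array form of session_set_cookie_params, 'samesite'), HTTPS.

declare(strict_types=1);

const IDLE_TIMEOUT     = 30 * 60;   // log out after 30 minutes of inactivity
const ABSOLUTE_TIMEOUT = 8 * 3600;  // and unconditionally 8 hours after login

function startSecureSession(): void
{
    // 'lifetime' => 0 makes it a session cookie: gone when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable from document.cookie
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject ids the server never issued
    ini_set('session.use_only_cookies', '1'); // no session ids in URLs
    session_start();
}

/** Call after the password (or other credential) has been verified. */
function loginUser(int $userId): void
{
    // A fresh id at the moment of privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['login_time']    = time();
    $_SESSION['last_activity'] = time();
}

/** Returns the logged-in user id, or null when there is no live login. */
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    $now = time();
    if ($now - $_SESSION['login_time'] > ABSOLUTE_TIMEOUT
        || $now - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        logoutUser();
        return null;
    }
    $_SESSION['last_activity'] = $now;
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage on every request:
startSecureSession();
if (($uid = currentUserId()) === null) {
    // show the login form; after a successful credential check call loginUser($id)
} else {
    // render the page for user $uid
}
```

The `user_id` never leaves the server, so there is nothing in the cookie to tamper with; the two timeouts are what give the session a bounded life even if the browser is never closed.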
0

IP can change, so it is not a good idea to use IP for "stay logged in". The best way is to use API keys in cookies. This way allows users to log in even when they change their IPs (like when they are connected to proxies). See the question below: "Keep Me Logged In" - the best approach

Mohsen Nemati
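The token-in-a-cookie approach that this answer and SaidbakR's comment both point at, as an added PHP example; it is not code from the question or from any of the answers. It differs from the comment's "hash of the username" idea in one essential way: the cookie carries a random secret that only the server can verify, so it cannot be computed by someone who merely knows a username, and it cannot be derived from the database column either, because only a hash of the secret is stored. Assumed: PHP 7.3 or later, HTTPS, a PDO connection in `$pdo`, and the `persistent_logins` table sketched in the comment at the top; the table, column, cookie and function names are mine.

```php
<?php
// Added example, not code from the question or any of the answers.
// "Remember me" with a random selector:validator token instead of the IP
// or a hash of the username. Assumed schema:
//   CREATE TABLE persistent_logins (
//     selector       CHAR(24) PRIMARY KEY,   -- public lookup key
//     validator_hash CHAR(64) NOT NULL,      -- sha256 hex of the secret part
//     user_id        INT      NOT NULL,
//     expires_at     DATETIME NOT NULL
//   );
// Assumed: PHP 7.3+, HTTPS, a PDO connection in $pdo.

declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_DAYS   = 30;

/** Issue a fresh token for $userId: store its hash, send the token as a cookie. */
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12)); // 24 hex chars, used for the DB lookup
    $validator = bin2hex(random_bytes(32)); // 64 hex chars, the actual secret
    $expires   = time() + REMEMBER_DAYS * 86400;

    $stmt = $pdo->prepare(
        'INSERT INTO persistent_logins (selector, validator_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    date('Y-m-d H:i:s', $expires)]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Validate the cookie. Returns the user id on success, null otherwise.
 * Every token is single-use and rotated on success, so a stolen copy that
 * is replayed later fails, and the legitimate user is logged out instead of
 * sharing the account silently.
 */
function userFromRememberCookie(PDO $pdo): ?int
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id, expires_at FROM persistent_logins WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // hash_equals: constant-time compare, so response timing leaks nothing
    // about how many characters of the validator were right.
    $ok = hash_equals($row['validator_hash'], hash('sha256', $validator))
        && strtotime($row['expires_at']) > time();

    // Remove the row in every case: used, expired, or presented with the
    // wrong validator (the selector is 96 random bits, so a mismatch means
    // someone holds a copy of the selector without the secret).
    $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);

    if (!$ok) {
        clearRememberCookie();
        return null;
    }

    $userId = (int) $row['user_id'];
    issueRememberToken($pdo, $userId); // rotate: a new token replaces the consumed one
    return $userId;
}

function clearRememberCookie(): void
{
    setcookie(REMEMBER_COOKIE, '', [
        'expires' => time() - 3600, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

/** Call on password change or "log out everywhere". */
function revokeAllRememberTokens(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM persistent_logins WHERE user_id = ?')->execute([$userId]);
}

// Usage on a request that arrives without a live session:
// if (($uid = userFromRememberCookie($pdo)) !== null) {
//     // start the normal server-side session for $uid here
//     // (session_regenerate_id(true); $_SESSION['user_id'] = $uid;)
// }
```

The selector is what makes the lookup cheap without putting the secret in a `WHERE` clause; the validator is what the attacker would need, and the database only ever holds its SHA-256. The IP address from the question plays no part, which is exactly why the login survives a change of network.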