Well,
In the past, when the client connected to the site, I kept it in $_SESSION.
Now, I want to add a "Remember Me" option with a cookie.
For security reasons, what should I put as the value of the cookie?
Thanks.
Short-term user authentication typically employs sessions, while long-term authentication relies on a long-lived cookie being stored on the user's browser. Users typically experience this feature as a checkbox labelled, "Remember me on this computer." Implementing a Remember Me feature without building a trivially exploitable backdoor requires a minor engineering feat.
Naive Solution: Just Store User Credentials in a Cookie
Any solution for long-term authentication that looks like remember_user=1337 is wide open for abuse. Since administrator accounts typically have low User IDs, remember_user=1 will almost certainly log you into a privileged user account.
Persistent Authentication Tokens
Another common strategy, much less susceptible to attack, is to just generate a unique token when a user checks the "Remember Me" box, store the unique token in a cookie, and have a database table that associates tokens with each user's account. There are a number of things that could still go wrong here, but it is unquestionably an improvement over the previous strategy.
For a deeper understanding, I strongly recommend this article: Implementing Secure User Authentication in PHP Applications with Long-Term Persistence.
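The token-table approach from the answer above, as an added example in PHP (not the answerer's code) that goes one step further: the cookie carries a random selector plus a random validator, and only the validator's hash is stored, so a leaked table cannot be replayed. It assumes a PDO connection $db, a table persistent_logins(selector, validator_hash, user_id, expires), and PHP 7.3+ for the setcookie options array.

```php
<?php
// Added example: "Remember Me" tokens split into a random selector (lookup key) and a
// random validator whose SHA-256 hash is stored. Assumed schema and connection:
// persistent_logins(selector, validator_hash, user_id, expires) and a PDO $db.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL = 30 * 24 * 3600; // 30 days

// Call after a successful password login when the box is checked.
function issueRememberToken(PDO $db, int $userId): void
{
    $selector = bin2hex(random_bytes(12));  // stored in clear, used for lookup
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires = time() + REMEMBER_TTL;
    $stmt = $db->prepare('INSERT INTO persistent_logins (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // A leaked table row alone cannot forge this cookie: the validator is not in it.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires' => $expires,
        'path' => '/',
        'secure' => true,   // HTTPS only
        'httponly' => true, // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call on requests with no live session. Returns the user id or null; a used
// token is always revoked and, on success, replaced, so a stolen cookie is single-use.
function checkRememberToken(PDO $db): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Single use: delete the row whether or not it verifies, so a wrong validator (possible theft) revokes it.
    $db->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
    // hash_equals gives a constant-time comparison of the stored and presented hashes.
    if ($row['expires'] < time() || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    issueRememberToken($db, (int) $row['user_id']); // rotate
    return (int) $row['user_id'];
}
```

On a successful check, start the session and call session_regenerate_id(true) before treating the user as logged in; on logout, delete the user's rows from persistent_logins and clear the cookie.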