0

I want to create a login form on my site. And if a user logs in, I want him to 1. stay logged in while he stays at my site, 2. stay logged in after closing the browser and restarting the computer.

What technologies can I use? I'm writing the site using PHP 5.2. Thanks!

ajreal

2 Answers

3

The basic idea behind a login form is verifying the credentials when the person logs in and setting a cookie to remember the credentials when a new page is loaded.

You can check out the setcookie method (http://us.php.net/setcookie) to learn how to set a cookie.

You could also look into sessions (http://us.php.net/manual/en/function.session-start.php) which is a way to store data server-side for a specific user.

The following article will give you a better idea of how to write a login form: http://www.devshed.com/c/a/PHP/Creating-a-Secure-PHP-Login-Script/

Edit: As John pointed out, there are many security concerns when adding a login to your page. You should be aware that cookies can be hijacked and sessions can be stolen.

A few tricks to prevent this:

  • Make sure there is no way for people to inject JavaScript into your page. For instance: http://ha.ckers.org/xss.html
  • You should use HTTPS connections on pages that require login as this will prevent cookie stealing over unprotected connections.
  • You might want to invalidate a cookie if the origin IP has changed in case a cookie is ever stolen.

Hope this helps,

  • Christian
Christian Joudrey
  • I'd like to see this answer updated with the security ramifications of using this functionality like hijacking cookies, etc. – John Conde Nov 27 '10 at 15:24
  • You should use https connections on *all* pages; the cookie can still be stolen easily after the initial login if you switch back to http. See http://codebutler.github.com/firesheep/ for an example firefox extension to do just that. – El Yobo Nov 28 '10 at 05:53
  • Also, you should store the absolute minimum in cookies; nothing related to security. So *don't* use setcookie as suggested by the OP; use the session approach instead, and only a unique session identifier will be stored in a cookie. – El Yobo Nov 28 '10 at 05:54
  • You then need to focus on protecting the cookie; set the httponly flag, ensure that session IDs are *only* transferred via cookies (not via URL), ensure that session cookies are *only* transferred over https, use session_regenerate_id() when a user is authenticated to prevent session fixation attacks. – El Yobo Nov 28 '10 at 05:58
  • You can also add some simple session hijacking detection by storing some of the request headers (like the HTTP_USER_AGENT and possibly the IP address) with the original request into the session. Compare all future requests with the original ones (or a hash of them) and if they don't match, require the user to reauthenticate. – El Yobo Nov 28 '10 at 05:59
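Putting the answer and the comments above together, here is an added example (not code from the answer, the linked article, or the OP) of a login page that keeps every piece of authentication state in the server-side session and only ever sends the browser an opaque session ID. The user table `$users` is constructed inline, and the function names `client_fingerprint`, `login`, `logout` and `current_user` are my own choices. It assumes `password_hash()`/`password_verify()` (PHP 5.5+, or the password_compat polyfill on the OP's PHP 5.2); every other call exists in PHP 5.2.

```php
<?php
// Added example, not code from the original answer: a minimal PHP login page that
// keeps all authentication state in the server-side session and applies the
// hardening from the comments above. Assumes PHP >= 5.5 for password_hash() and
// password_verify(); on PHP 5.2 the password_compat polyfill supplies them.
// Every other call below exists in PHP 5.2.

// Hardening must be configured before session_start() creates the cookie.
ini_set('session.use_only_cookies', 1);  // never accept a session ID from the URL
ini_set('session.use_trans_sid', 0);     // never append the session ID to links
ini_set('session.cookie_httponly', 1);   // cookie invisible to JavaScript (limits XSS theft)
ini_set('session.cookie_secure', 1);     // cookie only ever sent over HTTPS
ini_set('session.gc_maxlifetime', 1800); // server-side idle timeout: 30 minutes
// lifetime 0 = browser "session cookie": dropped on browser close; it holds only the ID
session_set_cookie_params(0, '/', '', true, true);
session_start();

// Constructed user table standing in for a database. In a real site the hash is
// computed once at registration and stored; it is computed here only so the
// example is self-contained.
$users = array(
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
);

// Something stable about the client, stored at login and re-checked on every
// request. The IP address is deliberately left out: mobile users and proxies
// change it legitimately and would be logged out constantly.
function client_fingerprint() {
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return hash('sha256', $ua);
}

function login($username, $password, array $users) {
    // password_verify() handles the salt stored inside the hash
    if (!isset($users[$username]) || !password_verify($password, $users[$username])) {
        return false;
    }
    session_regenerate_id(true);   // new ID after authentication: defeats session fixation
    $_SESSION['user'] = $username;
    $_SESSION['fingerprint'] = client_fingerprint();
    return true;
}

function logout() {
    $_SESSION = array();
    $p = session_get_cookie_params();
    // expire the cookie in the browser as well as destroying the server-side copy
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Returns the logged-in username, or null. A fingerprint mismatch is treated as
// a hijacked session: destroy it and make the user authenticate again.
function current_user() {
    if (!isset($_SESSION['user'], $_SESSION['fingerprint'])) {
        return null;
    }
    if ($_SESSION['fingerprint'] !== client_fingerprint()) {
        logout();
        return null;
    }
    return $_SESSION['user'];
}

$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (login($_POST['username'], $_POST['password'], $users)) {
        header('Location: /');   // redirect so a browser refresh does not resubmit the password
        exit;
    }
    $error = 'Invalid username or password.';   // one message for both cases: no user enumeration
}

$user = current_user();
if ($user !== null) {
    // escape everything echoed back into the page so injected script cannot run on it
    echo 'Logged in as ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
} else {
    if ($error !== '') {
        echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    echo '<form method="post" action="">'
       . '<input type="text" name="username"> '
       . '<input type="password" name="password"> '
       . '<input type="submit" value="Log in"></form>';
}
```

Because `session.cookie_secure` is on, the cookie is never sent over plain HTTP, so the whole site has to be served over HTTPS or the login will appear not to stick; that is the same point El Yobo makes about Firesheep. The `gc_maxlifetime` setting is also what actually ends a session: the browser dropping its cookie only loses the reference, as the comment on the other answer explains.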
-1

Sessions stay as long as the web browser is on. When it's closed, the session is terminated.

Cookies, on the other hand, stay as long as you tell them to.

You can read about these at http://www.php.net or http://www.tizag.com:

Sessions: http://www.tizag.com/phpT/phpsessions.php

Cookies: http://www.tizag.com/phpT/phpcookies.php

Crembo
  • Sorry, but you're just flat out wrong. Sessions are terminated after a specified timeout on the server, or if explicitly terminated on the server. If the client deletes the session cookie they may lose their reference to the session, which _sometimes_ happens (depending on settings) when the browser is closed, but even then the session is still live on the server, it's just the reference which is lost. – El Yobo Nov 28 '10 at 05:56
  • Well that's what it says in tizag.com, I guess they're wrong or just outdated then... – Crembo Nov 30 '10 at 05:44
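The OP's second requirement (staying logged in after a browser restart) is the one case where a long-lived cookie is needed, and the comment above gives the rule for doing it: the cookie carries nothing security-related, only a random token that the server looks up. Here is an added example (not code from either answer or the tizag pages) of such a "remember me" cookie. `$remember_tokens` is a constructed stand-in for a database table and would not persist between requests as written; the names `random_token`, `issue_remember_cookie`, `user_from_remember_token` and `revoke_remember_token` are my own. `openssl_random_pseudo_bytes()` needs PHP 5.3, so a `/dev/urandom` fallback is included for 5.2.

```php
<?php
// Added example, not code from either answer: a persistent "remember me" cookie
// that outlives the browser. The cookie holds only a random token, never the
// username or password; the server stores a hash of the token, so a leaked token
// table cannot be replayed as cookies. $remember_tokens is a constructed stand-in
// for a database table: replace its reads and writes with queries.

define('REMEMBER_COOKIE', 'remember');
define('REMEMBER_TTL', 30 * 24 * 3600);   // 30 days, applied to both cookie and server record

// token_hash => array('user' => ..., 'expires' => ...)
$remember_tokens = array();

function random_token() {
    if (function_exists('openssl_random_pseudo_bytes')) {   // PHP 5.3+
        return bin2hex(openssl_random_pseudo_bytes(32));
    }
    $f = fopen('/dev/urandom', 'rb');   // rand()/uniqid() are predictable: never use them for tokens
    $bytes = fread($f, 32);
    fclose($f);
    return bin2hex($bytes);
}

// Hand the browser a fresh token and record only its hash server-side.
function issue_remember_cookie($username, array &$tokens) {
    $token = random_token();
    $tokens[hash('sha256', $token)] = array('user' => $username, 'expires' => time() + REMEMBER_TTL);
    // an expiry in the future is what makes this cookie persistent; secure + httponly as for the session
    setcookie(REMEMBER_COOKIE, $token, time() + REMEMBER_TTL, '/', '', true, true);
    return $token;
}

// Look the presented token up; returns the username or null.
function user_from_remember_token($token, array &$tokens) {
    if (!is_string($token) || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                           // malformed: do not even hash it
    }
    $key = hash('sha256', $token);
    if (!isset($tokens[$key])) {
        return null;
    }
    if ($tokens[$key]['expires'] < time()) {
        unset($tokens[$key]);                  // expired server-side, whatever the browser kept
        return null;
    }
    return $tokens[$key]['user'];
}

function revoke_remember_token($token, array &$tokens) {
    unset($tokens[hash('sha256', $token)]);
}

// Per request: a live session wins; otherwise try to resume from the cookie.
ini_set('session.use_only_cookies', 1);
session_set_cookie_params(0, '/', '', true, true);   // the session cookie itself stays non-persistent
session_start();

if (!isset($_SESSION['user']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $presented = $_COOKIE[REMEMBER_COOKIE];
    $user = user_from_remember_token($presented, $remember_tokens);
    if ($user !== null) {
        session_regenerate_id(true);
        $_SESSION['user'] = $user;
        // rotate: each token is single-use, so a copied cookie works at most once, and
        // the legitimate user's next visit then fails, which makes the theft visible
        revoke_remember_token($presented, $remember_tokens);
        issue_remember_cookie($user, $remember_tokens);
    } else {
        // stale or forged: clear it from the browser
        setcookie(REMEMBER_COOKIE, '', time() - 3600, '/', '', true, true);
    }
}
```

Call `issue_remember_cookie()` right after a successful password login when the user ticked a "remember me" box, and `revoke_remember_token()` plus the cookie-clearing `setcookie()` on logout. The server-side expiry check is the real control: the cookie's own expiry is advisory, since anyone holding a copied cookie can present it after the browser would have discarded it.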