12

I have a login system in place for my website. The details of the user which are stored in the database are userid (unique for every user and the identifier), email address (unique), display name (not unique), password and membersince.
Now what should I store in the cookies? I was thinking about storing just the userid in the cookie with an expiration date and then, if the user revisits my website after signing up, check for the cookie and log him in (which kind of doesn't look right to me) and destroy the cookie if he decides to log out.
A little explanation would also be very helpful. Thanks

halocursed

4 Answers

13

You can only ever store the userid in a cookie if you sign it with a secret key that only your application knows. Otherwise it's possible for the user to change the cookie to anything and log in as somebody else. So, if you want to store the userid, store also a hash of the user id with the secret key (ideally using HMAC) and when you want to log them in, calculate the same hash and compare it to the hash from the cookie. Another solution is to generate a random token, store it in the database and use that in the cookie. If it's long and random enough, there is very little chance somebody would guess another person's token.

Lukáš Lalinský
  • Thank you! But what do you mean "user id with the secret key"? If I am a bad guy and I steal the whole cookie, and get this hash string to pretend I am the user logged in, can the server know I am the wrong person? – JaskeyLam Nov 19 '14 at 11:09
  • The point of the secret key is to make sure you can't "login" as any user you want just by setting the cookie. Without knowing the secret key, you have no way to construct the cookie. If you steal the whole cookie for an existing user, you can of course login as that user. There are a few things you can do to prevent that: 1) make the cookie expire after some time (encode a timestamp into the cookie), 2) make the cookie specific to a certain IP address (again, encode the IP address in the cookie), 3) make it specific to a certain user-agent string (this can be easily faked though) – Lukáš Lalinský Nov 19 '14 at 18:39
  • http://stackoverflow.com/a/477578/2224584 - There's actually a little bit more to it than that. See also: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2 – Scott Arciszewski Jun 09 '15 at 22:05
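Both approaches from this answer as an added, runnable example (not the answer author's code, and in Python rather than PHP): an HMAC-signed `userid:expires:tag` cookie with the expiry timestamp suggested in the comments, and the alternative of a random token kept server-side. `SECRET_KEY`, `COOKIE_TTL` and the in-memory `token_db` are constructed stand-ins for real configuration and a real database table.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example secret; a real application loads this from configuration.
SECRET_KEY = b"constructed-example-secret-do-not-reuse"
COOKIE_TTL = 14 * 24 * 3600  # remember the user for 14 days

def _tag(payload: bytes) -> str:
    # HMAC-SHA256 over the payload; only a holder of SECRET_KEY can produce it.
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def make_cookie(user_id: int, now=None) -> str:
    """Return 'userid:expires:tag'; the tag covers both userid and expires."""
    now = int(time.time()) if now is None else now
    payload = f"{user_id}:{now + COOKIE_TTL}".encode()
    return f"{payload.decode()}:{_tag(payload)}"

def verify_cookie(cookie: str, now=None):
    """Return the user id if the cookie is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(":")
    if len(parts) != 3 or not parts[0].isdigit() or not parts[1].isdigit():
        return None
    user_id, expires, tag = parts
    # Check the signature first, in constant time, before trusting any field.
    if not hmac.compare_digest(_tag(f"{user_id}:{expires}".encode()), tag):
        return None
    if int(expires) < now:
        return None
    return int(user_id)

# Alternative: random token in the cookie, looked up server-side.
token_db = {}  # constructed stand-in: sha256(token) -> (user_id, expires)

def issue_token(user_id: int, now=None) -> str:
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    # Store only a hash so a leaked table does not hand out usable cookies.
    token_db[hashlib.sha256(token.encode()).hexdigest()] = (user_id, now + COOKIE_TTL)
    return token

def lookup_token(token: str, now=None):
    now = int(time.time()) if now is None else now
    entry = token_db.get(hashlib.sha256(token.encode()).hexdigest())
    if entry is None or entry[1] < now:
        return None
    return entry[0]
```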
1

PHP has built-in session management that does exactly what you're looking for:

http://us.php.net/manual/en/book.session.php

I wouldn't recommend storing the user_id in the cookie. Instead, you can generate a unique token and associate the token with users in your database, and check & regenerate the token on each request. Again, this is a bit redundant, because session management is already built into PHP.

leepowers
0

PHP's $_SESSION does this for you. You can even write your own session class if you like full control.

A small tutorial is found here: http://www.tizag.com/phpT/phpsessions.php

Here is a small example to use mysql to store sessions instead of php default (files in /tmp): http://www.hawkee.com/snippet/2018/

jonaz
-2

Simply set the cookie expiry to 2 days, or the number of days you want to remember the user, and save the cookie.

Hemanshu Bhojak