I'm having a little thought about how to make a good login procedure.
What I'm trying to achieve is that there'll be a login page with a "Remember me" check box. About the security issues, I'm well aware of them, and of how to make it secure, after reading these good posts:
The definitive guide to form-based website authentication
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence
Now, if the "Remember me" check box remains unchecked, I don't want it to create a cookie with a token, and of course I won't save anything in the database.
BUT, if it's unchecked, what should I do next? How do I validate properly & securely that the user is logged in?
I'm using the CodeIgniter framework, and it has the ability to store the session in the database, in a ci_session table for example, automatically and validate by those session keys.
So my thought was to store a new field named login_key in the users database which will contain a hashed login_key that'll also be in the session itself, including the 'user_id' of the user.
BUT, on second thought, what will happen if multiple devices try to log in to the same user? It'll just disconnect the first device that got connected.
And I want to be able to log in to the same user from multiple devices.
What's the best way it can be achieved? Another table in the database of login_keys, or is there a way to integrate it somehow with the ci_sessions table?
Thanks!
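The "another table of login keys" option from the question, sketched as an added example that is not the poster's code and not CodeIgniter's session library: one row per device, so a second login never evicts the first, and each device can be revoked on its own. Table and column names, the 30-day lifetime and the in-memory SQLite database are assumptions for the demo.

```python
# Added example: per-device server-side sessions. The raw token exists only in
# the client's cookie; the database stores its SHA-256 hash plus an expiry, so a
# leaked table does not hand out live sessions. Schema and TTL are assumed.
import hashlib
import secrets
import sqlite3
import time

SESSION_TTL = 30 * 24 * 3600  # assumed 30-day lifetime per device

db = sqlite3.connect(":memory:")  # constructed stand-in for the app database
db.execute(
    """CREATE TABLE login_sessions (
         token_hash TEXT PRIMARY KEY,   -- sha256 of the cookie value
         user_id    INTEGER NOT NULL,
         created_at INTEGER NOT NULL,
         expires_at INTEGER NOT NULL,
         user_agent TEXT)"""
)

def _hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def create_session(user_id, user_agent="", now=None):
    """Issue a fresh random token for one device; return the cookie value."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    db.execute("INSERT INTO login_sessions VALUES (?, ?, ?, ?, ?)",
               (_hash(token), user_id, now, now + SESSION_TTL, user_agent))
    return token

def validate_session(token, now=None):
    """Return the user_id the cookie belongs to, or None if unknown or expired."""
    now = int(time.time()) if now is None else now
    row = db.execute("SELECT user_id, expires_at FROM login_sessions "
                     "WHERE token_hash = ?", (_hash(token),)).fetchone()
    if row is None or row[1] <= now:
        return None
    return row[0]

def revoke_session(token):
    """Log out a single device without touching the user's other devices."""
    db.execute("DELETE FROM login_sessions WHERE token_hash = ?", (_hash(token),))

def revoke_all_sessions(user_id):
    """Log out every device, e.g. after a password change; returns rows removed."""
    return db.execute("DELETE FROM login_sessions WHERE user_id = ?", (user_id,)).rowcount

def active_sessions(user_id):
    return db.execute("SELECT COUNT(*) FROM login_sessions WHERE user_id = ?",
                      (user_id,)).fetchone()[0]
```

The same idea works with CodeIgniter's database session driver: the session id in the cookie is already the per-device key, so multiple devices simply get multiple ci_sessions rows, and user_id stored in each session row is what you check on every request.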