
I'm having a little thought about how to make a good login procedure.

What I'm trying to achieve is a login page with a 'Remember me' check box. I'm well aware of the security issues and how to make it secure, after reading these good posts:

The definitive guide to form-based website authentication

https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence

Now, if the 'Remember me' check box remains unchecked, I don't want it to create a cookie with a token, and of course I won't save anything in the database.

BUT, if it's unchecked, what should I do next? How do I properly and securely validate that the user is logged in?

I'm using the CodeIgniter framework, and it has the ability to store the session in the database, in a ci_session table for example, automatically, and validate it by those session keys.

So my thought was to store a new field named login_key in the users database, which will contain a hashed login_key that'll also be in the session itself, along with the 'user_id' of the user. BUT, on second thought, what will happen if multiple devices try to log in as the same user? It'll just disconnect the first device that connected. And I want to be able to log in to the same user from multiple devices.

What's the best way this can be achieved? Another table of login_keys in the database, or is there a way to integrate it somehow with the ci_sessions table?

Thanks!

NeoTrix
  • Create a `remember_token` table, with a `user_id` field. If the user checks the checkbox, create a token in your table, and set a cookie with that hash. If the user comes back to your site, you can check if the cookie exists and has a valid, not expired token for it in your db. You can store multiple tokens in this table, so multiple devices can be saved. When the user logs out, simply delete the cookie and the token, and then delete the session. – Iamzozo Oct 05 '15 at 14:50
  • @Iamzozo, hi, well as already explained I don't have any problems with the 'remember me' logic and procedure. What I understand less is how I can securely store and later validate the session itself when I don't use the 'remember me' check box. Thanks for the reply anyway ;) – NeoTrix Oct 05 '15 at 17:40
  • You just need to use [PHP sessions](https://paragonie.com/blog/2015/04/fast-track-safe-and-secure-php-sessions). Basically, `session_start()` then use the `$_SESSION` array for authenticating the user for only this session. – Scott Arciszewski Oct 08 '15 at 19:04
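One way to do what Scott's comment describes, as an added example that is not from the question, the comments or CodeIgniter itself: a plain PHP session login where the server-side session, not a `login_key` column, is the proof of being logged in. The `users` table columns (`id`, `email`, `password_hash`) and the PDO handle are assumptions.

```php
<?php
// Added example (not from the question or CodeIgniter): server-side PHP
// sessions without any login_key column. Every device gets its own session
// id, so several devices can be logged in to one account at the same time.
declare(strict_types=1);

session_set_cookie_params([
    'lifetime' => 0,       // session cookie only, gone when the browser closes
    'httponly' => true,    // not readable from JavaScript
    'secure'   => true,    // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/** Stand-in for the CodeIgniter user model (hypothetical table layout). */
function find_user_by_email(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Check credentials and bind the user to THIS session only. */
function login(PDO $db, string $email, string $password): bool
{
    $user = find_user_by_email($db, $email);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Fresh session id after login: the id issued before login is discarded
    // (session fixation), and other devices' sessions are not touched.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

/** The "is this request logged in?" check: the session itself is the proof. */
function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

/** Logs out this device only; sessions on other devices stay valid. */
function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/', '', true, true);
    session_destroy();
}
```

A remember-me token would be issued in `login()` only when the check box was set, and stored in its own table as Iamzozo's comment describes; the session code above stays the same either way.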

0 Answers