Re: Making a remember me function using php and mysql
Quote: Originally Posted by timebomb
VibeTribe: You should be checking the user's Remember Me status only if they are logged out. If everything passes, you should log them in without them being none the wiser that they were initially logged out.
how many times again, this is what i said. -.-
if u check for cookies if the check of session fails, it's already in logged out status.
btw, it's fine to store a salted md5 hashed password, if it's a strong salt.
@s-p-n thx for such infos, but i have nothing to do with php anymore, but the point i dislike is, to keep sessions on the server for non active users for every time. and if u restart your webservice (no matter what service u use, like apache or IIS), u get the problem every user must login manually again, i rather use the "check session, then check cookies and write session if successful" procedure.
Re: Making a remember me function using php and mysql
Quote: Originally Posted by VibeTribe
how many times again, this is what i said. -.-
if u check for cookies if the check of session fails, it's already in logged out status.
btw, it's fine to store a salted md5 hashed password, if it's a strong salt.
@s-p-n thx for such infos, but i have nothing to do with php anymore, but the point i dislike is, to keep sessions on the server for non active users for every time. and if u restart your webservice (no matter what service u use, like apache or IIS), u get the problem every user must login manually again, i rather use the "check session, then check cookies and write session if successful" procedure.
You don't check the remember me cookie if the session data fails, you check for the remember me cookie if no login data in the session exists.
Storing a hash in a cookie is pointless as you can't decrypt the hash from the server, which is what you'd need to do if you store the password in a cookie.
In regards to what s-p-n said, you can use a custom session save manager to, for example, save sessions to file (which is done by default), a key/value store, a database, or whatever else you may choose. Thus you wouldn't have to use cookies and the session data, i.e. including the remember me data, could potentially still be there thanks to the custom session save manager. This is more secure than using cookies.
Re: Making a remember me function using php and mysql
Quote: Originally Posted by timebomb
You don't check the remember me cookie if the session data fails, you check for the remember me cookie if no login data in the session exists.
Storing a hash in a cookie is pointless as you can't decrypt the hash from the server, which is what you'd need to do if you store the password in a cookie.
In regards to what s-p-n said, you can use a custom session save manager to, for example, save sessions to file (which is done by default), a key/value store, a database, or whatever else you may choose. Thus you wouldn't have to use cookies and the session data, i.e. including the remember me data, could potentially still be there thanks to the custom session save manager. This is more secure than using cookies.
i didn't say "exists" i said "check" ("found" and "correct"), this includes existing and validating ofc.
also i never said to store a hash in a cookie lol.
however, thx for pointing out the session manager.
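
The "check session, then check cookies and write session if successful" flow discussed in this thread, as an added example that is not part of any post: the cookie holds a random single-use token instead of anything derived from the password. The `$store` array stands in for a MySQL table, and the names `issueToken`, `resolveUser`, `remember` and `new_cookie` are assumptions made for this sketch.

```php
<?php
// Added example. $store stands in for a MySQL table
// remember_tokens(selector, validator_hash, user_id, expires); all names are hypothetical.

function issueToken(array &$store, int $userId, int $ttl = 1209600): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret half, stored only as a hash
    $store[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user_id' => $userId,
        'expires' => time() + $ttl,
    ];
    // Cookie value. It contains no password and no password hash.
    return $selector . ':' . $validator;
}

function resolveUser(array &$session, array $cookies, array &$store): ?array
{
    // 1. Login data already in the session: the cookie is not consulted.
    if (isset($session['user_id'])) {
        return ['user_id' => $session['user_id'], 'new_cookie' => null];
    }
    // 2. No login data in the session: look for the remember-me cookie.
    $raw = $cookies['remember'] ?? '';
    $parts = is_string($raw) ? explode(':', $raw, 2) : [];
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);                // single use, also on a failed match
    $ok = $row['expires'] >= time()
        && hash_equals($row['hash'], hash('sha256', $parts[1]));
    if (!$ok) {
        return null;
    }
    // 3. Write the session and rotate the token. A real page would also call
    //    session_regenerate_id(true) and send new_cookie with HttpOnly and Secure set.
    $session['user_id'] = $row['user_id'];
    return ['user_id' => $row['user_id'], 'new_cookie' => issueToken($store, $row['user_id'])];
}

// Constructed demo: user 42 returns after the server-side session was lost.
$store = []; $session = [];
$cookie = issueToken($store, 42);
$first = resolveUser($session, ['remember' => $cookie], $store);
$session = [];                               // session lost again, old cookie replayed
$replay = resolveUser($session, ['remember' => $cookie], $store);
var_dump($first['user_id'], $replay);
```

Because each token is deleted on first use and replaced, a copied cookie stops working as soon as the legitimate browser (or the thief) has used it once, and a leaked token table yields only SHA-256 hashes of random values.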