how to create a secure php login system, allowing for “keep me logged in” functionality?
https://stackoverflow.com/questions/1929340
-
20-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I use a simple login system based on SESSION vars. Once the user logs in, a session var is set that tells my script the user is to be accepted in. I don't use any custom clientside cookie var.
I would like to offer the option on the login screen that says "keep me loggued in the whole day". How does one do that in a secure way?
Solution
First: Configure the session.cookie_lifetime directive, either in php.ini, configuration files, or via session_set_cookie_params().
Next, store the username and the hash value of the password in the session, and validate that login on every page. As long as it's still valid, they get to stay logged in.
The session cookie's natural expiration should generally keep things tidy, as you won't have anyone getting logged out in the middle of their session (if the stars aligned for it, of course) if they keep it active. Failing that, though, I'd consider eCartoth's solution a close second, as you could just add a second line to the if statement:
if (my_validate_user_function($_SESSION['username'],$_SESSION['passhash'])
&& $_SESSION['deathstamp'] > time()
) {
// user is logged in again, oh boy!
}
else {
// send in the death robots
header('Location: /login.php',true,302);
}
EDIT: One thing you might want to consider is session fixation and/or session hijacking. In order to prevent that, I'd recommend one (or both) of two solutions:
- store the user's IP address in the session
- use
session_regenerate_id()after every successful login attempt.
OTHER TIPS
When you say "keep me logged in the whole day", I'm assuming you mean on that specific machine only, correct? You could use a mysql table to remember 'time of login', or a timestamp of when that login will no longer be valid if they choose to keep themselves logged in all day. Then add some script to the beginning of your code that retrieves the id of that user from the session vars. Compare the current timestamp of that user against the stored 'last valid ts' and if it's past that time, you know they should be logged out, at which point you wipe the session and force the user to log in again. This method means they won't actually be logged out until they try and do something past that point, but it will seem like it to them. Also, rather than using a mysql DB you could also store that last valid TS in a session variable as well.
So for example when the user first logs in with "keep me logged in all day selected":
$_SESSION['log_me_out_at'] = strtotime(date("Y-m-d ")."23:59:59");
Then each time a page is accessed in your system:
if( $_SESSION['log_me_out_at'] < time() ){
unset($_SESSION['user_is_accepted_in']);
}
One option could be to set up a MySQL table that saves session variables and associates them with IP addresses and an expiration, but I'm not sure of all the details on how that would be implemented.
The simplest (though not recommended) way to do what you're looking for would be to set a $_COOKIE with the username and password on the computer, which your site will then check for when the user signs on.
For added security, you would be better served to save just one cookie as a salted MD5 hash of the user's data in order to provide a potential hacker less information about the user's account data. The duration can be set when you set the cookie; php.net has reasonably complete documentation on how to do that.
