What I have set up, and it is working, is a cookie that saves someone's username if they check the "Remember Me" box. If the cookie is set it then starts the necessary session and stays active for 30 days. Are there any pitfalls to this that you can see? Are there any additional security measures I should take? As far as passwords are concerned you must have access to the user's specific email address in order to obtain that information, but then again I think that is the only way to relay password information at all; it isn't visibly available in a non-MD5 form anywhere on the site. What else should I be worried about as far as security is concerned with Sessions and Cookies?

"Richard Lynch" <ceo@xxxxxxxxx> wrote in message news:1388.66.99.91.45.1102097739.squirrel@xxxxxxxxxxxxxxxx
> Brad Brevet wrote:
> > Hey all, I have a log-in all set up on my site using PHP Sessions but I
> > want to add the Remember Me function, but I don't know what to set in the
> > cookie to make it that way. Please help. :)
>
> You have several options.
>
> One is to do the http://php.net/session_start, and then, if they asked to
> be remembered, to do another http://php.net/setcookie with the
> http://php.net/session_name, http://php.net/session_id, time() +
> 60*60*24*365*2, '/' as arguments. Don't go over 2 years, as browsers are
> not required to support that. Kinda overkill anyway, as who is going to
> wait two years to login and expect to be remembered?
>
> Another option would be to set cookies with their username and password in
> them, and to not ask them to login if those cookies are there. But that's
> risky in that you are storing their password in their cookies, which
> anybody else with physical access to their computer can not only get into
> your site, but can get their password in clear-text, and, most likely,
> they've used that password elsewhere, so now they can break into all that
> user's accounts all over the place. So this is not a *GOOD* option, even
> if it's technically possible.
>
> Another possibility is to create an http://php.net/md5 hash of a random
> http://php.net/microtime number and store *that* in their cookies much
> like the first option -- and store that same md5 hash with their username
> in a new table in your database. The only real difference between this
> and the first option is separating out your "remember me" cookie from the
> built-in PHP Session ID. Pros and cons either way.
>
> --
> Like Music?
> http://l-i-e.com/artists.htm
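The following is an added example, not code posted by Brad or Richard, showing the third option from the quoted reply (a random token in the cookie, matched against a record in a separate table) in the form a reviewer would want today. It uses `random_bytes` rather than an MD5 of `microtime`, since `microtime` is guessable and the token is the credential; it stores only a hash of the token server-side so a copied table does not yield working cookies; it marks the cookie `Secure` and `HttpOnly`; and it makes each token single use, which turns a stolen-and-replayed cookie into a visible logout for the real user. It assumes PHP 7.3 or later and the `pdo_sqlite` extension (an in-memory database stands in for the "new table"); the table and cookie names, the 30-day lifetime, and the username `brad` are my own constructed values.

```php
<?php
// Added example, not code from the thread: a "remember me" token in the spirit
// of Richard Lynch's third option (random token in the cookie, matching record
// in a database table), with the hardening a reviewer would ask for today.
// Assumes PHP 7.3+ (random_bytes, hash_equals, the setcookie options array)
// and the pdo_sqlite extension; table and cookie names are my own choices.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days, as in Brad's setup

function open_store(): PDO
{
    // In-memory SQLite stands in for the "new table in your database".
    $pdo = new PDO('sqlite::memory:', null, null,
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        username       TEXT NOT NULL,
        expires        INTEGER NOT NULL)');
    return $pdo;
}

// The cookie carries "selector:validator". The table stores the selector (for
// lookup) and only a SHA-256 of the validator, so a copied table cannot be
// turned back into a working cookie. Nothing derived from the password is
// ever written to the cookie.
function issue_remember_token(PDO $pdo, string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(12)); // 24 hex chars
    $validator = bin2hex(random_bytes(32)); // 64 hex chars
    $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, username, expires)
                   VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $username, $now + REMEMBER_TTL]);
    $cookie = $selector . ':' . $validator;
    if (!headers_sent()) {
        setcookie(REMEMBER_COOKIE, $cookie, [
            'expires'  => $now + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,  // HTTPS only
            'httponly' => true,  // not readable by page scripts
            'samesite' => 'Lax',
        ]);
    }
    return $cookie;
}

// Returns the username if the cookie is valid, null otherwise. The token is
// single use: a successful check deletes it, and the caller should start the
// session and issue a fresh one. A known selector with a wrong validator is
// treated as a stolen or tampered cookie and the record is deleted as well.
function validate_remember_token(PDO $pdo, string $cookie, int $now): ?string
{
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $stmt = $pdo->prepare('SELECT validator_hash, username, expires
                           FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    $fresh   = (int) $row['expires'] >= $now;
    $matches = hash_equals($row['validator_hash'], hash('sha256', $validator)); // constant time
    return ($fresh && $matches) ? $row['username'] : null;
}

// Call on logout and on password change so old cookies stop working everywhere.
function revoke_all_tokens(PDO $pdo, string $username): void
{
    $pdo->prepare('DELETE FROM remember_tokens WHERE username = ?')->execute([$username]);
}

// Walk-through with constructed values; throws if any check fails.
$pdo = open_store();
$now = time();

$cookie = issue_remember_token($pdo, 'brad', $now);
if (validate_remember_token($pdo, $cookie, $now) !== 'brad') {
    throw new RuntimeException('fresh token should validate');
}
if (validate_remember_token($pdo, $cookie, $now) !== null) {
    throw new RuntimeException('token must not be reusable');
}

$cookie = issue_remember_token($pdo, 'brad', $now);
if (validate_remember_token($pdo, $cookie, $now + REMEMBER_TTL + 1) !== null) {
    throw new RuntimeException('expired token should be rejected');
}

$cookie   = issue_remember_token($pdo, 'brad', $now);
$tampered = substr($cookie, 0, 25) . str_repeat('0', 64); // keep selector, forge validator
if (validate_remember_token($pdo, $tampered, $now) !== null
    || validate_remember_token($pdo, $cookie, $now) !== null) {
    throw new RuntimeException('tampered cookie must invalidate the record');
}

revoke_all_tokens($pdo, 'brad');
echo "remember-me token checks passed\n";
```

Two design points worth noting for Brad's question about pitfalls: the database lookup is by selector only, and the validator comparison uses `hash_equals`, so neither the query nor the comparison leaks timing information about the secret part; and because the cookie is separate from the PHP session id, a remembered visitor still gets a new session started (with `session_regenerate_id`) after the token is accepted, so a long-lived cookie never doubles as a long-lived session.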