On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke <lists@xxxxxxx> wrote:
> alekto wrote:
>
>> Hi,
>> I have implemented a "remember me" feature in my login script, but I can't
>> get it to function!
>>
>
> If I might be so bold... then you haven't implemented the feature yet,
> right? ;-)
>
>> I want to make it possible for the users to stay logged in for 30 days.
>> This is what I got so far:
>>
>
> You have a logic problem... If I were you, I would write it out more
> simplistically first... something like:
>
>     if session cookie
>         keep logged in
>     else, if remember me
>         if verifiable
>             set session cookie and redirect
>
> Of course, that is not an example of exact logic to use, and is just a
> method example of how you can solve your problem. As others have suggested,
> I would first start reading about ob_start, ob_end_clean (which
> works well before a header redirect), and ob_end_flush.
>
> I agree about only needing to store the user ID in your cookies (session
> and rememberme) (hashed perhaps), and not the password.
>
> My last comment would be a kind request to strip out all unnecessary HTML
> etc. when posting questions to the list. I usually would not take the time
> to look through a mess like that. ;-)
>
> Donovan
>
> --
> D Brooke
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>

I'm going to play the third side of this thread and ask if anyone other than me sees any clear security issues with code like that. Even if username and password were taken out of the cookie, and it was hashed in the DB, there is still a security issue with thinking this way, which in today's world should not be an overlooked practice. And I mean I see that the person here is a newbie, the code looks pretty bad, but I think it's worth mentioning that looking at best security practices for the situation is as trivial as figuring out your classes and methods.

Knowing how to prevent people like, well, even me, from running SQL scripts from your website via forms, or stealing user sessions, is essential in today's web world... You're writing some client-facing code; maybe you should look at how to write it and keep the client secure? You could at least add session and request tokens to make the persistent sessions at least a bit more secure; that's of course on top of hashing passwords (with a salt), and not storing user names and passwords in the cookie. Also, escaping doesn't work; if you don't believe me, listen to the keynote that Dan Kaminsky gave at the last HOPE conference, he gives a good overview of why... Please either use parameterized queries, or the awesome hack that is base 64; don't assume that just because the function is called mysql_real_escape_string, that it actually knows what it is doing; Unicode is a powerful weapon in the wrong hands! Also use === for string comparison, as 42 == "test"!

~Alex

--
The trouble with programmers is that you can never tell what a programmer is doing until it's too late. ~Seymour Cray
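As an added example (not code from anyone in this thread), here is the remember-me pattern the replies converge on: the cookie carries a random token rather than a username or password, the database holds only a hash of the token's secret half, lookups go through PDO prepared statements instead of escaping, and the comparison is strict and constant-time. It assumes an open PDO connection and a table named remember_tokens with columns selector, validator_hash, user_id and expires; those names are assumptions, not anything from the original code.

```php
<?php
// Added example, not code from the thread. Assumes an open PDO connection $pdo and a
// table remember_tokens(selector, validator_hash, user_id, expires); names are assumptions.
const REMEMBER_DAYS = 30;

// Call after a successful password login when "remember me" is ticked.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires   = new DateTimeImmutable('+' . REMEMBER_DAYS . ' days');

    // Parameterized query: no string escaping of user-influenced values.
    $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                           VALUES (:sel, :vh, :uid, :exp)');
    $stmt->execute([
        ':sel' => $selector,
        ':vh'  => hash('sha256', $validator),
        ':uid' => $userId,
        ':exp' => $expires->format('Y-m-d H:i:s'),
    ]);

    // The cookie holds no username or password, only selector:validator.
    setcookie('remember', "$selector:$validator", [
        'expires'  => $expires->getTimestamp(),
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call on a request that has no session but does have a remember cookie.
// Returns the user id when the token verifies, otherwise null.
function userFromRememberCookie(PDO $pdo, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }   // malformed cookie
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM remember_tokens
                           WHERE selector = :sel AND expires > NOW()');
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }        // unknown or expired selector

    // Constant-time comparison of the stored hash; no == type juggling.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}
```

Because the database never sees the validator in clear, a leaked table does not let anyone forge the cookie, and a stolen cookie can be revoked by deleting its selector row.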