  1. #1
    Regular Coder sonny's Avatar
    Join Date
    Apr 2008
    United States
    Thanked 0 Times in 0 Posts

    form cookie option


    I would like to offer a cookie option on a login form to stay
    logged in when they come back. I currently just use a session
    after the validation. Works fine but deletes when they close the

    How would I offer a cookie option? Should I pass a post value like
    cookie=1 etc. and then do an if condition after validation based on

    Can someone give advice on the best method to do something like


  2. #2
    Regular Coder patryk's Avatar
    Join Date
    Oct 2012
    Thanked 64 Times in 64 Posts
    I would probably store the hashed password in a cookie, and then if that cookie exists and contains the proper hash, I would log them in automatically.
    Just give them the option to do it and use something better than md5 (crypt should do the trick if you won't store the salt in the cookie).

    Actually, even if you stored just the username's hash without the salt and kept the salt safe on the server, that should be relatively safe. As long as the client doesn't know the salt, it's almost impossible to fake the hash.
    Last edited by patryk; 04-19-2013 at 02:08 AM.

    "Real Programmers can write assembly code in any language" - Larry Wall

  3. #3
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Denver, Colorado USA
    Thanked 506 Times in 494 Posts
    You would add a 'remember me' checkbox to your login form. At the point in your login code where the user has successfully logged in, you would test if your 'remember me' checkbox form field has been checked.

    You would then generate a unique token to store in the remember me cookie and also store this in your user table (you would need to add a column specifically to hold the token value.)

    You should not generate the value you store in the cookie from any of the user information because that value will be static for any user and if someone gets a hold of that value they will be able to use it to login until the original user value it is generated from is changed. Would you want to require your users to change their password or username or to regenerate a new salt string just to stop someone who has gotten a hold of someone else's 'remember me' cookie value?

    By generating a unique token, that is not a fixed value for any user, it can be regenerated at any time and you make it harder for the bad guys. Also, by generating it and storing it in a field in the database table, you can clear it in that table when someone logs out or to disable a value where it is known that the value has been gotten a hold of by someone else.

    You would change your 'page protection' logic so that if the 'logged in session' value is not set, you get the user's id using the 'remember me' cookie value and set the logged in session value the same as if the user had just successfully logged in.
    Finding out HOW to do something is called research, i.e. keep searching until you find the answer. After you attempt to do something and cannot solve a problem with it yourself, would be when you ask others for help.
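
The token lifecycle described in post #3 (issue on login, look up when no session exists, clear on logout or compromise), as an added example that is not code from any poster in this thread. It goes slightly beyond the post by storing only a SHA-256 digest of the token and rotating the token on each use; the table layout, column name `remember_token` and function names are assumptions made for illustration.

```python
import hashlib
import secrets
import sqlite3

def _digest(token):
    # Only a digest is stored, so a leaked user table does not yield usable cookies
    return hashlib.sha256(token.encode()).hexdigest()

def make_db():
    # Constructed in-memory user table with the extra token column the post calls for
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, remember_token TEXT)")
    db.execute("INSERT INTO users (name) VALUES ('alice')")  # constructed sample user
    return db

def issue_token(db, user_id):
    """Call after a successful login with 'remember me' checked; returns the cookie value."""
    token = secrets.token_urlsafe(32)  # random, not derived from username, password or salt
    db.execute("UPDATE users SET remember_token = ? WHERE id = ?", (_digest(token), user_id))
    return token

def user_from_cookie(db, cookie_value):
    """Page-protection fallback when no logged-in session value is set.
    Returns (user_id, replacement_cookie_value) or None."""
    if not cookie_value:
        return None
    row = db.execute("SELECT id FROM users WHERE remember_token = ?",
                     (_digest(cookie_value),)).fetchone()
    if row is None:
        return None
    # Rotate on use: the old cookie value is dead once the replacement is issued
    return row[0], issue_token(db, row[0])

def clear_token(db, user_id):
    """Logout, or revocation when a cookie value is known to have been taken."""
    db.execute("UPDATE users SET remember_token = NULL WHERE id = ?", (user_id,))

if __name__ == "__main__":
    db = make_db()
    cookie = issue_token(db, 1)
    uid, cookie2 = user_from_cookie(db, cookie)
    print("auto-login as user", uid)
    print("old cookie still valid:", user_from_cookie(db, cookie) is not None)
    clear_token(db, 1)
    print("valid after logout:", user_from_cookie(db, cookie2) is not None)
```

The returned value is what goes in the cookie; send it with the `HttpOnly` and `Secure` attributes so scripts and plain-HTTP requests cannot read it.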

