remember me login script
Trying to make a secure 'remember me' login script.
The site I want to use it on doesn't use cookies, unless you count session cookie.
I can get it to work by encrypting true or false to a cookie if 'remember me' is set, and one for user id, and on the page check: if the remember me cookie value is set, auto log in; else if session is set, already logged in; else not logged in.
Problem is it doesn't appear to be very secure.
The next time a user comes to the page, if the cookie is set it knows autologin is set, so check the user id is legit. I can't really set/check the IP value as most would be on proxy servers (I do log IPs but only for cheating reasons). Can't compare it to session data/cookie as that could/should be history, so what's left?
Been Googling for a while and there's heaps of mention of these scripts but nothing really on security.

Suzanne posted this at 19:27 — 12th June 2004.
She has: 5,507 posts
Joined: Feb 2000
Is there a reason you can't use a cookie? That's really the most common route.
Busy posted this at 22:42 — 12th June 2004.
He has: 6,151 posts
Joined: May 2001
It's not that I don't want to use a cookie, just want to use a cookie in a secure way.
Example: if I just put the user's id and encrypted password into the cookie, whoever uses the cookie would always get a true result and be logged in to said account. Because NZ is mostly dial-up users, their IPs change all the time, so comparing user id to IP would more often than not be false.
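One way to avoid putting the user id and password in the cookie, as an added example that is not part of the original posts: the cookie carries a random single-use token, and the server keeps only its hash. The function names, the 30-day lifetime and the in-memory dictionary standing in for a database table are assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_LIFETIME = 30 * 24 * 3600  # assumed 30-day lifetime, in seconds

# Stand-in for a database table: selector -> (user_id, validator_hash, expires_at)
_tokens = {}


def _hash(validator):
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_token(user_id, now=None):
    """Create the remember-me cookie value after a normal password login."""
    now = time.time() if now is None else now
    selector = secrets.token_urlsafe(12)   # lookup key, not secret
    validator = secrets.token_urlsafe(32)  # secret; only its hash is stored
    _tokens[selector] = (user_id, _hash(validator), now + TOKEN_LIFETIME)
    return f"{selector}:{validator}"


def redeem_token(cookie_value, now=None):
    """Return (user_id, new_cookie) on success, (None, None) on failure."""
    now = time.time() if now is None else now
    selector, sep, validator = (cookie_value or "").partition(":")
    # pop() makes every token single-use: a replayed cookie finds nothing
    record = _tokens.pop(selector, None) if sep else None
    if record is None:
        return None, None
    user_id, stored_hash, expires_at = record
    if now > expires_at:
        return None, None
    if not hmac.compare_digest(stored_hash, _hash(validator)):
        # Known selector, wrong validator: treat as tampering, revoke everything
        revoke_all(user_id)
        return None, None
    return user_id, issue_token(user_id, now)  # rotate on every auto-login


def revoke_all(user_id):
    """Drop every token for a user (logout everywhere, password change)."""
    for sel in [s for s, rec in _tokens.items() if rec[0] == user_id]:
        del _tokens[sel]
```

A copied cookie still works until it is used, expires, or is revoked, so the browser cookie should be set with the Secure and HttpOnly attributes, and sensitive actions should still ask for the password.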
m3rajk posted this at 02:09 — 13th June 2004.
They have: 461 posts
Joined: Jul 2003
in that case the quick answer is to talk to someone who has actually written a thesis in secure cookies.
at least i think he said it was a masters thesis. i know he did write a paper on it.
go to the php developer's network.
look for nielsen (sp?).
sorry i can't be of more help.
had a major motherboard issue
POSIX. because a stable os that doesn't have memory leaks and isn't buggy is always good.
Suzanne posted this at 22:53 — 12th June 2004.
She has: 5,507 posts
Joined: Feb 2000
Wouldn't that be their own problem? Not to minimize it, but if they choose to be "logged in" automatically, it's on their head, not yours if they do that in a public internet cafe?