On 01/04/2008, Eric Marden <[EMAIL PROTECTED]> wrote:
> There are two parts of the process:
>
>  1) Setting the cookie
>  2) Logging in via the cookie
>
>  For a similar feature in my ZF App, I just used the normal php
>  setcookie() function. My cookie contains the user's username, and a
>  properly salted hash of the password. To create the hash, I used a
>  function similar to this:
>
>  md5(md5('password'.'secret_salt'))

Actually, it's not a good idea to do an md5 sum of an md5 hash; this
decreases security. The outer md5 operates on a string of constant
length, and that's bad.

>
>  Your passwords should be stored in the db using the same hash format.
>
>  And while not 100% secure, most brute force and rainbow table attacks
>  can be thwarted because the salt used, which should be a random sequence
>  of characters that only you and the other developers know, should be
>  enough to keep unwanted users from cracking the password. Also,
>  because cookies are hard to spoof, since they can only be read by the
>  domain that set them, it should be reasonably secure for most
>  applications (if you are working on a banking app, or something else
>  that is highly sensitive, then you shouldn't be adding this feature, and
>  should consider more secure 2-factor authentication schemes or even a
>  client certificate, etc).
>
>  You will then need to modify your login code to support logging in from
>  the cookie. I use the same function in my User model for both, but have
>  a parameter that tells the function 'how' it should operate... In other
>  words, am I getting a password that is hashed or in plain text. It
>  should also have a feature to set the cookie, if the remember me box was
>  checked.
>
>  You'll still need something that kicks off the auto-login via cookie. I
>  put mine in the same function that gets called to check if the user
>  session is valid. Personally I only call this function when a page is
>  requested that requires a logged in user. If you want the site to
>  recognize the user right away - regardless of where / when the user
>  entered the site, you could put it in your init() function or somewhere
>  else convenient. This part is kind of up to you, as it will shape the
>  user experience.
>
>  Hope this gets you started.
>
>
>
>  --
>  Eric Marden
>  Sr. PHP Developer
>
>
>  -----Original Message-----
>  From: darren [mailto:[EMAIL PROTECTED]
>  Sent: Tuesday, April 01, 2008 11:20 AM
>  To: [email protected]
>  Subject: [fw-general] best practice for "Remember Me"
>
>  Newbie Alert:
>
>  I would like to create a way for users to stay logged in for extended
>  periods of time (like 2 to 12 weeks) as you might expect with a
>  "Remember Me" checkbox.  I have a decent amount of experience with PHP,
>  but not too much either ZF or with sessions and cookies. I thought I
>  could just use the rememberMe() method with Zend_Session.
>  But, that seems to only work for smaller time intervals because I can
>  only effectively set it for a couple of seconds to a few minutes.
>  Setting it to anything like hours seems to make it default to about 20
>  minutes or so.  I'm thinking Zend_HTTP_Cookies with Zend_Auth might be
>  the ticket.
>
>  I can (and have been) read the documentation on each module.  But, I
>  don't quite grasp the idea of how they should be glued together to
>  achieve what I want to do.  And, for the life of me, I can't find an
>  example anywhere.
>
>  So, could someone steer me in the right direction?  Maybe an example or
>  tutorial somewhere?  Or, if someone could just tell which
>  classes/modules I should be using, I could probably run with that.
>
>  Thanks,
>  Darren
>

-- 
Regards,
Martin Martinov
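An added example, not code from anyone in this thread: a "Remember Me" cookie built from a random token instead of anything derived from the password, so the question of which hash to put in the cookie does not arise. The cookie carries a selector (a lookup key) and a validator (the secret); the server keeps only a SHA-256 of the validator, so a dump of that table does not yield usable cookies, and a cookie with a known selector but wrong validator is treated as a stolen-then-rotated token and revoked. The function names, the `$store` array standing in for a database table, the cookie name and the 30-day lifetime are all assumptions of this example. It assumes PHP 7.3 or later (`random_bytes`, `hash_equals`, and the options-array form of `setcookie`).

```php
<?php
// Added example of a split-token "Remember Me" cookie. Not code from this
// thread. Assumes PHP >= 7.3. The $store array is a stand-in for a DB table.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';      // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 60 * 60;  // assumed lifetime: 30 days

/**
 * Issue a token for $userId. Persists only a hash of the validator and
 * returns the value to place in the cookie ("selector:validator").
 */
function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key; not secret on its own
    $validator = bin2hex(random_bytes(32));  // the secret half; never stored in clear
    $store[$selector] = [
        'user_id'   => $userId,
        // The validator is 256 random bits, so a plain SHA-256 is enough here;
        // there is nothing to guess, unlike a password, so no slow hash is needed.
        'validator' => hash('sha256', $validator),
        'expires'   => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

/**
 * Check a cookie value. Returns the user id on success, null otherwise.
 * Expired tokens are dropped; a known selector with a wrong validator is
 * revoked, so a thief and the real user cannot both keep using it.
 */
function checkRememberToken(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < $now) {
        unset($store[$selector]);
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of the presented secret.
    if (!hash_equals($row['validator'], hash('sha256', $validator))) {
        unset($store[$selector]);  // selector known, secret wrong: revoke this token
        return null;
    }
    return $row['user_id'];
}

/** Set the cookie with the flags that limit where it travels and who can read it. */
function setRememberCookie(string $value, int $now): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Demonstration with an in-memory store (constructed data, no real users).
$store = [];
$now   = time();

$cookie = issueRememberToken($store, 42, $now);
var_dump(checkRememberToken($store, $cookie, $now));              // int(42)

// Same selector, tampered validator: rejected, and the token is revoked.
[$selector] = explode(':', $cookie, 2);
var_dump(checkRememberToken($store, $selector . ':' . str_repeat('0', 64), $now)); // NULL
var_dump(checkRememberToken($store, $cookie, $now));              // NULL (revoked)

// A fresh token after the lifetime has passed is also rejected.
$cookie2 = issueRememberToken($store, 42, $now);
var_dump(checkRememberToken($store, $cookie2, $now + REMEMBER_TTL + 1)); // NULL
```

On a real login with the box checked you would call `issueRememberToken` and `setRememberCookie` after the password check; at the start of a request with no session you would run `checkRememberToken` on `$_COOKIE[REMEMBER_COOKIE]` and, on success, start the session and issue a new token so each cookie is single-use. Because the cookie holds nothing derived from the password, a stolen cookie exposes only that one remember-me slot, which the server can revoke by deleting the row.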
