On Sun, Aug 7, 2011 at 10:03 PM, Donovan Brooke <li...@euca.us> wrote:

> alekto wrote:
>> Hi,
>> I have implemented a "remember" me feature in my login-script, but I can't
>> get it to function!
> If I might be so bold... then you haven't implemented the feature yet,
> right? ;-)
>  I want to make it possible for the users to stay logged in for 30 days.
>> This is what I got this far:
> You have a logic problem... If I were you, I would write it out more
> simplistically first... something like:
> if session cookie
>  keep logged in
> else, if remember me
>  if verifiable
>    set session cookie and redirect
> Of course, that is not an example of exact logic to use, and is just a
> method example of how you can solve your problem. As others have suggested,
> I would first start reading about ob_start,ob_end_clean(which
> works well before a header redirect), and ob_end_flush.
> I agree about only needing to store the user ID in your cookie's (session
> and rememberme) (hashed perhaps), and not the password.
> My last comment would be a kind request to strip out all unnecessary html
> etc.. when posting questions to the list. I usually would not take the time
> to look through a mess like that. ;-)
> Donovan
> --
> D Brooke
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
I'm going to play the third side of this thread and ask if anyone other than
me sees any clear security issues with code like that, even if username and
password were taken out of the cookie, and it was hashed in the DB, there is
still a security issue with thinking this way which in today's world should
not be an overlooked practice.

And i mean i see that the person here is a newbie, the code looks pretty
bad, but i think it's worth mentioning that looking at best security
practices for the situation is as trivial as figuring out your classes and
methods. Knowing how to prevent people like, well even me, from running sql
scripts from your website via forms, or stealing user sessions is essential
in today's web world...

You're writing some client-facing code, maybe you should look at how to
write it and keep the client secure? You could at least add session and
request tokens to make the persistent sessions at least a bit more secure,
that's of course on top of hashing passwords (with a salt), and not storing
user names and passwords in the cookie.

Also escaping doesn't work, if you don't believe me, listen to the keynote
that Dan Kaminsky gave at the last HOPE conference, he gives a good overview
of why... Please either use parameterized queries, or the awesome hack that
is base 64, don't assume that just because the function is called
mysql_real_escape_string, that it actually knows what it is doing; unicode
is a powerful weapon in the wrong hands!

Also use === for string comparison as 42 == "test"!

The trouble with programmers is that you can never tell what a programmer is
doing until it’s too late.  ~Seymour Cray

Reply via email to