[PHP] session cookie that never expires

2003-02-17 Thread Altug Sahin
Hi there,

I have set up a site with session management, but even when the browser is closed
or after the session's default expiration time, the user should be able
to see his/her personalized settings. I am not using any cookies.

How can I make this happen without changing my session-related code? Should
I combine cookies with sessions, or can I make my sessions never expire even
when the browser is closed?

Thanks
-Al



-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] session cookie that never expires

2003-02-17 Thread Jason Sheets
Making your session never expire is a bad idea: by doing this you are
most likely going to be using the same session id forever, which gives
attackers a much longer amount of time to guess or brute-force a session
id, AND you will continue to use hard drive space and inodes on your
server because gc will never clean them up.

Also that means that anyone on any of these computers will be able to
access the user's information whether they really are that user or not.

Rather than making the session last forever, you should force your users
to log in and then load their session information. If you are putting
information into sessions that needs to be persistent between sessions,
you should either store it in files or in a database and then load it
when you need it.

Jason
On Mon, 2003-02-17 at 07:40, Altug Sahin wrote:
> Hi there,
> 
> I have set up a site with session management, but even when the browser is closed
> or after the session's default expiration time, the user should be able
> to see his/her personalized settings. I am not using any cookies.
> 
> How can I make this happen without changing my session-related code? Should
> I combine cookies with sessions, or can I make my sessions never expire even
> when the browser is closed?
> 
> Thanks
> -Al






Re: [PHP] session cookie that never expires

2003-02-17 Thread Justin French
on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:

> Hi there,
> 
> I have set up a site with session management, but even when the browser is closed
> or after the session's default expiration time, the user should be able
> to see his/her personalized settings. I am not using any cookies.
> 
> How can I make this happen without changing my session-related code? Should
> I combine cookies with sessions, or can I make my sessions never expire even
> when the browser is closed?

Sessions are just that -- a single session, so no, a session cannot live
forever.  However a cookie can.  You *could* set a cookie with the user's uid
and pwd, and check for the cookie before asking the user to log in, but
obviously there are some vulnerabilities to this, so it should be an OPTION
for users, rather than FORCED upon them... they should also be aware of the
risks.

One of many risks is the fact that if they're on a shared computer (library,
net cafe, work, school), others will

a) be able to see their password and username by viewing the cookie

b) be able to log in as the user to your site, and possibly many others using
those credentials



Justin 






Re: [PHP] session cookie that never expires

2003-02-17 Thread Jason Sheets
You shouldn't store user passwords in cookies on a browser; instead, a
more secure method for the user is:

On your login form, offer the ability to be remembered. If they click the
Remember Me box, generate a unique random ID (or 2 and combine them),
store this ID in your database attached to their user account, and
set a cookie on their browser with this ID.  Now when they come to your
website, if they are not logged in, your website checks for this unique id
in the cookie; if the cookie exists it references it against their user
account, and if the unique id matches, the system logs them in.  This method
is also nice because you can invalidate all automatic logins by clearing
the column in your database.

Please note the unique ID will still be sent in the clear, so someone
sniffing the traffic could still pick it up; forcing them to log in
once every n days can help reduce this. Also prompt for the password
for any critical events like changing their profile.

If you pass this over SSL you make it more secure because the traffic is
encrypted.

Jason
On Mon, 2003-02-17 at 17:55, Justin French wrote:
> on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:
> 
> > Hi there,
> > 
> > I have set up a site with session management, but even when the browser is closed
> > or after the session's default expiration time, the user should be able
> > to see his/her personalized settings. I am not using any cookies.
> > 
> > How can I make this happen without changing my session-related code? Should
> > I combine cookies with sessions, or can I make my sessions never expire even
> > when the browser is closed?
> 
> Sessions are just that -- a single session, so no, a session cannot live
> forever.  However a cookie can.  You *could* set a cookie with the user's uid
> and pwd, and check for the cookie before asking the user to log in, but
> obviously there are some vulnerabilities to this, so it should be an OPTION
> for users, rather than FORCED upon them... they should also be aware of the
> risks.
> 
> One of many risks is the fact that if they're on a shared computer (library,
> net cafe, work, school), others will
> 
> a) be able to see their password and username by viewing the cookie
> 
> b) be able to log in as the user to your site, and possibly many others using
> those credentials
> 
> 
> 
> Justin


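Jason's remember-me scheme written out in PHP, as an added example that is not code from the thread or from any of its posters. It follows his steps (random ID on "Remember Me", stored against the account, sent as a cookie, checked on a later visit when no session is logged in, revoked by clearing the rows) and also fits his earlier advice to keep persistent data server-side. Two details are my additions rather than his: the database keeps only a SHA-256 hash of the secret part, so a copy of the table does not yield usable cookies, and the cookie value is split into a `selector` used for lookup and a `validator` compared in constant time. Table and column names, `REMEMBER_DAYS`, and the in-memory SQLite database are assumptions chosen so the script runs stand-alone from the CLI; it needs PHP 7 or later for `random_bytes` and `hash_equals`.

```php
<?php
// Added example, not from the thread. Server-side "remember me" tokens:
// the cookie carries selector:validator, the table stores the selector and
// a hash of the validator. Schema and names are assumptions for this demo.
declare(strict_types=1);

const REMEMBER_DAYS = 14;   // force a fresh password login at least this often

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires_at     INTEGER NOT NULL)');
}

// Called after a successful password login when the user ticked "Remember Me".
// Returns the value to put in the cookie; only a hash of its secret half is stored.
function issueRememberToken(PDO $db, int $userId, int $now): string {
    $selector  = bin2hex(random_bytes(12));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // the secret; never stored in clear
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId,
                    $now + REMEMBER_DAYS * 86400]);
    return $selector . ':' . $validator;
}

// Called on a request with no logged-in session that does carry the cookie.
// Returns the user id to log in, or null if the cookie is missing, malformed,
// unknown, expired or presents the wrong validator for its selector.
function resolveRememberToken(PDO $db, ?string $cookie, int $now): ?int {
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null;
    }
    // Constant-time comparison of the hashed validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Jason's "clear the column": drop every token for the account, e.g. on a
// password change or an explicit "log out everywhere". Returns rows removed.
function revokeAllRememberTokens(PDO $db, int $userId): int {
    $stmt = $db->prepare('DELETE FROM remember_tokens WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// In the web handler the cookie would be set like this (not executed here):
// setcookie('remember', $token, [
//     'expires'  => time() + REMEMBER_DAYS * 86400,
//     'path'     => '/',
//     'secure'   => true,    // TLS only, which is Jason's SSL remark
//     'httponly' => true,    // not readable from script in the browser
//     'samesite' => 'Lax',
// ]);

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Stand-alone demonstration against an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$now = time();

$cookie = issueRememberToken($db, 42, $now);
check(resolveRememberToken($db, $cookie, $now) === 42, 'valid cookie logs in user 42');
check(resolveRememberToken($db, $cookie, $now + (REMEMBER_DAYS + 1) * 86400) === null,
      'expired cookie is rejected');
[$sel] = explode(':', $cookie, 2);
check(resolveRememberToken($db, $sel . ':' . str_repeat('0', 64), $now) === null,
      'known selector with wrong validator is rejected');
check(resolveRememberToken($db, 'garbage', $now) === null, 'malformed cookie is rejected');
check(revokeAllRememberTokens($db, 42) === 1, 'one token revoked');
check(resolveRememberToken($db, $cookie, $now) === null, 'revoked cookie no longer works');
echo "remember-me token checks passed\n";
```

Run it with `php remember.php`. The expiry check implements the "force a login every n days" part of Jason's caveat; the sniffing caveat is addressed only by the `secure` flag in the commented `setcookie` call, since a token sent over plain HTTP is as exposed as any other cookie. Because only the hash is stored, an attacker who obtains the table cannot reconstruct cookies, and because lookup is by selector, the stored hash is never compared across rows.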




Re: [PHP] session cookie that never expires

2003-02-17 Thread Justin French
Nice!!

Justin French

on 18/02/03 12:54 PM, Jason Sheets ([EMAIL PROTECTED]) wrote:

> You shouldn't store user passwords in cookies on a browser; instead, a
> more secure method for the user is:
> 
> On your login form, offer the ability to be remembered. If they click the
> Remember Me box, generate a unique random ID (or 2 and combine them),
> store this ID in your database attached to their user account, and
> set a cookie on their browser with this ID.  Now when they come to your
> website, if they are not logged in, your website checks for this unique id
> in the cookie; if the cookie exists it references it against their user
> account, and if the unique id matches, the system logs them in.  This method
> is also nice because you can invalidate all automatic logins by clearing
> the column in your database.
> 
> Please note the unique ID will still be sent in the clear, so someone
> sniffing the traffic could still pick it up; forcing them to log in
> once every n days can help reduce this. Also prompt for the password
> for any critical events like changing their profile.
> 
> If you pass this over SSL you make it more secure because the traffic is
> encrypted.
> 
> Jason
> On Mon, 2003-02-17 at 17:55, Justin French wrote:
> > on 18/02/03 1:40 AM, Altug Sahin ([EMAIL PROTECTED]) wrote:
> > 
> > > Hi there,
> > > 
> > > I have set up a site with session management, but even when the browser is closed
> > > or after the session's default expiration time, the user should be able
> > > to see his/her personalized settings. I am not using any cookies.
> > > 
> > > How can I make this happen without changing my session-related code? Should
> > > I combine cookies with sessions, or can I make my sessions never expire even
> > > when the browser is closed?
> > 
> > Sessions are just that -- a single session, so no, a session cannot live
> > forever.  However a cookie can.  You *could* set a cookie with the user's uid
> > and pwd, and check for the cookie before asking the user to log in, but
> > obviously there are some vulnerabilities to this, so it should be an OPTION
> > for users, rather than FORCED upon them... they should also be aware of the
> > risks.
> > 
> > One of many risks is the fact that if they're on a shared computer (library,
> > net cafe, work, school), others will
> > 
> > a) be able to see their password and username by viewing the cookie
> > 
> > b) be able to log in as the user to your site, and possibly many others using
> > those credentials
> > 
> > 
> > 
> > Justin

