Answer the question
In order to leave comments, you need to log in
How secure is the implementation of user remembering?
I'm trying to implement a password remembering function in php. Suppose, when logging in, the server generates a token and sends it to the browser through cookies. Now, on subsequent visits, I compare the token from the cookie and from the database.
There is a small chance that the site will recognize some attacker as another user, because the attacker can change the token from the cookie as many times as he wants.
Answer the question
In order to leave comments, you need to log in
The required parameter is called "cryptographic strength".
Most of the self-made solutions "from letters and numbers" do not have such durability .
Just as uuid v4 does not have it either.
At the moment, the recommended solution is to use the random_bytes() function.
Next, the token is written to the database and to the user's cookies.
$token = bin2hex(random_bytes(24));
well, it means you need to give not id but uuid v4 (this is an example, you can use any other random, the more the better), and store id in a table on the server side, and you can also make a separate binding to ip / useragent or the time of the last request (for example ip (or range) may change within a day or two, the useragent version will increase by 1, otherwise the session with this id is invalid)
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question