CodeIgniter
Vitali, 2011-08-14 12:20:15

Implementation of the "Remember me" functionality?

I'm scratching my head over the implementation of the "Remember me" functionality. So far I have settled on the following: every time a user visits the site with the "Remember me" checkbox ticked, a new randomly generated token is written to the database. The user_id and the token are written to the cookie in encrypted form.
In decrypted form, the cookie looks like this:
1-dfbb8bd5b577615c95cd2c2qc3fad362
where 1 is the user id and, after the dash, comes the token itself.
In encrypted form, the cookie looks something like this:

BjMHKQe0vNPBuLBNVXw3xJAOdnIK1OlS3bGrjB3O1gl2H1gqOZ4k7yPT3VPEUke7J%2BbzHDzUMCuF%2FWeLVBsM7Q%3D%3D-t20GNsMOkstr6HD3W%2FKlb56%2FZj9cuinwYrk8QTvFxK5Z8d2jM8ntLv1WxnfagirzgQSxqDsEHj1HaBXIYXeBbQ%3D%3D

On entry, the cookie is decrypted and, if the token from the cookie matches the token in the database, the user is logged in.
Everything seems to be working, but I am troubled by the thought that if the cookie is stolen, the attacker will have full access to the account.
How else can you protect yourself?
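One way to limit what a stolen cookie is worth, as an added example that is not part of the original question and not CodeIgniter code (it is Python, with an in-memory dict standing in for the database table, and a 30-day lifetime chosen as an assumed policy value): keep the asker's `user_id-token` layout but add a per-browser series, store only a hash of the token server-side, and rotate the token on every successful use. A stolen cookie then works only until the legitimate browser next presents its own copy; whichever side presents the already-rotated token for a valid series reveals the theft, and all remember-me series for that user are revoked.

```python
"""Added example: rotating "remember me" tokens with theft detection.

Cookie value:  <user_id>-<series>-<token>
Server stores: (user_id, series) -> sha256(token), expiry

Not from the original post; the table below is a constructed stand-in
for a database table, and TOKEN_TTL is an assumed policy value.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 30 * 24 * 3600  # 30 days (assumed policy value)

# Constructed in-memory stand-in for a `remember_tokens` table.
_table = {}


def _hash(token):
    # Only the hash is stored, so a read-only leak of the table does not
    # yield usable cookies.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_cookie(user_id, now=None):
    """Start a new series for this browser and return the cookie value."""
    now = time.time() if now is None else now
    series = secrets.token_hex(16)   # hex only, so '-' stays a safe separator
    token = secrets.token_hex(32)
    _table[(user_id, series)] = {
        "token_hash": _hash(token),
        "expires": int(now) + TOKEN_TTL,
    }
    return f"{user_id}-{series}-{token}"


def revoke_all(user_id):
    """Drop every remember-me series for the user (theft response, password change)."""
    for key in [k for k in _table if k[0] == user_id]:
        del _table[key]


def check_cookie(cookie, now=None):
    """Return (status, user_id, new_cookie).

    status is 'ok', 'invalid', 'expired' or 'theft'.
    On 'ok' the caller must set new_cookie on the response (rotation).
    On 'theft' every series for the user has been revoked; force a
    password login and notify the user.
    """
    now = time.time() if now is None else now
    try:
        user_id_str, series, token = cookie.split("-", 2)
        user_id = int(user_id_str)
    except ValueError:
        return ("invalid", None, None)

    row = _table.get((user_id, series))
    if row is None:
        return ("invalid", None, None)
    if row["expires"] < now:
        del _table[(user_id, series)]
        return ("expired", None, None)

    if not hmac.compare_digest(row["token_hash"], _hash(token)):
        # Known series but a token that has already been rotated away:
        # someone else used this cookie before us. Treat as theft.
        revoke_all(user_id)
        return ("theft", user_id, None)

    # Valid: rotate the token within the same series.
    new_token = secrets.token_hex(32)
    row["token_hash"] = _hash(new_token)
    return ("ok", user_id, f"{user_id}-{series}-{new_token}")


if __name__ == "__main__":
    cookie = issue_cookie(1)
    status, uid, fresh = check_cookie(cookie)       # legitimate use -> rotated
    print(status, uid)
    print(check_cookie(cookie)[0])                  # replay of old cookie -> theft
    print(check_cookie(fresh)[0])                   # rotated cookie now dead too
```

Set the cookie with `HttpOnly`, `Secure` and `SameSite` so that scripts and plain-HTTP requests cannot read it, and call `revoke_all` on password change so a cookie stolen earlier cannot outlive the credential it was issued under.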


5 answer(s)
David Mzareulyan, 2014-01-27
@david_mz

The topic is old, but in case someone else ends up here, there is this option for handling authorization cookies: david-m.livejournal.com/1267236.html

TheHorse, 2011-08-14
@TheHorse

You can simply set expires a couple of years ahead when the box is ticked.

xaker1, 2011-08-14
@xaker1

I implemented it a little more simply. "Remember me" cookie: a cookie is set containing md5 of the concatenation id + md5(passwd) + ip,
plus another cookie with the login.
If such a cookie exists, we fetch the corresponding user data from the database, check the concatenation, and if it matches, we authorize the user. If the IP has changed, remember me does not work.
For greater reliability you can also include browser data in the concatenation.

VenomBlood, 2011-08-14
@VenomBlood

They don't get full access. After all, to change the e-mail / login / password you need to enter the current password, and whether there is a cookie or not does not matter.

FedLab, 2011-08-14
@FedLab

As an option: binding to the IP (or part of it, in extreme cases).
As an option: form the token taking "HTTP_USER_AGENT" into account.
