Implementing the correct "remember me" option and ending sessions remotely?
I would like to ask more experienced people how to create a login/registration in PHP with a "remember me" option. I always just write the user ID (its ID in the database) to the session and build all queries on that ID to select the necessary information. How safe is it? Can a client change a session, and how can it be protected from that? And about the session-remembering option, how do you do it safely? Can I encrypt id + time? I would like to know the best option. I have also always liked that sessions can be closed remotely (as is done in Telegram). In fact, are these just saved keys in the database? But what if the session on the client just disappears? Thanks in advance for your reply.
You can make tokens as FanatPHP suggests, but there is another way:
Store sessions in the database and work with sessions through the database. Then, when a session is deleted from the database, the user is logged out.
You can also look at these materials: State: Cookies and sessions, and Authentication Methods. You will learn a lot and answer your own questions.
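A worked version of the "sessions in the database" approach from this answer, added here as an example (it is not code from the answer or from any project the thread mentions). Every session row is keyed by PHP's own CSPRNG-generated session ID and tagged with the user it belongs to, so a user's active sessions can be listed and any one of them deleted from anywhere, which is the Telegram-style remote logout the question asks about. The `sessions` table, the 24 h lifetime and the SQLite `INSERT OR REPLACE` syntax are my assumptions; PHP 8 is required for the union return types.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Assumes PDO over SQLite and a
// `sessions` table of my own design (id, user_id, data, expires_at).
final class DbSessionHandler implements SessionHandlerInterface
{
    private const LIFETIME = 86400; // assumption: 24 h idle lifetime

    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ? AND expires_at > ?');
        $st->execute([$id, time()]);
        $data = $st->fetchColumn();
        return $data === false ? '' : $data;   // unknown or revoked ID => empty session
    }

    public function write(string $id, string $data): bool
    {
        // $_SESSION is still populated when write() runs, so record the owner here.
        $userId = $_SESSION['user_id'] ?? null;
        $st = $this->pdo->prepare(
            'INSERT OR REPLACE INTO sessions (id, user_id, data, expires_at) VALUES (?, ?, ?, ?)'
        );
        return $st->execute([$id, $userId, $data, time() + self::LIFETIME]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->pdo->prepare('DELETE FROM sessions WHERE expires_at <= ?');
        $st->execute([time()]);
        return $st->rowCount();
    }
}

// "Active sessions" page and remote logout.
function listSessions(PDO $pdo, int $userId): array
{
    $st = $pdo->prepare('SELECT id, expires_at FROM sessions WHERE user_id = ?');
    $st->execute([$userId]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

function revokeSession(PDO $pdo, int $userId, string $sessionId): bool
{
    // user_id is part of the WHERE clause: a user can only terminate their own sessions.
    $st = $pdo->prepare('DELETE FROM sessions WHERE id = ? AND user_id = ?');
    $st->execute([$sessionId, $userId]);
    return $st->rowCount() === 1;
}

// --- demo (run from the CLI; nothing may be printed before session_start()) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, user_id INTEGER,
            data TEXT NOT NULL, expires_at INTEGER NOT NULL)');
$pdo->exec('CREATE INDEX sessions_user ON sessions (user_id)');

session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();
session_regenerate_id(true);      // fresh ID at login: defeats session fixation
$_SESSION['user_id'] = 42;        // constructed sample user
$sid = session_id();
session_write_close();            // the row now exists in the database

$before  = listSessions($pdo, 42);                          // one row, id === $sid
$revoked = revokeSession($pdo, 42, $sid);                   // true
$after   = (new DbSessionHandler($pdo))->read($sid);        // '' : the session is gone
var_dump(count($before), $revoked, $after);
```

Note the answer to "can a client change a session": the client can send any cookie value it likes, but an ID that has no row (or whose row was deleted) resolves to an empty session, not to another user. To stop PHP from adopting a client-invented ID as a new session, also implement `SessionUpdateTimestampHandlerInterface::validateId()` on the handler and enable `session.use_strict_mode`.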
You generate a token with random_bytes() (or a UUID) and put it in a cookie and in the database.
Accordingly, you take the token from the cookie and find the user in the database.
If you need to log out, you generate a new token.
Whether to use the session in this case is a matter of taste and, in general, a secondary question. It may or may not be used.
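The random-token "remember me" scheme from this answer, worked out as an added example (this is not FanatPHP's code). It goes one step past the answer: the cookie carries `selector:verifier`, and the database stores only `sha256(verifier)`, so a leaked table cannot be turned into working cookies. The `remember_tokens` table, the cookie name `remember`, the 30-day lifetime and the use of SQLite are my assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Assumes PDO over SQLite and a
// `remember_tokens` table of my own design.
const REMEMBER_COOKIE   = 'remember';   // assumption
const REMEMBER_LIFETIME = 30 * 86400;   // assumption: 30 days

function createSchema(PDO $pdo): void
{
    $pdo->exec('CREATE TABLE remember_tokens (
        selector      TEXT PRIMARY KEY,
        verifier_hash TEXT NOT NULL,
        user_id       INTEGER NOT NULL,
        expires_at    INTEGER NOT NULL)');
}

/** Issue a token at login: inserts the row, sets the cookie, returns the cookie value. */
function issueRememberToken(PDO $pdo, int $userId): string
{
    $selector = bin2hex(random_bytes(12));   // lookup key, not secret
    $verifier = bin2hex(random_bytes(32));   // the secret: 256 bits from the CSPRNG
    $st = $pdo->prepare('INSERT INTO remember_tokens (selector, verifier_hash, user_id, expires_at)
                         VALUES (?, ?, ?, ?)');
    $st->execute([$selector, hash('sha256', $verifier), $userId, time() + REMEMBER_LIFETIME]);

    $cookie = $selector . ':' . $verifier;
    setcookie(REMEMBER_COOKIE, $cookie, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $cookie;
}

/** Resolve a cookie to a user ID; null if it is missing, unknown, expired or forged. */
function userFromRememberCookie(PDO $pdo, ?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $verifier] = explode(':', $cookie, 2);
    $st = $pdo->prepare('SELECT verifier_hash, user_id FROM remember_tokens
                         WHERE selector = ? AND expires_at > ?');
    $st->execute([$selector, time()]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                        // no such selector, or expired
    }
    // Constant-time comparison of the only secret part.
    if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
        return null;
    }
    return (int) $row['user_id'];
}

/** Log out this device only: drop its row and expire the cookie. */
function revokeRememberToken(PDO $pdo, string $cookie): void
{
    $selector = explode(':', $cookie, 2)[0];
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
}

/** "Log out everywhere": one query kills every remembered device of the user. */
function revokeAllRememberTokens(PDO $pdo, int $userId): void
{
    $pdo->prepare('DELETE FROM remember_tokens WHERE user_id = ?')->execute([$userId]);
}

// --- demo (CLI; all setcookie() calls happen before anything is printed) ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($pdo);

$cookie  = issueRememberToken($pdo, 42);                            // constructed sample user
$ok      = userFromRememberCookie($pdo, $cookie);                   // 42
[$sel, $ver] = explode(':', $cookie, 2);
$forged  = userFromRememberCookie($pdo, $sel . ':' . strrev($ver)); // null: right selector, wrong verifier
revokeRememberToken($pdo, $cookie);
$revoked = userFromRememberCookie($pdo, $cookie);                   // null: revoked
var_dump($ok, $forged, $revoked);
```

When a request arrives with no session but a valid remember cookie, start the session, call `session_regenerate_id(true)` and set `$_SESSION['user_id']` from the resolved ID; whether you then keep using the session for the rest of the visit is, as the answer says, a matter of taste. Rotating the verifier on every such use limits how long a stolen cookie stays valid.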
"How safe is it?"
Not safe at all: anyone can simply brute-force all of them. That is a big hole. Well, until someone notices everything is OK, but someone will definitely notice, 148%.
"And about the session remembering option, how to do it safely?"
Already written, in principle: the point is not to use any explicitly binding data such as a login or ID as the key, but to generate a random hash/key that is stored on the client and on the server.
"And I also always liked that sessions can be closed remotely (as is done in Telegram)."
I didn't understand what this is about. Remotely from the toilet, while the computer is in the room? Or from a secret government centre that turns off the client's session and their Internet? What is it about?
"But what if the session on the client just disappears?"
The session cannot (suddenly) disappear on the client, because it was never there; there is only the session cookie, the key to the session, and the session itself is on the server, so the question as posed makes no sense.