PHP
JackShcherbakov, 2018-02-05 23:20:09

Is the approach to remembering the user on the site through cookies correct?

Hello! The site implemented the functionality of remembering the user. The algorithm is as follows:
If the "remember me" checkbox is checked and the login and password are correct, then:
1. Save the login and password with the setcookie function, having previously hashed the password with the password_hash function.
2. On subsequent requests, the password from the cookie will be checked against the password from the database with the password_verify function.
How correct is this? Is it possible to do so?
Thanks in advance!

2 answer(s)
xmoonlight, 2018-02-05
@xmoonlight

The token is stored in a browser cookie based on device and credentials.
The token is just one hash; it is stored in the database for the client device.
The link is this: UserID (login + pass) -> client (device) -> token
This is so that one user can log in with one password on different devices and see where his sessions are currently logged in.
If the token is stolen and used on another device, it will no longer be valid.
The login and password are needed only when logging into the account, or when the token is empty or not valid. First, you need to check the login and password pair, and if authorization is successful, generate a new token.
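
The token scheme described in the answer above, sketched as an added example (not code from the thread): the cookie carries a random per-device token instead of the login and password hash, and the server keeps only the token's SHA-256 hash. The `RememberStore` class, the function names, the in-memory array standing in for a database table, the 30-day lifetime and the rotation on every use are assumptions.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a database table: selector => [user_id, token_hash, expires].
final class RememberStore
{
    public static array $rows = [];
}

// Call only after the login and password pair has been verified.
// Returns the cookie value "selector:token"; no credential is placed in the cookie.
function issueRememberToken(int $userId, int $ttl = 2592000): string
{
    $selector = bin2hex(random_bytes(9));   // identifies this device's row
    $token    = bin2hex(random_bytes(32));  // the secret, sent to the browser only
    RememberStore::$rows[$selector] = [
        'user_id'    => $userId,
        'token_hash' => hash('sha256', $token), // the server stores only the hash
        'expires'    => time() + $ttl,
    ];
    return $selector . ':' . $token;
}

// Returns [userId, newCookieValue] on success, or null if the cookie is not valid.
function consumeRememberToken(string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $token] = $parts;
    $row = RememberStore::$rows[$selector] ?? null;
    unset(RememberStore::$rows[$selector]); // single use: the row is dropped either way
    if ($row === null || $row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null; // fall back to the login form
    }
    return [$row['user_id'], issueRememberToken($row['user_id'])];
}

// Demo with a constructed user id.
$cookie = issueRememberToken(42);
// In a real response: setcookie('remember', $cookie, ['expires' => time() + 2592000,
//     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
[$userId, $rotated] = consumeRememberToken($cookie);  // first use of the cookie
var_dump($userId === 42);
var_dump(consumeRememberToken($cookie) === null);     // replaying the old value
var_dump(consumeRememberToken($rotated) !== null);    // using the rotated value
```

Deleting a user's rows from the table is what logs out a single device or all of them, which the password-hash-in-cookie approach cannot do without changing the password.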

ipokos, 2018-02-05
@ipokos

Is it possible to do so?

No.
Credentials, results of checks, validations are stored in the session.
