[cgiapp] Safe way to remember user login?

Steve Comrie steve at octane.to
Tue Jan 13 15:04:56 EST 2009


The way I've accomplished this is by adding something like an md5key 
column to the users database.

When someone checks the "remember me" button you can generate a key 
based on something like, their username / password / the current date + 
some salt (or whatever you like).

Then store that key in the database table and pass a copy back to the 
user as a cookie with an expiration of 1 week (or however long you'd like).

Now, of course if someone gets a hold of that cookie information they 
will be able to log in. So for a little added security you might want to 
set up a second field in the user database beside the md5key field that 
contains a valid until date.

That way, when you check the cookie md5key vs the database md5key, you 
check first that they match (if not you have a problem right off the 
bat). If they do match and the current date is not past the md5key 
expiry date then you let the person into the system, otherwise, kick 
them back to the login screen.

---
Steve Comrie
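One way to implement the scheme Steve describes, as an added example that is not from the original thread (Python rather than Perl, since the design is language-independent): it keeps his two columns and two checks but swaps the md5 of username/password/date for a random token whose SHA-256 hash is stored, so a copied users table does not give away working cookies. The USERS dictionary and the function names are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-in for the users table. The post's "md5key" and
# "valid until" columns become token_hash and token_expires (a Unix timestamp).
USERS = {"lyle": {"token_hash": None, "token_expires": None}}

REMEMBER_SECONDS = 7 * 24 * 3600  # the one-week cookie lifetime from the post

def _hash_token(token: str) -> str:
    # Only the hash is stored, so a leaked users table does not yield usable
    # cookies; the raw token exists only in the user's browser.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_remember_token(username: str, now: float) -> dict:
    """Called when the user ticks "remember me" after a normal login.
    Returns the cookie the application should set on the response."""
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    expires = now + REMEMBER_SECONDS
    USERS[username]["token_hash"] = _hash_token(token)
    USERS[username]["token_expires"] = expires
    return {"name": "remember", "value": f"{username}:{token}",
            "expires": expires, "httponly": True, "secure": True}

def check_remember_cookie(cookie_value: str, now: float):
    """Validate the cookie on a later visit. Returns the username to log in,
    or None when the visitor should be sent back to the login screen."""
    username, sep, token = cookie_value.partition(":")
    row = USERS.get(username)
    if not sep or row is None or row["token_hash"] is None:
        return None
    # Step 1 from the post: the cookie key must match the stored key
    # (compare_digest keeps the check constant-time).
    if not hmac.compare_digest(row["token_hash"], _hash_token(token)):
        return None
    # Step 2: the stored valid-until date must not be in the past.
    if now > row["token_expires"]:
        return None
    return username

def revoke_remember_token(username: str) -> None:
    # On explicit logout, clear the row so the old cookie cannot be replayed.
    USERS[username]["token_hash"] = None
    USERS[username]["token_expires"] = None
```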

Lyle wrote:
> Hi All,
>  I know a lot of sites have a check box for "remember me" or what not. 
> But I'm trying to figure out a safe way to do this. Saving the 
> username and password in cookies wouldn't be secure, so I guess some 
> kind of cookie ID. But then once you display the login form you'd be 
> writing out the password into the <input type=password value=XXXX>, 
> which isn't secure either as someone could view source and grab it.
>
> I'm guessing this kind of thing has come up for a lot of people on 
> this list, care to share a solution?
>
>
> Lyle
>
>
