Keeping users logged in without cookie

I was wondering if there was any other way to keep users logged in when they revisit my website even though the session has expired.

I currently use a cookie based method, but I was wondering if there were other methods people are using.

No, there is no [reliable] method besides cookies.

There are other methods, but you should refrain from using them because they in no way are as reliable as cookies.

  • You can use an IP-based login system. If using this, you will see issues with multiple users from the same IP.
  • You can generate a special link for users that is uniquely generated and make a login based on that.

Instead of worrying about doing it another way, you should work on making your cookie-using system more secure.

This is a very old question, but for the sake of future visitors, I would like to supply an answer.

You SHOULD use cookies. Like the other answers have noted, they are the most reliable method out there. If you want to make sure the user isn't visiting with an expired cookie, write the time at which it expires as a cookie with a checksum.

Here's an example using PHP:

// $cookieKey and $cookieValue are the name and value of your login cookie.
$expireTime = time() + (60*60*24*3); // 3 days ( 60 seconds * 60 minutes * 24 hours * 3 days )
$rawPepper = openssl_random_pseudo_bytes(16); // random per-cookie value
$hexPepper = bin2hex($rawPepper);
setcookie($cookieKey, $cookieValue, $expireTime);
setcookie("expiresWhen", $expireTime, $expireTime);
setcookie("rand", $hexPepper, $expireTime);
// The checksum binds the cookie value, its expiry time and the pepper to the server-side salts.
$hash_1 = hash('sha512', "Your_Super_Secret_Salt" . $cookieValue . "Another_Super_Secret_Salt!" . $expireTime);
$hash_2 = hash('sha512', "Yet_Another_Salt!" . $hash_1 . $hexPepper);
setcookie("checksum", $hash_2, $expireTime);

Then in your other PHP form for validation you say:

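// Missing cookies become empty strings so the check below fails cleanly.
$expires = $_COOKIE['expiresWhen'] ?? '';
$pepper = $_COOKIE['rand'] ?? '';
$cookieVal = $_COOKIE[$cookieKey] ?? '';
$givenCheckSum = $_COOKIE['checksum'] ?? '';

$hash_1 = hash('sha512', "Your_Super_Secret_Salt" . $cookieVal . "Another_Super_Secret_Salt!" . $expires);
$correctCheckSum = hash('sha512', "Yet_Another_Salt!" . $hash_1 . $pepper);

// hash_equals() compares in constant time and avoids loose-comparison type juggling.
if(!hash_equals($correctCheckSum, $givenCheckSum) || (int)$expires < time()){
      /* Checksum does not match or the cookie has expired. Handle as you please */
}else{
     /* Cookie is still valid */
}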

Anyone care to make corrections to this or supply suggestions?
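
Following the request for corrections above, here is an added example (not part of the original answers) of the same signed-expiry idea built on a keyed HMAC with a constant-time comparison. The function names, the single-cookie layout and the demo key are assumptions made for illustration.

```php
<?php
// Added example: names, cookie layout and key are assumptions, not the answer's code.
// The key is constructed for the demo; load a random 32-byte secret from server config instead.
const COOKIE_KEY = 'constructed-demo-key-replace-with-32-random-bytes';

// Build "base64(payload)|expiry|mac", where mac = HMAC-SHA256(key, "base64(payload)|expiry").
function signCookie(string $payload, int $expires, string $key = COOKIE_KEY): string
{
    $body = base64_encode($payload) . '|' . $expires;
    return $body . '|' . hash_hmac('sha256', $body, $key);
}

// Return the payload if the MAC is valid and the expiry is in the future, else null.
function verifyCookie(string $cookie, int $now, string $key = COOKIE_KEY): ?string
{
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) {
        return null;                       // malformed or missing fields
    }
    [$b64, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $b64 . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time, no type juggling
        return null;                       // value or expiry was altered
    }
    if (!ctype_digit($expires) || (int)$expires <= $now) {
        return null;                       // correctly signed, but past its expiry
    }
    $payload = base64_decode($b64, true);
    return $payload === false ? null : $payload;
}

// Constructed sample run (no real user data).
$now    = time();
$cookie = signCookie('user-42-token', $now + 3 * 86400);

// Case 1: unmodified cookie checked before its expiry.
var_dump(verifyCookie($cookie, $now));
// Case 2: same cookie checked four days later, after the signed expiry.
var_dump(verifyCookie($cookie, $now + 4 * 86400));
// Case 3: client pushes the expiry forward without knowing the key.
[$b, $e, $m] = explode('|', $cookie);
var_dump(verifyCookie($b . '|' . ($e + 86400) . '|' . $m, $now));
```

Because the expiry is covered by the MAC, the server can trust it without storing it, and the whole string fits in one cookie that should be set with the Secure and HttpOnly flags.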
