
stay logged in function php

I am making a php page that allows the user to stay logged in and I am checking the user's current IP against one stored in a sql table.

I store the user id in the cookie not the ip.

What other checks should I be doing? As I don't think right now the IP is enough.

It depends on cookies to make users stay logged in to your application or website. The user's IP may change, so it is not applicable for this feature. It is just writing a cookie and then reading it on login.

You might want to store user details in sessions. Cookies are relatively unsafe and could be used for privilege escalation.

A hashed session cookie is good for keeping a user logged in. That's because the cookie stays on the user's computer, and allows it to access session data. Hashing it adds a layer of security.

A user's IP address isn't so good as either a cookie or a session variable. For one thing, it can change (as in a smartphone moving from one tower's range to another). For another, it can be shared (as in multiple users riding on the same wireless router). Finally, IP addresses can be spoofed.

Sessions, on the other hand, will only last as long as the browser is open (subject to session timeouts set on the server side). In this case, the session establishes one session cookie that allows the browser to point to session data on the server.

Session data is much more secure, since that one session cookie is all that's resident on the user's machine for the duration of the browser session. That way you can store more sensitive data (user name, personally identifiable info, or account data) on the server.

The only way to access session data is through that user's one single session cookie, which is normally a very long string of random characters. Hashing it makes it very difficult to unscramble.

IP can change so it is not a good idea to use IP for "stay logged in". The best way is using API keys in cookies. This way allows users to log in even when they change their IPs (like when they are connected to proxies). See the question below: "Keep Me Logged In" - the best approach
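The answers above all point the same way: the cookie should carry a random, unguessable token rather than the user id, the server should store only a hash of that token (so a leaked table cannot be replayed as cookies), and the cookie should be HttpOnly and Secure. The following is an added example that is not part of the original question or any of the answers; it shows one common way to implement this in PHP. The table name `persistent_logins`, the cookie name `remember_me`, the helper functions and the in-memory SQLite database are all assumptions made for the example so that it runs stand-alone.

```php
<?php
// Added example: a "keep me logged in" token in PHP. Not code from the original page.
// Assumed schema and names: table `persistent_logins`, cookie `remember_me`.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days, an assumed policy value

function setupSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS persistent_logins (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires        INTEGER NOT NULL
    )');
}

// Call after a successful password login when the user ticked "keep me logged in".
// The cookie gets "selector:validator"; the database keeps only sha256(validator).
function issueRememberToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));  // public lookup key for the row
    $validator = bin2hex(random_bytes(32)); // the secret; never stored in clear
    $stmt = $db->prepare(
        'INSERT INTO persistent_logins (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);

    $cookieValue = $selector . ':' . $validator;
    if (PHP_SAPI !== 'cli') { // headers cannot be sent from the command-line demo below
        setcookie(REMEMBER_COOKIE, $cookieValue, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,   // only over HTTPS
            'httponly' => true,   // not readable by page scripts
            'samesite' => 'Lax',
        ]);
    }
    return $cookieValue;
}

// Call on requests that have no active session. Returns the user id, or null
// when the cookie is missing, malformed, expired, unknown or tampered with.
function userFromRememberCookie(PDO $db, ?string $cookieValue): ?int
{
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);

    $stmt = $db->prepare(
        'SELECT validator_hash, user_id, expires FROM persistent_logins WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }

    // hash_equals compares in constant time, so a wrong guess leaks no timing signal.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector but wrong secret: the cookie was altered or copied.
        // Revoke the token so the legitimate copy stops working too and the
        // user is forced to log in again with a password.
        $db->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return (int) $row['user_id'];
}

// Stand-alone demo against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);

$cookie = issueRememberToken($db, 42);
var_dump(userFromRememberCookie($db, $cookie));       // valid token
var_dump(userFromRememberCookie($db, $cookie . 'x')); // tampered validator, revokes the row
var_dump(userFromRememberCookie($db, $cookie));       // original cookie no longer accepted
```

In a real application the `remember_me` cookie would be read from `$_COOKIE[REMEMBER_COOKIE]`, a successful lookup would start a normal PHP session for the user, and the row should be deleted on logout and when the password changes. The split into a selector and a validator is what lets the database lookup use a plain indexed column while the comparison of the secret stays constant-time.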
