Bytes | Software Development & Data Engineering Community
how to create 'remember login' functionality during login

Hi!
Could anyone give me some clue as to how to create 'remember login'
functionality during login?
Thanks
Sukalyan

Oct 30 '07 #1
On Oct 30, 4:24 am, jatrojoomla <jatrojoo...@gmail.com> wrote:
> Hi!
> could anyone give me some clue that how to create 'remember login'
> functionality during login
> Thanks
> Sukalyan
cookies

http://www.w3schools.com/php/php_cookies.asp

Oct 30 '07 #2
jatrojoomla wrote:
> Hi!
> could anyone give me some clue that how to create 'remember login'
> functionality during login
> Thanks
> Sukalyan
You would use something along the lines of:
if (!empty($_POST['remember']))
{
    // only reached once the submitted credentials have been verified
    setcookie("username", $username, time()+3600, "/", "yourwebsite.com");
}

Obviously you'd want this done after all login credentials have been
checked.
Oct 30 '07 #3
Don't use cookies. They are not secure and some people have cookies
turned off in their browsers. Use sessions instead.

Oct 30 '07 #4
"macca" <pt*******@googlemail.com> wrote in message
news:11**********************@z9g2000hsf.googlegroups.com...
> dont use cookies. They are not secure and some people have cookies
> turned off in their browsers. Use sessions instead.
Sessions are worthless for a "remember login" function.
Oct 30 '07 #5
On Tue, 30 Oct 2007 20:41:35 +0100, macca <pt*******@googlemail.com> wrote:
> dont use cookies. They are not secure and some people have cookies
> turned off in their browsers. Use sessions instead.
Which is no use for a 'remember me' feature as the sessionid will have to
get to the script some way: either by GET query-string, POST value (both
of which aren't available on the next visit) or COOKIE value (which BTW is
the default for sessions). A cookie is the only way to implement this, and
for security reasons I always advise clients to forget about that feature.
--
Rik Wasmus
Oct 30 '07 #6
"Rik Wasmus" <lu************@hotmail.com> wrote in message
news:op***************@metallium.lan...
> Which is no use for a 'remember me' feature as the sessionid will have to
> get to the script some way: either by GET query-string, POST value (both
> of which aren't available on the next visit) or COOKIE value (which BTW is
> the default for sessions). A cookie is the only way to implement this, and
> for security reasons I always advise clients to forget about that feature.
That sentiment always reminds me of Tony Soprano.
In one episode, a bean-counter is working on the books while Tony plots some
scheme.
Mid-sentence, Tony stops and says "Hey, turn that thing off - that cookie
shit scares the hell out of me."

Cookies won't hurt you.
Oct 30 '07 #7
.oO(macca)
> dont use cookies. They are not secure and some people have cookies
> turned off in their browsers. Use sessions instead.
Sessions:

1) don't work here, as said
2) usually also use cookies (the SID can also be part of the URL, but
then it's even more insecure than the cookie)

Micha
Oct 30 '07 #8
"Michael Fesser" <ne*****@gmx.de> wrote in message
news:tn********************************@4ax.com...
> .oO(macca)
>> dont use cookies. They are not secure and some people have cookies
>> turned off in their browsers. Use sessions instead.
>
> Sessions:
>
> 1) don't work here, as said
> 2) usually also use cookies (the SID can also be part of the URL, but
> then it's even more insecure than the cookie)
That's like saying chicken is a dangerous meat - simply because it contains
live salmonella.
In fact - it's healthier and safer than other meats.

Handled well - cookies are safe, too.

It's totally OK to use cookies to remember site preferences - screen size,
number of columns, etc.
And even to re-greet a returning user.
But then, when they try to do anything secure - ask for login creds.

Zend.com seems to do it this way.


Oct 30 '07 #9
On 2007-10-30 14:21:56 +0100, Chris Gorospe <ch***@ekast.com> said:
> You would use something along the lines of:
> if (!empty($_POST['remember']))
> {
>     setcookie("username", $username, time()+3600, "/", "yourwebsite.com");
> }
>
> Obviously you'd want this done after all login credentials have been checked.
I would have lotsa fun with this feature if I wasn't a nice guy. Even
some standard browsers let you manipulate cookies. You should also
store a string to check the validity of the cookie and the last known IP
address.

Example
$supersecret = 'mysecret';
// bind the cookie to the client address, the username and a server-side secret
$md5hash = md5($_SERVER['REMOTE_ADDR'] . $username . $supersecret);
add this value to the cookie.

on every page check if the md5hash of the username, ip and supersecret
match the md5hash in the cookie

Floortje

Oct 31 '07 #10
On Wed, 31 Oct 2007 21:30:58 +0100, Sanders Kaufman <bu***@kaufman.net> wrote:
> "floortje" <no**@none.none> wrote in message
> news:47***********************@news.wanadoo.nl...
>> I would have lotsa fun with this feature if I wasn't a nice guy. Even some
>> standard browsers let you manipulate cookies. You should also store a
>> string to check the validity of the cookie and the last know ip adress.
>>
>> Example
>> $supersecret = 'mysecret';
>> $md5hash = md5($_SERVER['REMOTE_ADDR'] . $username . $supersecret);
>> add this value to the cookie.
>>
>> on every page check if the md5hash of the username, ip and supersecret
>> match the md5hash in the cookie
>
> I use a "loginCookieValue" (UUID) in the users database.
> Every page-view gets a new one.
> That way - even if a would-be hacker steals a "session" for one page, it
> won't be good for the next.
Do you mean every arbitrary request will alter one and the same cookie, or
every single path gets its own? Both have some drawbacks, mostly race /
simultaneous requests conditions (and a hacker gets a new one too) for the
first, people screaming they're 'logged out' when they haven't even logged
in, but just request a previously unvisited page for the latter. But maybe
I'm looking at it wrong. Could you elaborate?
--
Rik Wasmus
Oct 31 '07 #11
On 2007-10-31 21:30:58 +0100, "Sanders Kaufman" <bu***@kaufman.net> said:
>> of the username, ip and supersecret
>> match the md5hash in the cookie
>
> I use a "loginCookieValue" (UUID) in the users database.
> Every page-view gets a new one.
> That way - even if a would-be hacker steals a "session" for one page, it
> won't be good for the next.
Even better of course, but I'd still check the IP.

Floortje

Oct 31 '07 #12
On Wed, 31 Oct 2007 21:56:57 +0100, floortje <no**@none.none> wrote:
> On 2007-10-31 21:30:58 +0100, "Sanders Kaufman" <bu***@kaufman.net> said:
>>> of the username, ip and supersecret
>>> match the md5hash in the cookie
>> I use a "loginCookieValue" (UUID) in the users database.
>> Every page-view gets a new one.
>> That way - even if a would-be hacker steals a "session" for one page, it
>> won't be good for the next.
>
> Even better offcourse but i'd still check the ip.
Then you'll be quite miserable with for instance AOL users. Sometimes
those people seem to change IP (during a session I might add) due to their
proxy network I believe...
--
Rik Wasmus
Oct 31 '07 #13
On 2007-10-31 22:04:09 +0100, "Rik Wasmus" <lu************@hotmail.com> said:
> On Wed, 31 Oct 2007 21:56:57 +0100, floortje <no**@none.none> wrote:
>> On 2007-10-31 21:30:58 +0100, "Sanders Kaufman" <bu***@kaufman.net> said:
>>>> of the username, ip and supersecret
>>>> match the md5hash in the cookie
>>> I use a "loginCookieValue" (UUID) in the users database.
>>> Every page-view gets a new one.
>>> That way - even if a would-be hacker steals a "session" for one page, it
>>> won't be good for the next.
>>
>> Even better offcourse but i'd still check the ip.
>
> Then you'll be quite miserable with for instance AOL users. Sometimes
> those people seem to change IP (during a session I might add) due to
> their proxy network I believe...
AOL Proxy sends X-Forwarded-For so there should be little trouble but
your point is still valid. I personally never had any complaints but
that says little.

Floortje

Oct 31 '07 #14
.oO(floortje)
> On 2007-10-31 22:04:09 +0100, "Rik Wasmus" <lu************@hotmail.com> said:
>> On Wed, 31 Oct 2007 21:56:57 +0100, floortje <no**@none.none> wrote:
>>> Even better offcourse but i'd still check the ip.
>>
>> Then you'll be quite miserable with for instance AOL users. Sometimes
>> those people seem to change IP (during a session I might add) due to
>> their proxy network I believe...
>
> AOL Proxy sends X-forwarded-for so there should be little trouble but
> your point is still valid. I personally never had any complaints but
> that sais little.
Exactly. Not all proxies send that header, and there are many more ISPs
or company networks that use proxies. Relying on the IP is a bad idea in
general, simply because it's not unique to a particular visitor.

Micha
Oct 31 '07 #15
"floortje" <no**@none.none> wrote in message
news:47*********************@news.wanadoo.nl...
> On 2007-10-31 21:30:58 +0100, "Sanders Kaufman" <bu***@kaufman.net> said:
>> I use a "loginCookieValue" (UUID) in the users database.
>> Every page-view gets a new one.
>> That way - even if a would-be hacker steals a "session" for one page, it
>> won't be good for the next.
>
> Even better offcourse but i'd still check the ip.
Way ahead of ewe...

function UUID(){
    // 36-character version-4 layout: xxxxxxxx-xxxx-4xxx-yxxx-xxxxxxxxxxxx
    // (note: mt_rand() is not a cryptographically secure generator)
    return sprintf('%04x%04x-%04x-%04x-%04x-%04x%04x%04x',
        mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ),
        mt_rand( 0, 0x0fff ) | 0x4000, mt_rand( 0, 0x3fff ) | 0x8000,
        mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ), mt_rand( 0, 0xffff ));
}
$sCookie = $_SERVER['REMOTE_ADDR'] . UUID();

Nov 1 '07 #16
(Top-posting because replying to your message didn't bring the quotes in.
Hmmm)

I mean
1. Every page gets a PHP session.
2. Every session in which creds are validated gets a UUID cookie value.
3. Every subsequent page request gets and sets a new UUID.

The cookie format is IP-UUID-UUID-UUID-UUID.

If you spoof the IP (easy enough) and UUID (very tough) you can still get
customized content.
But to get at secure data, you have to login to the session.

My thing here is that I have various levels of "logged in".
There's logging in to the site. (cookie)
Then there's logging in to access secure data. (session)
Then there's logging in to access webmaster stuff. (https/session).

If you're gonna use cookies to do logins, that's the best way.


"Rik Wasmus" <lu************@hotmail.com> wrote in message
news:op***************@metallium.lan...
> On Wed, 31 Oct 2007 21:30:58 +0100, Sanders Kaufman <bu***@kaufman.net>
>> I use a "loginCookieValue" (UUID) in the users database.
>> Every page-view gets a new one.
>> That way - even if a would-be hacker steals a "session" for one page, it
>> won't be good for the next.
>
> Do you mean every arbitrary request will alter one and the same cookie, or
> every single path gets its own? Both have some drawbacks, mostly race /
> simultaneous requests conditions (and a hacker gets a new one too) for the
> first, people screaming they're 'logged out' when they haven't even logged
> in, but just request a previously unvisited page for the latter. But maybe
> I'm looking at it wrong. Could you elaborate?
> --
> Rik Wasmus
Nov 1 '07 #17
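Added example, my code rather than any poster's: Sanders Kaufman's design of a random value kept in the users database and replaced on every use, written so that the cookie carries no IP (the thread shows IPs are shared and change mid-session) and the database stores only a hash of the secret. It assumes PDO; the in-memory SQLite table, its column names and the user id 42 are constructed for the walk-through.

```php
<?php
// Added example, not code from the thread. Follows Sanders Kaufman's design of a
// random per-user value kept in the users database and replaced on each use, but
// leaves the client IP out of the cookie, since the thread shows IPs are shared and
// change mid-session. Assumes PDO; an in-memory SQLite table (a constructed schema)
// stands in for the real users database so the script runs offline.
declare(strict_types=1);

const COOKIE_NAME = 'remember';
const TOKEN_TTL   = 30 * 24 * 3600;   // 30 days

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One row per remembered browser, so a user can be remembered on several devices.
    $db->exec('CREATE TABLE remember_tokens (
                   selector       TEXT PRIMARY KEY,
                   validator_hash TEXT NOT NULL,
                   user_id        INTEGER NOT NULL,
                   expires        INTEGER NOT NULL)');
    return $db;
}

// Call only after the submitted credentials have been verified.
function issueRememberToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // the secret; only its hash is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + TOKEN_TTL]);
    $value = $selector . ':' . $validator;
    if (!headers_sent()) {
        // HttpOnly keeps page scripts away from it; Secure keeps it off plain HTTP.
        setcookie(COOKIE_NAME, $value, [
            'expires'  => time() + TOKEN_TTL, 'path' => '/',
            'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// Returns the user id for a valid cookie, or null. Tokens are single-use: the row
// is deleted on every lookup and a fresh token issued on success, so a stolen copy
// stops working as soon as the legitimate browser is used again.
function checkRememberToken(PDO $db, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    // hash_equals() compares in constant time, so response timing does not leak the
    // validator; storing only the hash means a database leak yields no usable cookies.
    if ((int) $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    issueRememberToken($db, $userId);   // rotate
    return $userId;
}

// Constructed walk-through: issue a cookie for user 42 and present it more than once.
$db     = setupDb();
$cookie = issueRememberToken($db, 42);
var_dump(checkRememberToken($db, $cookie));   // the browser's next visit
var_dump(checkRememberToken($db, $cookie));   // the same, already rotated, cookie again
var_dump(checkRememberToken($db, 'bogus'));   // a malformed value
```

Because each lookup deletes the row before the new token is issued, two simultaneous requests with the same cookie cannot both succeed, which is the race Rik Wasmus asks about; the losing request simply gets a null and falls back to the normal login form.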
.oO(Sanders Kaufman)
> (Top-posting because replying to your message didn't bring the quotes in.
> Hmmm)
A known OE bug when replying to a message which was encoded in Quoted-
Printable or Base64.

Micha
Nov 1 '07 #18
"Michael Fesser" <ne*****@gmx.de> wrote in message
news:15********************************@4ax.com...
> .oO(Sanders Kaufman)
>> (Top-posting because replying to your message didn't bring the quotes in.
>> Hmmm)
>
> A known OE bug when replying to a message which was encoded in Quoted-
> Printable or Base64.
Wait - doesn't the SMTP spec specifically say you should use one of those?
That would mean it's only buggy with righteous messages.
Zat so?

Man, I hate that I'm on Windows again!
I've been clean and sober for a year, and now I'm back on the MS junk.
I burned out my old P4 and bought a refurb for $300.
It had a little zip-lock baggie with the stuff right there in the box.
http://www.epinions.com/content_403826380420

I didn't even realize I was using again because I'm all into this project
and just loaded Zend up and went to work.
http://www.epinions.com/content_290447527556

But for some dumbass reason, I installed Firefox without Thunderbird.
Windows is no good unless you can run Linux apps on it. :)

Nov 1 '07 #19
On Thu, 01 Nov 2007 20:13:07 +0100, Sanders Kaufman <bu***@kaufman.net> wrote:
> But for some dumbass reason, I installed Firefox without Thunderbird.
> Windows is no good unless you can run Linux apps on it. :)
Hmmm, there's Thunderbird for windows. Or isn't that what you meant?
--
Rik Wasmus
Nov 1 '07 #20
"Michael Fesser" <ne*****@gmx.de> wrote in message
news:o9********************************@4ax.com...
> .oO(Sanders Kaufman)
>> You *have* to rely on IP's in the identification process
>
> A single user can have a dozen IPs and a dozen users can have the same
> IP. What do you want to identify there?
The current user, of course. Or in a word... "currency".
While it's true a user can come from any number of IPs - they can only come
from one per session.

If that changes from the time that they login to the time they do something
secure, you gotta revalidate.
If you don't, then you open a window for session hijackers.

That's not so bad for safe data - like custom UI content and such.
Nobody gets hurt if the session is hijacked.

This is why banks still have tellers.
Most stuff is totally safe to do at an ATM.
Some stuff requires a more *personal* transaction.
Nov 1 '07 #21
.oO(Sanders Kaufman)
> "Michael Fesser" <ne*****@gmx.de> wrote in message
> news:15********************************@4ax.com...
>> .oO(Sanders Kaufman)
>>> (Top-posting because replying to your message didn't bring the quotes in.
>>> Hmmm)
>>
>> A known OE bug when replying to a message which was encoded in Quoted-
>> Printable or Base64.
>
> Wait - doesn't the SMTP spec specifically say you should use one of those?
SMTP usually uses 7-bit ASCII chars. The "Content-Transfer-Encoding"
header is specified in the MIME RFC to accommodate for these transport
restrictions.
> That would mean it's only buggy with righteous messages.
Not exactly. There are some more possible encodings.

Micha
Nov 1 '07 #22
On Thu, 01 Nov 2007 20:27:04 +0100, Sanders Kaufman <bu***@kaufman.net> wrote:
> "Michael Fesser" <ne*****@gmx.de> wrote in message
> news:o9********************************@4ax.com...
>> .oO(Sanders Kaufman)
>>> You *have* to rely on IP's in the identification process
>>
>> A single user can have a dozen IPs and a dozen users can have the same
>> IP. What do you want to identify there?
>
> The current user, of course. Or in a word... "currency".
> While it's true a user can come from any number of IP's - they can only
> come from one per session.
False.

1. A user can change IP within milliseconds between requests easily.
2. Behind 1 IP you can have hundreds, even thousands of users.
--
Rik Wasmus
Nov 1 '07 #23
Sanders Kaufman wrote:
> "Michael Fesser" <ne*****@gmx.de> wrote in message
> news:o9********************************@4ax.com...
>> .oO(Sanders Kaufman)
>>> You *have* to rely on IP's in the identification process
>> A single user can have a dozen IPs and a dozen users can have the same
>> IP. What do you want to identify there?
>
> The current user, of course. Or in a word... "currency".
> While it's true a user can come from any number of IP's - they can only come
> from one per session.
Wrong. Each request may come from a different IP - for instance, if
they have multiple proxies running in parallel. AOL is an example.
> If that changes from the time that they login to the time they do something
> secure, you gotta revalidate.
> If you don't, then you open a window for session hijackers.
Revalidate on every request?
> That's not so bad for safe data - like custom UI content and such.
> Nobody gets hurt if the session is hijacked.
>
> This is why banks still have tellers.
> Most stuff is totally safe to do at an ATM.
> Some stuff requires a more *personal* transaction.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Nov 1 '07 #24
Sanders Kaufman wrote:
> "Michael Fesser" <ne*****@gmx.de> wrote in message
> news:o9********************************@4ax.com...
>> .oO(Sanders Kaufman)
>>> You *have* to rely on IP's in the identification process
>> A single user can have a dozen IPs and a dozen users can have the same
>> IP. What do you want to identify there?
>
> The current user, of course. Or in a word... "currency".
> While it's true a user can come from any number of IP's - they can only come
> from one per session.
Another example would be if the user has a dynamic address and the lease
expires. There is nothing to indicate a new lease will get the same ip
address.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Nov 1 '07 #25
> The current user, of course. Or in a word... "currency".
> While it's true a user can come from any number of IP's - they can only come
> from one per session.
Incorrect. They can have multiple IPs per page view. If, for
example, you have a main page, 3 frames, and 16 images, those
requests could come from 20 different IPs, just to view one page.
More if any redirects are involved. For reasonably short sessions,
it is possible that the user will never use the same IP twice.

Oh, yes, users in this situation (e.g. AOL users) may not be able
to turn this behavior off even if their lives depended on it. Don't
assume that all AOL users only use AOL to "hide". AOL has customers
besides spammers and scammers. And most of the SPAM and scams that
appear to come from AOL don't actually originate there.

On the other hand, very large organizations may have a single proxy
server so there may be tens of thousands of users all with the
*SAME* IP. These users probably can't turn that off, either, if
they want any Internet web access at all.
> If that changes from the time that they login to the time they do something
> secure, you gotta revalidate.
Translation: THEY CAN *NEVER* GET IN. Or at least not within a
reasonable human lifetime.
> If you don't, then you open a window for session hijackers.
>
> That's not so bad for safe data - like custom UI content and such.
> Nobody gets hurt if the session is hijacked.
>
> This is why banks still have tellers.
> Most stuff is totally safe to do at an ATM.
> Some stuff requires a more *personal* transaction.
And apparently that isn't doable via your web site. Perhaps an
in-person meeting, with 10 bodyguards with machine guns on each
side would work better.

Nov 2 '07 #26
"Jerry Stuckle" <js*******@attglobal.net> wrote in message
news:A6******************************@comcast.com...
> Sanders Kaufman wrote:
>> The current user, of course. Or in a word... "currency".
>> While it's true a user can come from any number of IP's - they can only
>> come from one per session.
>
> Another example would be if the user has a dynamic address and the lease
> expires. There is nothing to indicate a new lease will get the same ip
> address.
That's only a problem if, between the time they login and the time they
access secure data, the IP is renewed.
Even then, the only "problem" is that they gotta login again.

And that happens how often? Coupla hours? Coupla days? Sometimes less
frequently?

But you got me thinkin....
I should be auto-checking to see if there's a brute-force attack, or if
someone is desperately trying to access their own account.

I don't KNOW that none of my users are getting a more frequent IP change - I
just assume so, and have not heard otherwise.
But my system should have a feature to tell when someone's login is getting
hammered - especially if it's coming from multiple IPs.

Nov 2 '07 #27
"Rik Wasmus" <lu************@hotmail.com> wrote in message
news:op***************@metallium.lan...
> On Thu, 01 Nov 2007 20:27:04 +0100, Sanders Kaufman <bu***@kaufman.net>
>> The current user, of course. Or in a word... "currency".
>> While it's true a user can come from any number of IP's - they can only
>> come from one per session.
>
> False.
OK - perhaps I should have said "legitimate" users.
Nov 2 '07 #28
Sanders Kaufman wrote:
> "Jerry Stuckle" <js*******@attglobal.net> wrote in message
> news:A6******************************@comcast.com...
>> Sanders Kaufman wrote:
>>> The current user, of course. Or in a word... "currency".
>>> While it's true a user can come from any number of IP's - they can only
>>> come from one per session.
>> Another example would be if the user has a dynamic address and the lease
>> expires. There is nothing to indicate a new lease will get the same ip
>> address.
>
> That's only a problem if, between the time they login and the time they
> access secure data, the IP is renewed.
> Even then, the only "problem" is that they gotta login again.
>
> And that happens how often? Coupla hours? Coupla days? Sometimes less
> frequently?
It all depends. I've seen them go from 30 minutes (i.e. hotels who
obviously don't have enough IP addresses for all their customers) to
once a week or more.
> But you got me thinkin....
> I should be auto-checking to see if there's a brute-force attack, or if
> someone is desperately trying to access their own account.
>
> I don't KNOW that none of my users are getting a more frequent IP change - I
> just assume so, and have not heard otherwise.
> But my system should have a feature to tell when someone's login is getting
> hammered - especially if it's coming from multiple IP's.

IP's are *never* reliable.

Just keep track, and if they've failed 5 times in 15 minutes, disable
them for an hour.
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================

Nov 3 '07 #29
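Added example, my code rather than any poster's: the lockout rule Jerry Stuckle gives above (five failures in 15 minutes, disabled for an hour), tracked per account rather than per IP since the thread establishes that IPs are shared and change between requests. It assumes PDO; the in-memory SQLite schema, the test account "alice" and the stepped clock passed as $now are constructed for the walk-through.

```php
<?php
// Added example, not code from the thread: the rule Jerry Stuckle gives above
// (five failed logins within 15 minutes disables the account for an hour), keyed
// on the account rather than the client IP because, as the thread shows, one user
// may arrive from many IPs and many users from one. Assumes PDO; an in-memory SQLite
// database with a constructed schema and test account stands in for the real one.
// The $now argument is a constructed clock so the walk-through can step through time.
declare(strict_types=1);

const MAX_FAILURES  = 5;
const FAIL_WINDOW   = 15 * 60;   // seconds
const LOCK_DURATION = 60 * 60;   // seconds

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL,
                                   locked_until INTEGER NOT NULL DEFAULT 0)');
    $db->exec('CREATE TABLE login_failures (username TEXT NOT NULL, at INTEGER NOT NULL)');
    $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
       ->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

function recordFailure(PDO $db, string $user, int $now): void
{
    $db->prepare('INSERT INTO login_failures VALUES (?, ?)')->execute([$user, $now]);
    // Only failures inside the sliding window count towards the lockout.
    $stmt = $db->prepare('SELECT COUNT(*) FROM login_failures WHERE username = ? AND at > ?');
    $stmt->execute([$user, $now - FAIL_WINDOW]);
    if ((int) $stmt->fetchColumn() >= MAX_FAILURES) {
        $db->prepare('UPDATE users SET locked_until = ? WHERE username = ?')
           ->execute([$now + LOCK_DURATION, $user]);
        $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$user]);
    }
}

// Returns 'ok', 'failed' or 'locked'. The lock is checked before the password so a
// locked account answers the same way whether or not the password was right.
function attemptLogin(PDO $db, string $user, string $password, int $now): string
{
    $stmt = $db->prepare('SELECT password_hash, locked_until FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row !== false && (int) $row['locked_until'] > $now) {
        return 'locked';
    }
    // Unknown account: still verify against a dummy hash so the timing matches a real one.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        if ($row !== false) {
            recordFailure($db, $user, $now);
        }
        return 'failed';
    }
    $db->prepare('DELETE FROM login_failures WHERE username = ?')->execute([$user]);
    return 'ok';
}

// Constructed walk-through with a stepped clock.
$db = setupDb();
$t  = 1700000000;
for ($i = 0; $i < MAX_FAILURES; $i++) {
    echo attemptLogin($db, 'alice', 'wrong', $t + $i * 60), "\n";   // one failure a minute
}
echo attemptLogin($db, 'alice', 'correct horse battery staple', $t + 6 * 60), "\n";    // right password during the lock
echo attemptLogin($db, 'alice', 'correct horse battery staple', $t + 70 * 60), "\n";   // after the lock has expired
```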
