Blog
Auto-login
2009-01-27 03:25:40 by Martynas Jusevičius
I wanted to implement an auto-login feature on one of the websites, also known as “remember me”. If a user was logged in the last time he/she was using the website, next time he/she accesses it (in a new browser window) the login should be carried out automatically, without the need to authenticate again. This is common nowadays, found on many login-based Web applications.
Sounds pretty simple, but I looked over PHP's session and cookie documentation and some examples, and had some second thoughts. Can the implementation be as simple as making the (cookie-based) session persistent, so that it never expires unless the user logs out? Or maybe it expires after some longer time, such as a month, which would probably be safer. This seems to be easily achieved by setting the PHP session cookie lifetime using session_set_cookie_params().
Maybe there are some caveats here? I'm aware of the session fixation exploit, but it seems that a cookie-based solution is one of the safer (not involving HTTPS), and widely-used as well.
Comments (15)
Don't do it!!
2009-01-27 05:39:10 by Jacob Santos
I do it on an e-commerce site. I'm also aware of the session fixation and at some point I'm going to do something about it. The problem, however, is that the user base is end users, so they'll most likely forget their passwords, and will most likely only ever use the site once a year.
2009-01-27 06:07:15 by Brian Moon
You might want to read my post about PHP sessions and cookie timeouts. http://brian.moonspot.net/2008/05/14/php-session-cookie-refresh/
Auto-login
The usual solution is a remember me cookie that persists, and individual session cookies for each session. You could persist the session indefinitely, but depending on what junk you put in the session cache, it could be risky.
Mats Lindh
We always go for the "remember me" cookie that persists with a long magic key. This key is then resolved to a user id in the database, and the session data is created from scratch - just as if the user had just logged in. This doesn't clutter the session storage with inactive sessions and doesn't leave (possibly sensitive) session data around. It's also not sensitive to session storage getting cleaned up from time to time (depending on your installation).
I also think that this fits better to the expected use of the "remember me" / "auto-login" feature.
2009-01-27 13:16:35 by Tomek
yep, what Mats wrote!
Web developer
Remember not to store any user login details in the remember me cookie, I've seen this done before and it's bad bad bad bad bad practice, in case the cookie is read by a third party.
The userId + a hash of the userId and something else should be enough to check against the DB and give them an authenticated session.
2009-01-27 17:12:05 by David Dashifen Kees
Can't stress enough what someone else said above: don't store login credentials! Store something hashed that identifies an account to the server but (hopefully) not to a human. Also, don't forget to use the session_regenerate_id() function to help avoid session fixation. If nothing else, it'll guarantee that whatever session ID the visitor gets prior to the auto-login (due to a fixation attack) gets switched to a new one when the auto-login happens.
2009-01-28 07:30:26 by serg
Oh thanks a lot
2009-01-28 22:31:59 by David
We have done this on a site in the past, and for security we had a cookie created with a hash to check against the DB. When the user auto-logs in, the hash is recreated in the cookie and the DB. Also, the cookie auto-expires if the user has not logged in for a week.
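The scheme the commenters above describe (a long random key in a persistent cookie, resolved to a user id in the database, the session id regenerated and the token rotated on each auto-login), as an added PHP example that is not code from the post or from any commenter. It assumes PHP 7.3+, a PDO connection, and a hypothetical remember_tokens table with the columns named in the comment.

```php
<?php
// Added example, not from the post or its comments. Assumes PHP 7.3+, a PDO handle, and a
// table remember_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64), user_id INT, expires INT).
// The cookie carries only random data; the DB keeps a hash of the validator, so neither a
// stolen cookie reveals credentials nor a leaked table lets anyone forge cookies.
const REMEMBER_COOKIE  = 'remember_me';
const REMEMBER_TTL_SEC = 7 * 24 * 3600;   // one week, as in David's comment

// Issue a fresh selector:validator pair, store the validator's hash, and set the cookie.
function issueRememberMe(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL_SEC;
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // HttpOnly keeps page scripts from reading the cookie; Secure limits it to HTTPS.
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Resolve the cookie to a user id, rotate the token and regenerate the session id.
// Returns null when the cookie is missing, malformed, expired or does not match.
function autoLogin(PDO $db): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
                          WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Lookup is by selector only; the secret validator is compared in constant time.
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    // One-time use: drop the presented token and issue a new one, as David describes.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    session_regenerate_id(true);   // a fixated session id is discarded here, per David Dashifen Kees
    $_SESSION['user_id'] = $userId;
    issueRememberMe($db, $userId);
    return $userId;
}
```

Call autoLogin() after session_start() on requests that carry no authenticated session; on logout, delete the user's rows from remember_tokens as well as clearing the cookie.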
Re:
yep, it could be risky
2009-06-22 08:51:52 by Rusli Zainal Sang Visioner
Thanks for sharing your thought. Wish you good
tips
thank you for your tips
cookie
I never implemented such a cookie, as it might be exploited by a third-party script to collect users' information.

2009-01-27 04:35:27 by Sam Shull