Rick Kukiela

Reputation: 1261

Endless PHP Session like Amazon does (theory)

Couldn't find a duplicate of this question, so here goes:

I'm interested in setting up a PHP site with accounts that work like Amazon does. And by that I mean, when I go to Amazon my session is always "logged in" but not really. The site knows who I am, I have access to my saved cart data and certain "insecure" account operations, but whenever I want to do anything like view my orders, or actually check out, I have to log in still.

I looked at the cookies while in the "not logged in but sort of logged in" state on Amazon and I didn't see anything jump out at me, but I'm guessing that they store some sort of identifier cookie that allows the site to start a session based on my user account but in an "unauthenticated" mode where most things are restricted but not all.

So I was wondering if anyone has any tips or gotchas regarding my idea for this:

1 - User accounts all have some sort of MD5 hash that's created based on the user name and password when the account is created / updated.

2 - Every time the session is authenticated it makes sure there is a /permanent/ cookie stored with this md5 hash.

3 - When visitors load a page, if there is no active session data for them, it checks for the md5 cookie and loads the user's basic "unauthenticated" info into the session that matches that md5, so now the site knows their name and their saved carts etc.

(Is it an issue that someone could try random md5 hashes to try to load different user names / carts thus getting "login email" addresses? Would it be worth my time to put some sort of brute force detection on the md5 checks?)

4 - When a user in the unauthenticated state tries to do something that requires authentication, the login page is shown, with the email / account name box pre-filled out. Then redirect to the requested action upon successful login.

(If there is no md5 cookie or the md5 is bad, just throw away the cookie and show the site in "no user" mode.)

Thoughts? Concerns? Better ideas?

Upvotes: 2

Views: 400

Answers (1)

Derek Pollard

Reputation: 7165

In order to do something like this, I'd suggest setting an encrypted cookie that you can read with a certain salt. Inside that salted/encrypted cookie, save the user ID and the date of the login, so you can set up a time limit, check the difference, and determine if you are going to allow them access to those certain insecure portions of the website.

I truly feel like this is the most efficient way to go about something like this. Save everything else in the database and just use the cookie's saved ID to grab information from the DB (after you decrypt the cookie, of course) for the rest of the data you want (cart, etc.).

Hope this helps!

Upvotes: 5
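As an added example (not code from the question or the answer), here is the answer's design in PHP: a cookie carrying the user ID and login time, encrypted and authenticated with libsodium and checked against a time limit, which only puts the session into the "unauthenticated" half-logged-in state the question describes. It assumes PHP 7.3+ with the sodium extension, a 32-byte key supplied hex-encoded in an environment variable called REMEMBER_KEY_HEX (assumed name) and a cookie named remember_me (assumed); it goes one step beyond the answer by using authenticated encryption, so a tampered or randomly guessed cookie fails to open instead of resolving to some other user's ID, which covers the "random hashes" concern in the question.

```php
<?php
// Added example (not code from the question or answer): a time-limited "remembered user" cookie
// along the lines the answer suggests. Assumes PHP >= 7.3 with the sodium extension and a
// 32-byte key supplied hex-encoded in the environment variable REMEMBER_KEY_HEX (assumed name).
declare(strict_types=1);
const REMEMBER_COOKIE   = 'remember_me';   // cookie name (assumed)
const REMEMBER_LIFETIME = 30 * 24 * 3600;  // 30 days in the "half logged in" state

// Cookie value = base64url( nonce || secretbox( json{uid, iat} ) ). secretbox is authenticated
// encryption, so a tampered or randomly guessed value fails to open rather than decoding at all.
function makeRememberCookie(int $userId, int $now, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = sodium_crypto_secretbox(json_encode(['uid' => $userId, 'iat' => $now]), $nonce, $key);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Returns the user ID if the cookie is genuine and younger than REMEMBER_LIFETIME, else null.
function readRememberCookie(string $cookie, int $now, string $key): ?int {
    try {
        $raw = sodium_base642bin($cookie, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null;                                 // not even valid base64: treat as "no user"
    }
    if (strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;                                 // too short to hold nonce + ciphertext
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    if ($plain === false) {
        return null;                                 // wrong key, tampered, or random bytes
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['uid'], $data['iat']) || $now - (int) $data['iat'] > REMEMBER_LIFETIME) {
        return null;                                 // malformed, or past the answer's time limit
    }
    return (int) $data['uid'];
}

// Page bootstrap: no session user yet, but a valid cookie => load only the "unauthenticated" basics.
// Orders/checkout still require $_SESSION['user']['authenticated'] === true after a password login.
$key = sodium_hex2bin((string) getenv('REMEMBER_KEY_HEX'));   // must decode to exactly 32 bytes
session_start();
if (empty($_SESSION['user']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $uid = readRememberCookie((string) $_COOKIE[REMEMBER_COOKIE], time(), $key);
    if ($uid === null) {
        setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);   // bad cookie: throw it away
    } else {
        $_SESSION['user'] = ['id' => $uid, 'authenticated' => false];      // name and cart, not orders
    }
}
```

On a successful password login, set the cookie with makeRememberCookie() and flip the session's authenticated flag to true; the cookie never contains anything derived from the password, so rotating or changing it does not require touching stored credentials.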
