David

Reputation: 16726

Keeping users logged in without cookie

I was wondering if there was any other way to keep users logged in when they revisit my website even though the session has expired.

I currently use a cookie based method, but I was wondering if there were other methods people are using.

Upvotes: 1

Views: 2033

Answers (3)

Spencer D

Reputation: 3486

This is a very old question, but for the sake of future visitors, I would like to supply an answer.

You SHOULD use cookies. Like the other answers have noted, they are the most reliable method out there. If you want to make sure the user isn't visiting with an expired cookie, write the time at which it expires as a cookie with a checksum.

Here's an example using PHP:

// $cookieKey and $cookieValue are the name and value of your existing login cookie (assumed to be set earlier)
$expireTime = time() + (60*60*24*3); // 3 days ( 60 seconds * 60 minutes * 24 hours * 3 days )
$rawPepper = openssl_random_pseudo_bytes(16); // random per-login value stored alongside the checksum
$hexPepper = bin2hex($rawPepper);
setcookie($cookieKey, $cookieValue, $expireTime);
setcookie("expiresWhen", $expireTime, $expireTime);
setcookie("rand", $hexPepper, $expireTime);
$hash_1 = hash('sha512', "Your_Super_Secret_Salt" . $cookieValue . "Another_Super_Secret_Salt!" . $expireTime);
$hash_2 = hash('sha512', "Yet_Another_Salt!" . $hash_1 . $hexPepper);
setcookie("checksum", $hash_2, $expireTime);

Then in your other PHP form for validation you say:

$expires = $_COOKIE['expiresWhen'] ?? '';
$pepper = $_COOKIE['rand'] ?? '';
$cookieVal = $_COOKIE[$cookieKey] ?? '';
$givenCheckSum = $_COOKIE['checksum'] ?? '';

$hash_1 = hash('sha512', "Your_Super_Secret_Salt" . $cookieVal . "Another_Super_Secret_Salt!" . $expires);
$correctCheckSum = hash('sha512', "Yet_Another_Salt!" . $hash_1 . $pepper);

// hash_equals() compares in constant time; the clock check is needed because the checksum
// only proves the expiry value was not tampered with, not that the expiry has passed.
if(!hash_equals($correctCheckSum, $givenCheckSum) || (int)$expires < time()){
      /* user's cookie has expired or was tampered with. Handle as you please */
}else{
     /* Cookie is still valid */
}

Anyone care to make corrections to this or supply suggestions?

Upvotes: 2
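An added example, not code from the answer above: the same idea carried through with a keyed HMAC over the user id and expiry instead of salted hashes, a constant-time comparison, and an explicit check of the expiry against the clock. The secret constant, the function names and the sample user id are assumptions for this example.

```php
<?php
// Added example, not the original answer's code: one persistent-login cookie that
// carries the user id and expiry, authenticated by an HMAC under a server-side secret.
// REMEMBER_SECRET and the two function names are assumptions for this example.
const REMEMBER_SECRET = 'replace-with-a-long-random-secret-from-config'; // placeholder

function issueRememberToken(int $userId, int $ttlSeconds, string $secret = REMEMBER_SECRET): string
{
    $expires = time() + $ttlSeconds;
    $nonce   = bin2hex(random_bytes(16));              // makes every token unique
    $payload = "$userId|$expires|$nonce";
    $mac     = hash_hmac('sha256', $payload, $secret);  // keyed MAC, not a bare hash of secret . data
    return $payload . '|' . $mac;
}

/** Returns the user id, or null if the token is malformed, forged or expired. */
function verifyRememberToken(string $token, string $secret = REMEMBER_SECRET, ?int $now = null): ?int
{
    $now   = $now ?? time();
    $parts = explode('|', $token);
    if (count($parts) !== 4) {
        return null;
    }
    [$userId, $expires, $nonce, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', "$userId|$expires|$nonce", $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time compare, checked before anything else
        return null;
    }
    if ((int) $expires < $now) {           // the clock check a bare checksum scheme does not do
        return null;
    }
    return (int) $userId;
}

// Issue the cookie at login (user id 42 is a constructed sample): HttpOnly and Secure,
// cookie lifetime equal to the token's own expiry.
$ttl   = 3 * 24 * 60 * 60;
$token = issueRememberToken(42, $ttl);
setcookie('remember', $token, [
    'expires'  => time() + $ttl,
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

// On a later request: $userId is null unless the token verifies and is unexpired.
$userId = verifyRememberToken($_COOKIE['remember'] ?? '');
```

Because the token is self-contained, logging out or revoking a device still needs a server-side record (for example, the nonce stored per user) that verification also consults.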

Jan Dragsbaek

Reputation: 8101

There are other methods, but you should refrain from using them because they are in no way as reliable as cookies.

  • You can use an IP-based login system. If using this, you will see issues with multiple users from the same IP.
  • You can generate a special, uniquely generated link for users and base the login on that.

Instead of worrying about doing it another way, you should work on making your cookie-using system more secure.

Upvotes: 3

Your Common Sense

Reputation: 157897

No, there are no [reliable] methods beside a cookie.

Upvotes: 5
