best way to log in users, and keep them logged in

nassau · #1 (**permalink**) 01-11-06, 09:35 PM

my tools are php and mysql.
i want users to be able to log in to a preregistered account. they whould be able to autologin after the first time.

how do i make an optimal login function, how do i keep it secure and prevent users from logging into others accounts?

also, how do i keep the users logged in between reloads?

how is it usually done? do websites save username and password in a $_COOKIE locally on users machine? is this cookie matched between each reload or is it better to use $_SESSION? and if sessions should be used, is it better to use "cookie" sessions or "url" sessions?

all tips on security and ease of use is welcome. my users will have an ID, username and password. IDs and usernames are unique (no two users can have the same one).

thank you

Vineman · #2 (**permalink**) 01-11-06, 09:36 PM

Cookies are the way to go.

nassau · #3 (**permalink**) 01-11-06, 09:54 PM

thanks, but would you like to elaborate? use straight cookies and no sessions? write to cookie for each reload? is that what forums etc are doing?

any words of wisdom on security?

Critical · #4 (**permalink**) 01-12-06, 09:50 AM

I am using cookies and session.

Cookies for "Log in me next time"
Session for "Don't log me next time"

dennispopel · #5 (**permalink**) 01-13-06, 09:34 AM

Hello

So, first of all, cookies are the most widely used means of conweying inter-request data so that most sites use them to keep logged user info. Secondly, they just store the user login or user ID in the session vars so it is sufficient to do a lookup on the user ID. Third, the session IDs are strong enough that will make brute force efforts effectless compared to the short session lifetime.

nassau · #6 (**permalink**) 01-15-06, 04:08 PM

does anyone have any examples of code? most people say "go with cookies", but how?

should i store a value in the cookie saying "logged_in", along with username and encrypted password? is it that simple?

digioz · #7 (**permalink**) 01-15-06, 05:53 PM

In my opinion Sessions (server side) are the best way to go. Since Cookies are placed on the client side (visitor's computer), it can be manipulated a lot easier (so not very safe).

nassau · #8 (**permalink**) 01-15-06, 06:12 PM

but if one is to offer a permanent login (such as on this site), you'd be forced to use cookies. and if cookies are safe for that purpose, shouldn't they be safe for most other purposes?

i'm not saying you're wrong, i just want to discuss it.

digioz · #9 (**permalink**) 01-15-06, 06:29 PM

What I am basically saying is to not allow permanent / cookie based login, since doing so is risky. However, if you were to do permanent login, then cookies are the only way to do it. Just be aware that cookie based login system are extremely easy to bypass.

Christian · #10 (**permalink**) 01-15-06, 06:35 PM

I found this code at http://us3.php.net/manual/en/function.session-start.php

PHP Code:


			
session_start();

// this session will expire in 7 days

setcookie(session_name(),session_id(),time()+3600*24*7);

//                                                ^Remove The Double Space It Wont Work Right :(