Solved

Web Application " Keep me signed in" options

Posted on 2010-08-29
10
275 Views
Last Modified: 2012-08-13
Dear All:

I was planing  to implement "Keep me signed in" options on my application which required login each time and will time out after 30 minute time out idle currently.

My Questions:
1) what is the standard way to implement it with top security? Currently I am using cookie, session on my application.
2) How should i monitor on the application after implement this (security aspect) ? Any standard step should i implement it?

currently, i keep all user public IP address, login ID, and time, and which application he/she access.

please advice, many thanks.
0
Comment
Question by:simonlai
  • 6
  • 2
  • 2
10 Comments
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33552269
Use a cookie to supplement the session.  That is all you have to do.  See this man page.
http://us.php.net/manual/en/function.setcookie.php
0
 
LVL 108

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 33552277
The general design pattern would go something like this:

1. If there is a COOKIE, the client is signed in.
2. If there is no COOKIE, redirect to the login page.

The login page would validate the credentials (user id, password) and would set the COOKIE.

The logout page would clear the cookie.

I have an article here at EE that teaches the basics of login / logout processing.  Where the SESSION is used, you would add the code to use the COOKIE instead.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Please look it over and let me know if you have any questions.  HTH, ~Ray
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33552470
there's 1 thing you might want to consider.

I usually create a trustlevel session var. if it's cookie certain things like password changes are not allowed.

0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33552491
For password changes, (or monetary transactions) you would simply ask for the current password.  The cookie would have nothing to do with it.  The new password would be effective at the next login.  This is good enough for PayPal.

FWIW, PayPal also uses HTTPS (SSL) for its web site.  If security is a concern, you would want to use SSL, too.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33554248
@Ray  that's ofcourse a method..
but if you have a set of applications or modules you'd have to code them all to include that .. or you'd just have to check the trust level .. both have advantages.
it's a matter of choice..
I like to keep all in a user class and work with trust levels.. but that's just me .
Regards,
Peanuts
0
Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33554794
@p_nuts:  Agreed.  A simple call to the "check_password()" method on the "user" object is a one-line way to cover this important point.  The method could be stateful and return TRUE if the current state showed a satisfactory level of trust.  My ATM machine asks for the PIN number for every transaction.  Maybe they are thinking, "If I have a belt and braces, surely my pants won't fall down!"
0
 
LVL 1

Author Comment

by:simonlai
ID: 33559232
thanks all replied.......

Ray & p_nuts: get all your points.....

any other concept can monitor "Keep Me login" method??

many thanks
0
 
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 33560116
Not really - a cookie is how the professionals do it.  In the article I posted, you may note that it uses the session to preserve the login data.  The session sets a cookie that lives only as long as the browser window (or about 24 minutes of inactivity).  So if that cookie lived for a longer period of time, and it pointed to the same kind of data that is contained in the $_SESSION array... I am sure you get the picture.  Best regards, ~Ray
0
 
LVL 1

Author Closing Comment

by:simonlai
ID: 33680335
thanks ray...........
0
 
LVL 108

Expert Comment

by:Ray Paseur
ID: 33681927
Thanks for the points -- it's a good question, ~Ray
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
Boost your ability to deliver ambitious and competitive web apps by choosing the right JavaScript framework to best suit your project’s needs.
The purpose of this video is to demonstrate how to prevent comment spam on a WordPress Website. This will be demonstrated using a Windows 8 PC. Plugin Akismet will be used. Go to your WordPress login page. This will look like the following: myw…
The purpose of this video is to demonstrate how to set up basic WordPress SEO. This will be demonstrated using a Windows 8 PC. The plugin used will be WordPress SEO by Yoast. Go to your WordPress login page. This will look like the following: myw…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now