?
Solved

Web Application " Keep me signed in" options

Posted on 2010-08-29
10
Medium Priority
?
284 Views
Last Modified: 2012-08-13
Dear All:

I was planing  to implement "Keep me signed in" options on my application which required login each time and will time out after 30 minute time out idle currently.

My Questions:
1) what is the standard way to implement it with top security? Currently I am using cookie, session on my application.
2) How should i monitor on the application after implement this (security aspect) ? Any standard step should i implement it?

currently, i keep all user public IP address, login ID, and time, and which application he/she access.

please advice, many thanks.
0
Comment
Question by:simonlai
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 2
  • 2
10 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33552269
Use a cookie to supplement the session.  That is all you have to do.  See this man page.
http://us.php.net/manual/en/function.setcookie.php
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 33552277
The general design pattern would go something like this:

1. If there is a COOKIE, the client is signed in.
2. If there is no COOKIE, redirect to the login page.

The login page would validate the credentials (user id, password) and would set the COOKIE.

The logout page would clear the cookie.

I have an article here at EE that teaches the basics of login / logout processing.  Where the SESSION is used, you would add the code to use the COOKIE instead.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Please look it over and let me know if you have any questions.  HTH, ~Ray
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33552470
there's 1 thing you might want to consider.

I usually create a trustlevel session var. if it's cookie certain things like password changes are not allowed.

0
Learn by Doing. Anytime. Anywhere.

Do you like to learn by doing?
Our labs and exercises give you the chance to do just that: Learn by performing actions on real environments.

Hands-on, scenario-based labs give you experience on real environments provided by us so you don't have to worry about breaking anything.

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33552491
For password changes, (or monetary transactions) you would simply ask for the current password.  The cookie would have nothing to do with it.  The new password would be effective at the next login.  This is good enough for PayPal.

FWIW, PayPal also uses HTTPS (SSL) for its web site.  If security is a concern, you would want to use SSL, too.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33554248
@Ray  that's ofcourse a method..
but if you have a set of applications or modules you'd have to code them all to include that .. or you'd just have to check the trust level .. both have advantages.
it's a matter of choice..
I like to keep all in a user class and work with trust levels.. but that's just me .
Regards,
Peanuts
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33554794
@p_nuts:  Agreed.  A simple call to the "check_password()" method on the "user" object is a one-line way to cover this important point.  The method could be stateful and return TRUE if the current state showed a satisfactory level of trust.  My ATM machine asks for the PIN number for every transaction.  Maybe they are thinking, "If I have a belt and braces, surely my pants won't fall down!"
0
 
LVL 1

Author Comment

by:simonlai
ID: 33559232
thanks all replied.......

Ray & p_nuts: get all your points.....

any other concept can monitor "Keep Me login" method??

many thanks
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 2000 total points
ID: 33560116
Not really - a cookie is how the professionals do it.  In the article I posted, you may note that it uses the session to preserve the login data.  The session sets a cookie that lives only as long as the browser window (or about 24 minutes of inactivity).  So if that cookie lived for a longer period of time, and it pointed to the same kind of data that is contained in the $_SESSION array... I am sure you get the picture.  Best regards, ~Ray
0
 
LVL 1

Author Closing Comment

by:simonlai
ID: 33680335
thanks ray...........
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33681927
Thanks for the points -- it's a good question, ~Ray
0

Featured Post

Are You Using the Best Web Development Editor?

The worlds of web hosting and web development are constantly evolving. Every year we see design trends change, coding standards adapt and new frameworks/CMS created. With such a quick pace of change it’s easy to get lost trying to keep up.

See if your editor made the list.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Although a lot of people devote their energy toward marketing for specific industries, there are some basic principles that can be applied to any sector imaginable. We’ll look at four steps to take and examine how those steps were put into action fo…
Dramatic changes are revolutionizing how we build and use technology. Every company is automating, digitizing, and modernizing operations. We need a better, more connected way to work together as teams so we can harness the insights from our system…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…
The viewer will get a basic understanding of what section 508 compliance can entail, learn about skip navigation links, alt text, transcripts, and font size controls.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question