Solved

Web Application " Keep me signed in" options

Posted on 2010-08-29
10
280 Views
Last Modified: 2012-08-13
Dear All:

I was planing  to implement "Keep me signed in" options on my application which required login each time and will time out after 30 minute time out idle currently.

My Questions:
1) what is the standard way to implement it with top security? Currently I am using cookie, session on my application.
2) How should i monitor on the application after implement this (security aspect) ? Any standard step should i implement it?

currently, i keep all user public IP address, login ID, and time, and which application he/she access.

please advice, many thanks.
0
Comment
Question by:simonlai
  • 6
  • 2
  • 2
10 Comments
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33552269
Use a cookie to supplement the session.  That is all you have to do.  See this man page.
http://us.php.net/manual/en/function.setcookie.php
0
 
LVL 109

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 33552277
The general design pattern would go something like this:

1. If there is a COOKIE, the client is signed in.
2. If there is no COOKIE, redirect to the login page.

The login page would validate the credentials (user id, password) and would set the COOKIE.

The logout page would clear the cookie.

I have an article here at EE that teaches the basics of login / logout processing.  Where the SESSION is used, you would add the code to use the COOKIE instead.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Please look it over and let me know if you have any questions.  HTH, ~Ray
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33552470
there's 1 thing you might want to consider.

I usually create a trustlevel session var. if it's cookie certain things like password changes are not allowed.

0
Master Your Team's Linux and Cloud Stack!

The average business loses $13.5M per year to ineffective training (per 1,000 employees). Keep ahead of the competition and combine in-person quality with online cost and flexibility by training with Linux Academy.

 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33552491
For password changes, (or monetary transactions) you would simply ask for the current password.  The cookie would have nothing to do with it.  The new password would be effective at the next login.  This is good enough for PayPal.

FWIW, PayPal also uses HTTPS (SSL) for its web site.  If security is a concern, you would want to use SSL, too.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33554248
@Ray  that's ofcourse a method..
but if you have a set of applications or modules you'd have to code them all to include that .. or you'd just have to check the trust level .. both have advantages.
it's a matter of choice..
I like to keep all in a user class and work with trust levels.. but that's just me .
Regards,
Peanuts
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33554794
@p_nuts:  Agreed.  A simple call to the "check_password()" method on the "user" object is a one-line way to cover this important point.  The method could be stateful and return TRUE if the current state showed a satisfactory level of trust.  My ATM machine asks for the PIN number for every transaction.  Maybe they are thinking, "If I have a belt and braces, surely my pants won't fall down!"
0
 
LVL 1

Author Comment

by:simonlai
ID: 33559232
thanks all replied.......

Ray & p_nuts: get all your points.....

any other concept can monitor "Keep Me login" method??

many thanks
0
 
LVL 109

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 33560116
Not really - a cookie is how the professionals do it.  In the article I posted, you may note that it uses the session to preserve the login data.  The session sets a cookie that lives only as long as the browser window (or about 24 minutes of inactivity).  So if that cookie lived for a longer period of time, and it pointed to the same kind of data that is contained in the $_SESSION array... I am sure you get the picture.  Best regards, ~Ray
0
 
LVL 1

Author Closing Comment

by:simonlai
ID: 33680335
thanks ray...........
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 33681927
Thanks for the points -- it's a good question, ~Ray
0

Featured Post

Announcing the Most Valuable Experts of 2016

MVEs are more concerned with the satisfaction of those they help than with the considerable points they can earn. They are the types of people you feel privileged to call colleagues. Join us in honoring this amazing group of Experts.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Learn by example how to specify CSS selectors for Selenium WebDriver test automation software.
Developer portfolios can be a bit of an enigma—how do you present yourself to employers without burying them in lines of code?  A modern portfolio is more than just work samples, it’s also a statement of how you work.
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.
The is a quite short video tutorial. In this video, I'm going to show you how to create self-host WordPress blog with free hosting service.

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question