Solved

Web Application " Keep me signed in" options

Posted on 2010-08-29
10
281 Views
Last Modified: 2012-08-13
Dear All:

I was planing  to implement "Keep me signed in" options on my application which required login each time and will time out after 30 minute time out idle currently.

My Questions:
1) what is the standard way to implement it with top security? Currently I am using cookie, session on my application.
2) How should i monitor on the application after implement this (security aspect) ? Any standard step should i implement it?

currently, i keep all user public IP address, login ID, and time, and which application he/she access.

please advice, many thanks.
0
Comment
Question by:simonlai
  • 6
  • 2
  • 2
10 Comments
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33552269
Use a cookie to supplement the session.  That is all you have to do.  See this man page.
http://us.php.net/manual/en/function.setcookie.php
0
 
LVL 110

Accepted Solution

by:
Ray Paseur earned 500 total points
ID: 33552277
The general design pattern would go something like this:

1. If there is a COOKIE, the client is signed in.
2. If there is no COOKIE, redirect to the login page.

The login page would validate the credentials (user id, password) and would set the COOKIE.

The logout page would clear the cookie.

I have an article here at EE that teaches the basics of login / logout processing.  Where the SESSION is used, you would add the code to use the COOKIE instead.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Please look it over and let me know if you have any questions.  HTH, ~Ray
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33552470
there's 1 thing you might want to consider.

I usually create a trustlevel session var. if it's cookie certain things like password changes are not allowed.

0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33552491
For password changes, (or monetary transactions) you would simply ask for the current password.  The cookie would have nothing to do with it.  The new password would be effective at the next login.  This is good enough for PayPal.

FWIW, PayPal also uses HTTPS (SSL) for its web site.  If security is a concern, you would want to use SSL, too.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33554248
@Ray  that's ofcourse a method..
but if you have a set of applications or modules you'd have to code them all to include that .. or you'd just have to check the trust level .. both have advantages.
it's a matter of choice..
I like to keep all in a user class and work with trust levels.. but that's just me .
Regards,
Peanuts
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33554794
@p_nuts:  Agreed.  A simple call to the "check_password()" method on the "user" object is a one-line way to cover this important point.  The method could be stateful and return TRUE if the current state showed a satisfactory level of trust.  My ATM machine asks for the PIN number for every transaction.  Maybe they are thinking, "If I have a belt and braces, surely my pants won't fall down!"
0
 
LVL 1

Author Comment

by:simonlai
ID: 33559232
thanks all replied.......

Ray & p_nuts: get all your points.....

any other concept can monitor "Keep Me login" method??

many thanks
0
 
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 500 total points
ID: 33560116
Not really - a cookie is how the professionals do it.  In the article I posted, you may note that it uses the session to preserve the login data.  The session sets a cookie that lives only as long as the browser window (or about 24 minutes of inactivity).  So if that cookie lived for a longer period of time, and it pointed to the same kind of data that is contained in the $_SESSION array... I am sure you get the picture.  Best regards, ~Ray
0
 
LVL 1

Author Closing Comment

by:simonlai
ID: 33680335
thanks ray...........
0
 
LVL 110

Expert Comment

by:Ray Paseur
ID: 33681927
Thanks for the points -- it's a good question, ~Ray
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

An enjoyable and seamless user experience can go a long way on an eCommerce site. While a cohesive layout and engaging copy play roles in creating a positive user experience, some sites neglect aspects that seem marginal but in actuality prove very …
Many old projects have bad code, but the budget doesn't exist to rewrite the codebase. You can update this code to be safer by introducing contemporary input validation, sanitation, and safer database queries.
The purpose of this video is to demonstrate how to prevent comment spam on a WordPress Website. This will be demonstrated using a Windows 8 PC. Plugin Akismet will be used. Go to your WordPress login page. This will look like the following: myw…
The viewer will learn how to create and use a small PHP class to apply a watermark to an image. This video shows the viewer the setup for the PHP watermark as well as important coding language. Continue to Part 2 to learn the core code used in creat…

713 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question