Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Web Application " Keep me signed in" options

Posted on 2010-08-29
10
Medium Priority
?
285 Views
Last Modified: 2012-08-13
Dear All:

I was planing  to implement "Keep me signed in" options on my application which required login each time and will time out after 30 minute time out idle currently.

My Questions:
1) what is the standard way to implement it with top security? Currently I am using cookie, session on my application.
2) How should i monitor on the application after implement this (security aspect) ? Any standard step should i implement it?

currently, i keep all user public IP address, login ID, and time, and which application he/she access.

please advice, many thanks.
0
Comment
Question by:simonlai
  • 6
  • 2
  • 2
10 Comments
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33552269
Use a cookie to supplement the session.  That is all you have to do.  See this man page.
http://us.php.net/manual/en/function.setcookie.php
0
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 33552277
The general design pattern would go something like this:

1. If there is a COOKIE, the client is signed in.
2. If there is no COOKIE, redirect to the login page.

The login page would validate the credentials (user id, password) and would set the COOKIE.

The logout page would clear the cookie.

I have an article here at EE that teaches the basics of login / logout processing.  Where the SESSION is used, you would add the code to use the COOKIE instead.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391.html

Please look it over and let me know if you have any questions.  HTH, ~Ray
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33552470
there's 1 thing you might want to consider.

I usually create a trustlevel session var. if it's cookie certain things like password changes are not allowed.

0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33552491
For password changes, (or monetary transactions) you would simply ask for the current password.  The cookie would have nothing to do with it.  The new password would be effective at the next login.  This is good enough for PayPal.

FWIW, PayPal also uses HTTPS (SSL) for its web site.  If security is a concern, you would want to use SSL, too.
0
 
LVL 13

Expert Comment

by:p_nuts
ID: 33554248
@Ray  that's ofcourse a method..
but if you have a set of applications or modules you'd have to code them all to include that .. or you'd just have to check the trust level .. both have advantages.
it's a matter of choice..
I like to keep all in a user class and work with trust levels.. but that's just me .
Regards,
Peanuts
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33554794
@p_nuts:  Agreed.  A simple call to the "check_password()" method on the "user" object is a one-line way to cover this important point.  The method could be stateful and return TRUE if the current state showed a satisfactory level of trust.  My ATM machine asks for the PIN number for every transaction.  Maybe they are thinking, "If I have a belt and braces, surely my pants won't fall down!"
0
 
LVL 1

Author Comment

by:simonlai
ID: 33559232
thanks all replied.......

Ray & p_nuts: get all your points.....

any other concept can monitor "Keep Me login" method??

many thanks
0
 
LVL 111

Assisted Solution

by:Ray Paseur
Ray Paseur earned 2000 total points
ID: 33560116
Not really - a cookie is how the professionals do it.  In the article I posted, you may note that it uses the session to preserve the login data.  The session sets a cookie that lives only as long as the browser window (or about 24 minutes of inactivity).  So if that cookie lived for a longer period of time, and it pointed to the same kind of data that is contained in the $_SESSION array... I am sure you get the picture.  Best regards, ~Ray
0
 
LVL 1

Author Closing Comment

by:simonlai
ID: 33680335
thanks ray...........
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33681927
Thanks for the points -- it's a good question, ~Ray
0

Featured Post

New feature and membership benefit!

New feature! Upgrade and increase expert visibility of your issues with Priority Questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article was originally published on Monitis Blog, you can check it here . Today it’s fairly well known that high-performing websites and applications bring in more visitors, higher SEO, and ultimately more sales. By the same token, downtime…
Q&A with Course Creator, Mark Lassoff, on the importance of HTML5 in the career of a modern-day developer.
The purpose of this video is to demonstrate how to Import and export files in WordPress. This will be demonstrated using a Windows 8 PC. Go to your WordPress login page. This will look like the following: mywebsite.com/wp-login.php : Click on Too…
The purpose of this video is to demonstrate how to integrate Mailchimp with WordPress, by placing a Mailchimp signup form on a WordPress Page or Post. This will be demonstrated using a Windows 8 PC. Mailchimp will be used. Log into your Mailchi…
Suggested Courses

926 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question