simonlai

asked on

Web Application "Keep me signed in" option

Dear All:

I was planning to implement a "Keep me signed in" option on my application, which currently requires a login each time and times out after 30 minutes idle.

My Questions:
1) What is the standard way to implement it with top security? Currently I am using cookies and sessions in my application.
2) How should I monitor the application after implementing this (security aspect)? Are there any standard steps I should implement?

Currently, I keep every user's public IP address, login ID, and time, and which application he/she accesses.

Please advise, many thanks.
Ray Paseur

Use a cookie to supplement the session.  That is all you have to do.  See this man page.
http://us.php.net/manual/en/function.setcookie.php
p_nuts
There's one thing you might want to consider.

I usually create a trust-level session var. If it's a cookie login, certain things like password changes are not allowed.
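
The scheme the two replies above describe (a cookie that supplements the session, plus a trust level that keeps cookie-only logins away from password changes) can be put together as follows. This is an added example, not code from either poster; the thread is about PHP's setcookie(), but the logic is framework-independent, so it is written here in plain Python with an in-memory dict standing in for the token table and a caller-supplied `verify(user_id, password)` function standing in for the site's real password check (both assumptions). The cookie holds a selector plus a random validator; only a hash of the validator is stored, the comparison is constant-time, and the token is rotated on every use so a copied cookie stops working after the legitimate browser next uses it.

```python
import hashlib
import hmac
import secrets
import time
from http.cookies import SimpleCookie

# Constructed in-memory store standing in for a database table (assumption).
# selector -> {"user": ..., "validator_hash": ..., "expires": ...}
REMEMBER_TOKENS = {}

COOKIE_NAME = "remember_me"
TOKEN_TTL = 30 * 24 * 3600  # 30 days, in seconds

# Trust levels carried in the server-side session, in increasing order.
TRUST_NONE = 0      # anonymous
TRUST_COOKIE = 1    # identified only by the remember-me cookie
TRUST_PASSWORD = 2  # password was typed in this session


def issue_remember_token(user_id, now=None):
    """Create a 'selector:validator' token after a successful password login
    (only when the user ticked the box). Only SHA-256(validator) is stored,
    so a leaked token table cannot be replayed as cookies."""
    now = time.time() if now is None else now
    selector = secrets.token_hex(12)
    validator = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[selector] = {
        "user": user_id,
        "validator_hash": hashlib.sha256(validator.encode()).digest(),
        "expires": now + TOKEN_TTL,
    }
    return f"{selector}:{validator}"


def remember_cookie_header(token, secure=True):
    """Build the Set-Cookie value: HttpOnly keeps the token away from scripts,
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sends."""
    c = SimpleCookie()
    c[COOKIE_NAME] = token
    c[COOKIE_NAME]["httponly"] = True
    c[COOKIE_NAME]["secure"] = secure
    c[COOKIE_NAME]["path"] = "/"
    c[COOKIE_NAME]["max-age"] = TOKEN_TTL
    c[COOKIE_NAME]["samesite"] = "Lax"
    return c[COOKIE_NAME].OutputString()


def login_from_cookie(token, session, now=None):
    """Authenticate a request that has no live session but carries the cookie.
    Returns the rotated token to set as the new cookie, or None on failure.
    On success the session is populated at TRUST_COOKIE only."""
    now = time.time() if now is None else now
    try:
        selector, validator = token.split(":", 1)
    except (AttributeError, ValueError):
        return None
    record = REMEMBER_TOKENS.get(selector)
    if record is None:
        return None
    if record["expires"] < now:
        del REMEMBER_TOKENS[selector]
        return None
    candidate = hashlib.sha256(validator.encode()).digest()
    if not hmac.compare_digest(candidate, record["validator_hash"]):
        # Selector is known but validator is wrong: treat as a tampered or
        # stolen cookie and revoke that selector outright.
        del REMEMBER_TOKENS[selector]
        return None
    del REMEMBER_TOKENS[selector]  # one-time use: rotate on every login
    session["user"] = record["user"]
    session["trust"] = TRUST_COOKIE
    return issue_remember_token(record["user"], now)


def require_trust(session, level):
    """p_nuts' check: gate an action on the session's trust level."""
    return session.get("trust", TRUST_NONE) >= level


def elevate_with_password(session, current_password, verify):
    """Ray's step-up: re-asking for the current password lifts a cookie-only
    session to TRUST_PASSWORD. 'verify' is the site's password check (assumed)."""
    user = session.get("user")
    if user is None or not verify(user, current_password):
        return False
    session["trust"] = TRUST_PASSWORD
    return True


def revoke_all_tokens(user_id):
    """On password change or explicit logout-everywhere, drop every token of the user."""
    for selector in [s for s, r in REMEMBER_TOKENS.items() if r["user"] == user_id]:
        del REMEMBER_TOKENS[selector]
```

A password-change handler would first call `require_trust(session, TRUST_PASSWORD)` and, if that fails, prompt for the current password and call `elevate_with_password` before proceeding, then `revoke_all_tokens` once the new password is saved. In PHP the equivalent of `remember_cookie_header` is passing `true` for both the `$secure` and `$httponly` parameters of setcookie().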

For password changes (or monetary transactions) you would simply ask for the current password.  The cookie would have nothing to do with it.  The new password would be effective at the next login.  This is good enough for PayPal.

FWIW, PayPal also uses HTTPS (SSL) for its web site.  If security is a concern, you would want to use SSL, too.
@Ray  that's of course a method,
but if you have a set of applications or modules you'd have to code them all to include that, or you'd just have to check the trust level. Both have advantages.
It's a matter of choice.
I like to keep it all in a user class and work with trust levels, but that's just me.
Regards,
Peanuts
@p_nuts:  Agreed.  A simple call to the "check_password()" method on the "user" object is a one-line way to cover this important point.  The method could be stateful and return TRUE if the current state showed a satisfactory level of trust.  My ATM asks for the PIN for every transaction.  Maybe they are thinking, "If I have a belt and braces, surely my pants won't fall down!"
simonlai (ASKER)

Thanks to all who replied.

Ray & p_nuts: I get all your points.

Is there any other concept that can monitor the "Keep me logged in" method?

many thanks
Thanks, Ray.
Thanks for the points -- it's a good question, ~Ray