andieje


remember me in php token length

Hi

I am looking at how to implement remember cookies in PHP, and most webpages suggest using a random token and changing it on each page load to prevent session hijacking. I asked a similar question about this recently.

My question is: if I do implement it this way, how do I know who is 'trying to be remembered'? I can assign the random token to the user on creation and then look up the random token and see who it was assigned to, but isn't it possible that more than one user could have the same random token?

How big, in terms of characters, would the token have to be for the chances of people having the same token to be negligible?

Thanks experts :)
ASKER CERTIFIED SOLUTION
Dave Baldwin
andieje

ASKER

So I check the token when I make it to ensure it doesn't already exist? Is that what you are saying? Makes sense to do that.
Yes, that's what I'm saying.  I don't know of any way to 'guarantee' uniqueness.  Even if you do something like an MD5 of someone's name, there are a lot of people with the same name.
The example in this article works reasonably well.  You can generate the token and INSERT it into a SQL database.  If there is a duplicate in a UNIQUE column, MySQL will throw error number 1062.  When this happens, you generate a new token and retry the INSERT.
https://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html
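
The generate, INSERT and retry-on-duplicate loop described above, as an added PHP example that is not part of the original thread or the linked article. It assumes PDO with an in-memory SQLite database so it runs offline; the table, column and function names are hypothetical, and keeping only a SHA-256 of the token server-side is an added assumption.

```php
<?php
declare(strict_types=1);

// Constructed schema; table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE remember_tokens (
    token_hash CHAR(64) NOT NULL UNIQUE,
    user_id    INTEGER  NOT NULL
)');

function issueRememberToken(PDO $pdo, int $userId, int $maxTries = 3): string
{
    $insert = $pdo->prepare(
        'INSERT INTO remember_tokens (token_hash, user_id) VALUES (?, ?)'
    );
    for ($try = 0; $try < $maxTries; $try++) {
        // 32 bytes from the OS CSPRNG = 256 bits, sent as 64 hex characters.
        $token = bin2hex(random_bytes(32));
        try {
            // Assumption: store only a hash, so a database leak does not
            // hand out values that work as cookies.
            $insert->execute([hash('sha256', $token), $userId]);
            return $token; // this value goes into the cookie
        } catch (PDOException $e) {
            // SQLSTATE 23000 = integrity constraint violation. With MySQL the
            // driver code in $e->errorInfo[1] is 1062 for a duplicate key.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
            // Duplicate value: loop and generate a fresh token.
        }
    }
    throw new RuntimeException('Could not allocate a unique token');
}

// Answers "who is trying to be remembered": the token row names the user.
function userForToken(PDO $pdo, string $token): ?int
{
    $q = $pdo->prepare('SELECT user_id FROM remember_tokens WHERE token_hash = ?');
    $q->execute([hash('sha256', $token)]);
    $id = $q->fetchColumn();
    return $id === false ? null : (int) $id;
}

$cookie = issueRememberToken($pdo, 42); // constructed user id
var_dump(strlen($cookie), userForToken($pdo, $cookie), userForToken($pdo, 'bogus'));
```
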
andieje

ASKER

thank you