I’m at the beginning of a project that will have a “remember me” option when the user authenticates.
My user’s database table have the following basic structure for authentication:
- id : a random number generated when user is registered. (key)
- username : an username choosen by the user, can be changed to another unique username.
- hash : the hash of the password created with “phpass” when the password is set.
I’d like to know a safe way to keep the user logged in, even in more than one computer, using cookies and MySQL.
I wish I can use the same cookies to store a temporaly session or a “remember me” section. I’ve read about tokens and about hashing all user information to a cookie but is it safe? I checked Facebook’s cookies that are used after user authentication and there’s user id entry, is it really necessary for what I whant to do?
If I decide to hash information to the cookie should I use “phpass” that probably is slower or a simple MD5 function, seen that the authentication verification wiil be in every page and every AJAX request? Should I renew a user token every time I verify for login?
Finally, what’s the best choice I have? I know there’s a lot of questions similar to this but I didn’t found something like “the best way” to do this. In every post I find there’s something different and contradictory about this subject. I’d like to know a safe and clean way to do it.
I would recommend using a separate table to store saved login sessions. This table will store a unique hash generated at the time of user choosing to “remember me”, the user’s IP address, and their user_id.
When or If a user decides to keep a persistent login, you will generate the hash, save that hash as a cookie value, and store their IP / user_id in the “remembered” table.
In your session_start/check sequence, first check if session is set — if not, check if cookie is set – if cookie is set, match their IP address to the cookie’s hash value against the database and then if all checks out, set their session status as “authenticated”.
The reason for having a table using their IP address and a unique hash is to allow multiple devices/computers to be persistent. Each device would have an entry in your remembered_sessions table.
This method does not store any passwords in a cookie, and only those who have successfully entered their password will have this cookie on their computer. Additionally even if someone grabbed that user’s hash in their cookie they would need to be on the same network to be considered authenticated.