Home/ Questions/Q 9149875
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-17T11:32:11+00:00

What method should I use to keep logged in my users, like google’s gmail?

  • 0

What method should I use to keep logged in my users, like google’s gmail? (You can stay logged in for almost an unlimited time if you want – stay logged in function – and even if your IP is changed mid-session, gmail still recognize you).

PHP Sessions last until the browser is closed (or 1440 sec), even with the use of session_set_cookie_parameters() I don’t know if it is a good practice or not. I would prefer using MySQL tables instead. One for user login attempts and one for sessions, but I wonder how should I accomplish this.

How can I identify users? The IP is no good, it can change and what if the user uses a proxy? All I want is to use a secure and convenient way.

Let’s put aside Network Eavesdropping and Cross-site Scripting, Im doing my best to counter these attacks. Brute force attacks would be denied with the use of login attempt logging and I use prepared statements to not get sql injected.

My other question is, how can I prevent session hijacking if I want an own login system?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I use a second specific cookie (ie not the session cookie), named ALWAYS

    • that cookie is set for a long life (eg a year)
    • its value is unique, determined in PHP based on UID and other random (time…) things, made from a hash key (choose your algorithm – md5 is said to be weak), eg “df67ewbhca9fasdi383hd.347234892.HASHFROMUIDSPECIFIC”
    • that value is stored in MySQL – user row – when the user logs in

    • the following algorithm is followed

      user_login() {
  if ( not signed in ) {
     if (cookies[ALWAYS] is present AND value is in DB AND not null) {
        log the user from that row , automatically
        create his session
     }
     else {
        regular_login()
     }
  }
}

    • when the user logs out, delete the cookie ALWAYS, AND set that value to null in DB

    This way, the users who logged in previously, are (for a year, can be changed) automatically logged in when session expired, from the same browser they initially logged in.

    When a user logs out, remove the possibility of a cookie that has been stolen (…) by removing the value from the DB. Thus even though it could be stolen, it cannot be used anymore.

    • 0