The Slim Framework support forum has moved to http://discourse.slimframework.com. This Tender forum is no longer maintained or monitored.

PHP Authentication - Sessions and Cookies?

Enill

10 Apr, 2012 02:33 AM

Hi,
I am looking for advice about dealing with user credentials.

What I want:
- I want a user to be able to enter its credentials once and log in to my web application
- I want a user to be able to come back to my site and auto-login if it already entered its credentials and the best (and that the credentials are still valid)

What I am wondering is, since it is probably a bad idea to store credentials in a cookie, how should I deal with this? What are the good practices?

Thanks in advance!

  1. Support Staff 1 Posted by Josh Lockhart on 10 Apr, 2012 12:34 PM

    You can store the authentication flag in the $_SESSION which will be persisted server-side while the session ID is persisted client-side.

    In my own applications, once a user authenticates successfully, I store the user ID and a hash(user ID + user secret that only my database knows) in the session. Then on each subsequent authenticated request, I check for the user ID and ensure the hash is correct.

    Josh
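
An added example, not part of Josh's reply or of Slim itself: one way to implement the check described in the reply above in plain PHP. The function names, the in-memory `$users` table, and the use of HMAC-SHA256 with a random per-user secret (in place of a plain hash of user ID + secret) are assumptions.

```php
<?php
// Added example; function names and the in-memory user table are hypothetical.

// Constructed sample data standing in for the users table. Each user has a
// random secret generated server-side that is never sent to the client.
$users = [
    42 => ['secret' => bin2hex(random_bytes(32))],
];

// Tag binding the user ID to that user's secret. HMAC-SHA256 is used here
// instead of hashing the plain concatenation "user ID + secret".
function authTag(int $userId, string $secret): string
{
    return hash_hmac('sha256', (string) $userId, $secret);
}

// Call once the password check has succeeded.
function logIn(array &$session, int $userId, array $users): void
{
    // In a real request, call session_regenerate_id(true) first so that a
    // session ID issued before login cannot be reused (session fixation).
    $session['user_id'] = $userId;
    $session['auth_tag'] = authTag($userId, $users[$userId]['secret']);
}

// Call on every request that requires authentication.
function currentUserId(array $session, array $users): ?int
{
    $userId = $session['user_id'] ?? null;
    $tag = $session['auth_tag'] ?? null;
    if (!is_int($userId) || !is_string($tag) || !isset($users[$userId])) {
        return null;
    }
    $expected = authTag($userId, $users[$userId]['secret']);
    // hash_equals() compares the two tags in constant time.
    return hash_equals($expected, $tag) ? $userId : null;
}

// Demo: a plain array stands in for $_SESSION so this runs from the CLI.
$session = [];
logIn($session, 42, $users);
var_dump(currentUserId($session, $users)); // checked against the current secret

// Rotating the secret in the database (password change, forced logout)
// makes every session that still carries the old tag fail the check.
$users[42]['secret'] = bin2hex(random_bytes(32));
var_dump(currentUserId($session, $users));
```

In a web request, pass `$_SESSION` in place of `$session` and load the secret from the database row for that user.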

  2. 2 Posted by Enill on 10 Apr, 2012 09:09 PM

    Thanks for your reply.

    By building a hash of the id + secret token and storing it in a cookie for future visits, what kind of security flaws are possible, off the top of your head?

    Also, is the secret token auto-generated on the server side when a user creates an account, for example?

    Thanks in advance!

  3. Andrew Smith closed this discussion on 02 Aug, 2012 10:52 AM.
