Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>While you can hash a user_id and secret_key, anyone who intercepts this cookie can log in to your application. In addition to this, you can make it so that your remember me cookies go stale very quickly. No one likes a stale cookie.</p> <p>You can store the time stamp of each user's last visit in your database and in the cookie. Each time you read the cookie to log the user in, you check to see that both timestamps match. If they don't, deny the user. If they do, update the timestamps.</p> <p>Using this method, any time your user returns to your site, all old cookies go stale. A hacker that has intercepted a cookie now has a worthless stale cookie because he does not know the exact time stamp in the current cookie. Of course, the hacker can use a fresh cookie as much as he wants until the user logs back in.</p> <pre><code>//check for cookie if(isset($_COOKIE['remember_me'])) { // get hash and time stamp from cookie $hash = substr($_COOKIE['remember_me'],0,40); $last_visit = substr($_COOKIE['remember_me'],41); // query your db with $hash and $last_visit // if hash and time stamp match up // log in // store the current time stamp in a variable to use for both $time = date("Y-m-d H:i:s"); // update the time stamp in your cookie $cookie = $pass . "-" . $time; setcookie('remember_me', $cookie, time()+60*60*24*100, '/'); // update the time_stamp in your database else { // remove the remember me cookie setcookie('remember_me', '', time()-42000, '/') } </code></pre> <p>This method offers a small amount of security, and should certainly be used along side methods proposed in other answers. A hashed key should be stored in the cookie. A remember me cookie cannot be perfectly secure, so password re-entry should be required for any additional access to highly sensitive data or application features.</p> <p>I also recommend naming your cookie something besides 'remember_me' to make it a little harder to find. While it does not add much security, if any, naming your cookie 'ht33424' takes just as long as naming it 'remember_me' or 'hack_me'.</p>
    singulars
    1. This table or related slice is empty.
    1. POBest practice for remember me feature
      singulars
      1. PTQuestion
    1. PTAnswer
    1. USSomewhereThere
    1. USSomewhereThere
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POBest practice for remember me feature
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    1. COSorry but I don't think I like this answer, unless I misunderstand the logic of it this relies on the user loading a new page before the hacker has time to copy and execute the page on their side. At the end of a genuine users session there is a big window for hijacking, and even during a session it shouldn't be too hard to slip in between page loads. This would create unusual page behaviour for the genuine user. Renaming cookie variable names is security through obscurity and a waste of time. (Continued)
      singulars
      1. PO
      1. USTom Gullen
    2. CO... It is probably another layer that will help, but a determined hacker will not be detered by it. Also it is not 100% failsafe for the reasons I mentioned above. For sensitive and potentially damaging access to sensitive information and functionality I would not recommend this method as a 100% secure solution, only a marginal improvement.
      singulars
      1. PO
      1. USTom Gullen
    3. COTo a determined hacker, no method is 100% failsafe. As you said, this really is just one more layer to try and get us closer to 100%. This is meant to be used along side other methods, many of which are provided in other answers. A hashed key should definitely be stored in the cookie, and password re-entry should be required for additional access to sensitive information and features.
      singulars
      1. PO
      1. USSomewhereThere
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload