Seeing who is logged in from encrypted cookies


iceman22

2:14 am on Mar 24, 2005 (gmt 0)

10+ Year Member



I am adding accounts to my site and have successfully implemented cookies. On login, the username and password entered (the password first gets md5'd) are checked against the ones in the MySQL database. Then cookies are set: one for the username, with the value md5(username), and the same for the password.

I can easily tell if someone is logged in to know what dynamic content to display, the problem is, I do not know the username, because it is encrypted.

Now I've got a few ideas on how to go about this, I could go through the Accounts table and md5 each of the usernames and check, but that would be inefficient. I've also thought about having another table with all the users who are logged in, that way I could also just set a single cookie.

Rather than fumbling around with this idea anymore I thought I'd get this right before I develop too much around it. What are some of the preferred methods around here?

Thanks.

jollymcfats

4:41 am on Mar 24, 2005 (gmt 0)


You might look at how PHP sessions are implemented for inspiration. It is similar to your second idea.

A single cookie is used, and it contains a shared secret- a random string unique to that session that only the client and server know. The server uses the secret string as an identifier to look up information server-side about the session. E.g., if the cookie contains 'ae87f03b', the server can do a database lookup keyed on 'ae87f03b', or load a file from a filesystem named 'ae87f03b_sess' or the like.

iceman22

5:54 am on Mar 24, 2005 (gmt 0)


Is there anything specific I should be looking into with them? I considered using sessions, but sessions alone would only be a temporary login.

jollymcfats

4:50 pm on Mar 24, 2005 (gmt 0)


You could do something similar for a permanent session: use a unique identifier as the value of a single persistent cookie, and use that to look up the user on the server side. It could be an MD5'd username, but it would be safer to use something truly random.

It is also possible to combine this with PHP sessions, which are pretty handy. If a user visits your site and has no PHP session active, you check for the permanent ID cookie. If it's there, you can automatically sign them in and start a temporary PHP session, or get fancy and make them re-enter their password if they've been away too long etc.

iceman22

4:28 am on Mar 25, 2005 (gmt 0)


Googling for php "permanent sessions" [google.com] didn't find much. I've seen some pretty complicated implementations of sessions in this forum, with classes and pointers and many lines of code.

At the moment I have some scripts: a register.php, login.php, user.php, etc. Globally I include a menu script, which creates a dynamic menu and displays either a link to log in or one to register, based on whether you're logged in or not.

At the moment setting cookies works fine; the only problem is figuring out which user is logged in for the user.php page. All other pages only need to see whether you're logged in or not, through the menu script. If I were to use sessions, I would have to start the session in the menu script, which would make it more confusing...

jollymcfats

5:04 pm on Mar 25, 2005 (gmt 0)


If you're assuming that the presence of your cookie indicates a valid login, the code can be simple. Check $_COOKIE for your cookie; if present, the user is logged in. If you want to find out who is logged in, read the cookie's value (which could be a random token, as in msg. 2) and use the value to look up the user's record in a database or file.
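The scheme described in msgs. 2, 4 and 6 (a single persistent cookie carrying a random token, resolved to a user server-side, and promoted into a PHP session on the first request of a visit), written out as an added example; this is not code from any of the posters. It assumes a cookie named "remember", a 30-day lifetime, PHP 7.3+ for the array form of setcookie(), and in-memory arrays standing in for the Accounts table and a persistent-login table, so the file runs stand-alone with `php remember.php`. Only a hash of the token is stored, so a dump of the table cannot be replayed as a cookie, which is the property md5(username) and md5(password) cookies lack.

```php
<?php
// Added example (not from the thread): persistent login cookie with a random
// token, looked up server-side, used to start a PHP session on first request.
// Assumptions: cookie name "remember", 30-day lifetime, PHP 7.3+, and arrays in
// place of the Accounts and persistent-login tables (constructed sample data).
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';       // hypothetical cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;   // 30 days, in seconds

// Constructed sample rows standing in for the Accounts table.
$accounts = [
    1 => ['username' => 'iceman22'],
    2 => ['username' => 'jollymcfats'],
];

// Persistent-login table keyed by sha256(token). Only the hash is stored, so
// someone who dumps the table still cannot build a working cookie.
$rememberTokens = [];

// Called after the normal username/password check in login.php succeeds.
function issueRememberToken(array &$rememberTokens, int $userId): string
{
    // 32 bytes from the CSPRNG. Unlike md5($username), nothing about the user
    // can be derived from it and nobody can compute it without being told it.
    $token = bin2hex(random_bytes(32));
    $rememberTokens[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => time() + REMEMBER_TTL,
    ];
    return $token; // the raw token goes to the browser only
}

// Resolve a cookie value to a user id, or null if malformed, unknown or expired.
function lookupRememberToken(array &$rememberTokens, string $cookieValue): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null; // not one of ours; never reaches the table
    }
    $key = hash('sha256', $cookieValue);
    if (!isset($rememberTokens[$key])) {
        return null;
    }
    if ($rememberTokens[$key]['expires'] < time()) {
        unset($rememberTokens[$key]); // expired: drop it server-side too
        return null;
    }
    return $rememberTokens[$key]['user_id'];
}

// What the globally included menu script would call. $session stands in for
// $_SESSION so the flow can be exercised outside a web request.
function currentUserId(array &$rememberTokens, array $cookies, array &$session): ?int
{
    if (isset($session['user_id'])) {
        return $session['user_id']; // temporary PHP session already active
    }
    if (!isset($cookies[REMEMBER_COOKIE])) {
        return null; // no permanent cookie either: logged out
    }
    $userId = lookupRememberToken($rememberTokens, (string) $cookies[REMEMBER_COOKIE]);
    if ($userId !== null) {
        $session['user_id'] = $userId; // auto sign-in: promote to a PHP session
    }
    return $userId;
}

// Logout must forget the token server-side, not just clear the cookie.
function revokeRememberToken(array &$rememberTokens, string $cookieValue): void
{
    unset($rememberTokens[hash('sha256', $cookieValue)]);
}

if (PHP_SAPI === 'cli') {
    // Simulated login of user 1 from login.php.
    $token = issueRememberToken($rememberTokens, 1);
    // In a real request the cookie would be sent like this:
    // setcookie(REMEMBER_COOKIE, $token, ['expires' => time() + REMEMBER_TTL,
    //     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

    $session = [];
    $uid = currentUserId($rememberTokens, [REMEMBER_COOKIE => $token], $session);
    printf("valid cookie  -> %s\n", $uid === null ? 'logged out' : $accounts[$uid]['username']);

    // A cookie built the way the original scheme does it is computable by anyone
    // who knows a username; here it is just an unknown string and is rejected.
    $session = [];
    $uid = currentUserId($rememberTokens, [REMEMBER_COOKIE => md5('iceman22')], $session);
    printf("md5(username) -> %s\n", $uid === null ? 'logged out' : $accounts[$uid]['username']);

    revokeRememberToken($rememberTokens, $token);
    $session = [];
    $uid = currentUserId($rememberTokens, [REMEMBER_COOKIE => $token], $session);
    printf("after logout  -> %s\n", $uid === null ? 'logged out' : $accounts[$uid]['username']);
}
```

In a real deployment the two arrays become a `remember_tokens` table (token_hash, user_id, expires) and the Accounts table, and `$session` becomes `$_SESSION` after `session_start()` in the menu script; the "make them re-enter their password if they've been away too long" variant from msg. 4 is a second timestamp on the session row compared against a shorter limit before the auto sign-in is allowed.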