A Conversation for Website Developer's Forum

Implementing User cookies

Post 21

Frankie Roberto

You wouldn't automatically be logged in in a second browser, you have to log in again with username/password. BUT logging in on a second browser wouldn't invalidate your cookie on the first browser. Logging out of the second browser WOULD invalidate your cookie on the first browser though. I dunno if that makes sense...


Implementing User cookies

Post 22

Ion the Naysayer

I think d'Elaphant is right about tracking IP addresses. Anyone that gets ahold of the cookie could fake their identity to the script. If you check it against the IP address you could be (relatively) sure that it came from the same computer.

You might also want to think about making sessions timeout to prevent the cookie from being used hours after the real person has logged out. You can't rely on cookies to delete themselves, either - the session id would have to time out on the server end.


Implementing User cookies

Post 23

Pastey

As I'm sure you know, it's possible to spoof IP addresses too; really it all comes down to how much you trust your users, or the people with access to their machines.



Implementing User cookies

Post 24

DoctorMO (Keeper of the Computer, Guru, Community Artist)

Bit of a shame, but I like the IP address idea, even tho' you can route and fake IP addresses, you'd need someone with an expert level of computer competence to do it.


-- DoctorMO --


Implementing User cookies

Post 25

Ion the Naysayer

Someone with an expert level of computer competence... Or any idiot with a NAT box...

It's not secure but it helps. Nothing is completely secure, after all.


Implementing User cookies

Post 26

Frankie Roberto

Can't be bothered with IP stuff. And cookies won't time out because I want people to be able to log in from their home computer and never have to log in again. If they're using a public computer and don't log out it's their fault...


Implementing User cookies

Post 27

Ion the Naysayer

*nod* Understandable.

Given that then, I would recommend that the logout command delete the sessionid from the database rather than just deleting the cookie on the user end. It's no more effort to implement and much more secure.


Implementing User cookies

Post 28

Frankie Roberto

Yeah, that's pretty much how it works at the mo.

What's the difference usually between people clicking 'remember me' or not...?


Implementing User cookies

Post 29

DoctorMO (Keeper of the Computer, Guru, Community Artist)

If you close the browser the cookies are lost, but if the database still has an entry on that session then the database may become overcrowded, so you'll have to have some clean-up functions and a max time-out of sessions that haven't been used...

-- DoctorMO --


Implementing User cookies

Post 30

Frankie Roberto

I don't get you. If the browser is closed without logging out, then the session id remains next to the user's entry in the database. Which means if they re-open the browser with the cookie still there, then they won't need to log in.

If I missed the point, can you explain again?


Implementing User cookies

Post 31

Ion the Naysayer

Closing the browser only deletes session cookies, DoctorMO... Most cookies are persistent rather than session.
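The server-side design discussed in Posts 21, 27, 29 and 31, written out as an added example (not code from anyone in this thread): one session id stored next to the user's entry, logout deleting it from the store rather than only from the browser, a sweep for sessions left behind by closed browsers, and a cookie that is persistent only when "remember me" is ticked. An in-memory dict stands in for the database, and the clock is injectable so the behaviour can be checked without waiting.

```python
import secrets
import time
from http.cookies import SimpleCookie

class SessionStore:
    # Server-side table: the id sits next to the user's entry, so the database,
    # not the cookie, decides who is logged in (one id per user, as in the thread).
    def __init__(self, idle_timeout=None, clock=time.time):
        self.idle_timeout = idle_timeout  # seconds idle before expiry; None = never
        self.clock = clock                # injectable so tests can fake the time
        self.by_sid = {}                  # session id -> [username, last_seen]
        self.by_user = {}                 # username -> session id
    def login(self, username):
        # Reuse an existing id so a second browser does not invalidate the first.
        sid = self.by_user.get(username)
        if sid is None:
            sid = secrets.token_urlsafe(32)  # unguessable; never derived from the username
            self.by_user[username] = sid
            self.by_sid[sid] = [username, self.clock()]
        return sid
    def logout(self, sid):
        # Delete server-side, not just the cookie: every browser holding this id is logged out.
        entry = self.by_sid.pop(sid, None)
        if entry is not None:
            self.by_user.pop(entry[0], None)
    def _stale(self, last_seen):
        return self.idle_timeout is not None and self.clock() - last_seen > self.idle_timeout
    def authenticate(self, sid):
        entry = self.by_sid.get(sid)
        if entry is None or self._stale(entry[1]):
            self.logout(sid)  # unknown, forged, logged-out or stale id: reject and clear
            return None
        entry[1] = self.clock()
        return entry[0]
    def cleanup(self):
        # Periodic sweep for ids whose browser went away without ever logging out.
        stale = [s for s, (_, seen) in self.by_sid.items() if self._stale(seen)]
        for s in stale:
            self.logout(s)
        return len(stale)

def session_cookie(sid, remember_me):
    # Set-Cookie value: Max-Age makes it persistent; without it the browser drops it at exit.
    c = SimpleCookie()
    c["sid"] = sid
    c["sid"]["httponly"] = True  # page scripts cannot read the id
    c["sid"]["secure"] = True
    if remember_me:
        c["sid"]["max-age"] = 365 * 24 * 60 * 60
    return c.output(header="").strip()
```

With `idle_timeout=None` the store behaves as Post 26 wants (a home computer stays logged in indefinitely) while a logout anywhere still kills the id everywhere; with a timeout set, a cookie copied from an idle machine stops working once the server-side entry expires.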


Implementing User cookies

Post 32

DoctorMO (Keeper of the Computer, Guru, Community Artist)

Only if you chose so, and only if you wish this to be the case.

Using my name like that, tut tut...

-- DoctorMO --

