Proper use of cookies

Discussion in 'PHP' started by NoamBarz, Jun 14, 2007.

  1. #1
    I was wondering how the DP login works. More specifically, I was wondering what goes on behind the "remember me" option. Sure, one could store user information in a cookie and then not require the user to login. But advanced users could easily change their cookies and log in as other people.

    A hashing method could be used to encrypt the cookie, so that forging it would be difficult. Is that how it's done?

    Obviously, requiring a password would beat the point.

    Can anyone suggest a good way to do this?
     
    NoamBarz, Jun 14, 2007 IP
  2. nico_swd
    #2
    DP, or vBulletin stores 3 cookies which are used for the log in.

    One is the user ID, another is the password (MD5 encrypted), and the third being the session hash. (Also MD5 encrypted)

    So you may be able to change the values of cookies, but that doesn't directly mean you can log in as someone else. You would need the user's password, and encrypt it the same way vBulletin does. It's something like this if I'm not mistaken:

    PHP:
    $password = md5($password . md5($salt . $username));

    So you not only need the password, but also the unique user salt value (which only the database knows). This alone makes it almost impossible to get the exact user ID / password combination to log in as someone else. It's probably easier to sit down and guess the user's password. (Which is easy sometimes when you know the person.)

    To make the system more secure, vBulletin logs failed login attempts, and requires the user to wait 15 minutes if he entered the wrong password 3 (or 5... don't remember) times. Additionally, a warning email can be sent to the user's email address that "someone" tried to log in to this account, and that updating the password may be recommended.

    Using cookies to keep the user logged in makes it less secure than verifying the username and password each time, because the cookies are stored on the user's computer, and if someone has access to it, they could be easily copied. But then again, Firefox stores all your passwords too, when you tell it to. So with a few clicks you can see them all in the "Tools" menu. So depending where you are, I don't see it as a "real" security issue.

    Depending on what you need this for, I would suggest using re-authentication with username and password if you are storing important details such as credit card numbers. Or keep the user logged in via cookie, and make him re-enter the username and password for important tasks, like changing the password, realizing payments, etc...


    So, in response to your actual question. The system works more or less like this:

    The user logs in, and a unique session value is created, and stored in the database and a cookie, or passed in the URL if the user has cookies disabled.

    If the user decided to "remember him", the encrypted password will be stored in the cookie as well.

    So as long as the session cookie doesn't expire, or time out in the database, the user stays authenticated via the session. If the session or cookie expired, it will query the database for the user ID and password combination, and restore the session.
     
    nico_swd, Jun 14, 2007 IP
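The flow nico_swd describes (a session hash stored in the database and a cookie, plus a userid/password cookie pair used to restore the session once it expires), as an added example that is not the poster's or vBulletin's code. The user record, its salt and password are constructed, the "database" is an in-memory array, and a plain array stands in for $_COOKIE so it runs from the CLI.

```php
<?php
// Constructed user record; the stored hash follows the formula quoted in the thread.
$users = [42 => ['username' => 'alice', 'salt' => 'x7Q1', 'passhash' => '']];
$users[42]['passhash'] = md5('correct horse' . md5('x7Q1' . 'alice'));
$sessions = [];  // sessionhash => ['userid' => int, 'expires' => unix time]

function login(array &$users, array &$sessions, string $user, string $pass, bool $remember): array {
    foreach ($users as $id => $u) {
        if ($u['username'] !== $user) continue;
        $candidate = md5($pass . md5($u['salt'] . $u['username']));
        if (!hash_equals($u['passhash'], $candidate)) return [];   // wrong password
        // Unique session value: kept server-side with a timeout and handed to the browser.
        $sessionhash = bin2hex(random_bytes(16));
        $sessions[$sessionhash] = ['userid' => $id, 'expires' => time() + 900];
        $cookies = ['sessionhash' => $sessionhash];
        if ($remember) {
            // "Remember me": the cookie carries the stored hash, never the password itself.
            $cookies['userid']   = (string)$id;
            $cookies['password'] = $u['passhash'];
        }
        return $cookies;
    }
    return [];
}

// Prefer the live session; fall back to the userid/password cookie pair.
function restore(array $users, array &$sessions, array $cookies): ?int {
    $sh = $cookies['sessionhash'] ?? '';
    if (isset($sessions[$sh]) && $sessions[$sh]['expires'] > time()) {
        return $sessions[$sh]['userid'];
    }
    $id = (int)($cookies['userid'] ?? 0);
    // Changing only the userid cookie fails: the hash must match that user's own record.
    if (isset($users[$id]) && hash_equals($users[$id]['passhash'], (string)($cookies['password'] ?? ''))) {
        $sessions[bin2hex(random_bytes(16))] = ['userid' => $id, 'expires' => time() + 900];
        return $id;
    }
    return null;
}

$c = login($users, $sessions, 'alice', 'correct horse', true);
var_dump(restore($users, $sessions, $c));      // authenticated via the live session
$sessions = [];                                // session timed out in the database
var_dump(restore($users, $sessions, $c));      // restored from the userid/password pair
var_dump(restore($users, $sessions, ['userid' => '42', 'password' => 'forged']));  // rejected
```

Because the remember-me cookie is equivalent to the credential, this is exactly the case where the thread recommends re-entering the username and password for sensitive tasks.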
  3. NoamBarz
    #3
    Really helpful detailed answer. I guess I've been giving you too much greens lately b/c I got a message from DP saying I need to spread some rep before adding some more to yours.

    I'll be sure to spread and return here to add your well earned rep!
     
    NoamBarz, Jun 14, 2007 IP
  4. nico_swd
    #4
    Don't worry. I'm not THAT rep addicted. :p
     
    nico_swd, Jun 14, 2007 IP