I am new to the backend and I don't know much about it. I am making a small site layout, just for experience and practice. I want users to be authorized automatically after closing the browser and in similar situations. You can, of course, write the login and password into cookies and check them against the database, but I want to dig a little into security. A hashed password is also not the most reliable thing, as I understood. Searching the Internet, I either choked on the terminology or found the same solutions.

For starters, I wanted to get around the situation where cookies are simply copied to another device. Using sessions is not an option, because the session is removed (although I may not know something). You can write a token into the cookie instead of the login and password. But it can also be copied. Judging by the same articles from the Internet, binding to the IP is also bad, because it can change. As an option, save some kind of token and periodically change it. But in that case authorization can only be done on one device, and I don't want that. So how can this be realized?

  • Just use sessions, they are eternal. - singlesly
  • @singlesly, isn't the session deleted after exiting the browser? - Alex Chashin
  • It seems that you can make it hang around until you log out. - singlesly

1 answer

The answer turned out to be too long for a comment, so I will write it here. Keeping the login and password in cookies is a really bad idea. As an option, the user keeps a random token and, possibly, a login (encrypted); in the database you keep login / token / IP / information about the browser. Make the IP an optional parameter when checking, with everything else a required match; each device will have its own token, even with the same login, and this will give a good level of security. At the very least, simply copying cookies won't work. Beyond that, additional verification options are at your discretion.

Link to a site where a similar registration system is created

  • And if each device has its own token, and their number is unlimited, then how do you save them in the database? There are no arrays there. - Alex Chashin
  • Separate entries. If you have 3 devices logged into your account, they will have 3 different tokens, and there will be 3 different entries in the database. Do not combine them. They will be easier to delete when leaving the account on any of the devices, and easier to search for in the database. - NTP
  • Hmm, how do you keep them in the database? Creating a separate column for each token is not an option, but beyond that nothing comes to mind. In a separate table you would also have to create columns. The only thing is, on load, you get a string with tokens from the database, split it into an array, work with these arrays, and then save it back to a string in the database again, but can there be something simpler? - Alex Chashin
  • And I have just come up with the idea that it is possible to write tokens and IP addresses in separate rows in a separate table under one id; does it work like this? - Alex Chashin
  • Get, split, save is too long. When I implemented it, I created a separate table with token / login / IP / browser columns. Without binding to an id (if you mean the user id in another table, then it can be so), because the data there will constantly change. If you are afraid of matches, there will be none: all rows will be unique in at least one parameter. The rows in the table will be independent, even if they all belong to the same account, just with tokens from different devices. - NTP
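The design the answer and its comment thread describe (a separate table with token / login / IP / browser columns, one independent row per device, IP optional and browser required when checking, rows deleted one at a time on logout) as an added Python/sqlite3 example. This is not the answerer's code or the linked site's code; the table name, column names and function names are assumptions made here, and storing only a SHA-256 hash of the token (so a copied database does not yield usable cookies) goes beyond what the answer says.

```python
"""Per-device login tokens, one row per device (added example, not from the page).

Assumptions beyond the answer: table and function names are invented here, and
the cookie token is stored as a SHA-256 hash rather than in clear text.
"""
import hashlib
import secrets
import sqlite3
from typing import Optional


def open_db() -> sqlite3.Connection:
    """Create an in-memory database with the token / login / IP / browser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        """CREATE TABLE device_sessions (
               token_hash TEXT PRIMARY KEY,  -- hash of the random cookie token
               login      TEXT NOT NULL,     -- same login may appear in many rows
               ip         TEXT,              -- optional match: addresses change
               browser    TEXT NOT NULL      -- required match: User-Agent string
           )"""
    )
    return conn


def _hash(token: str) -> str:
    """Only the hash is stored, so the database never contains a usable cookie value."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(conn: sqlite3.Connection, login: str, ip: str, browser: str) -> str:
    """Log one device in: mint a fresh random token, store its hash, return the raw token
    for the cookie. A second device for the same login simply gets a second row."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness from the OS CSPRNG
    conn.execute(
        "INSERT INTO device_sessions (token_hash, login, ip, browser) VALUES (?, ?, ?, ?)",
        (_hash(token), login, ip, browser),
    )
    conn.commit()
    return token


def check_token(conn: sqlite3.Connection, token: str, ip: str, browser: str,
                require_ip: bool = False) -> Optional[str]:
    """Return the login for a presented cookie, or None if it must be rejected.
    Browser must match (a cookie copied to another browser fails); IP only if requested."""
    row = conn.execute(
        "SELECT login, ip, browser FROM device_sessions WHERE token_hash = ?",
        (_hash(token),),
    ).fetchone()
    if row is None:
        return None
    login, stored_ip, stored_browser = row
    if stored_browser != browser:
        return None
    if require_ip and stored_ip != ip:
        return None
    return login


def revoke_token(conn: sqlite3.Connection, token: str) -> None:
    """Log out of one device: delete just that device's row."""
    conn.execute("DELETE FROM device_sessions WHERE token_hash = ?", (_hash(token),))
    conn.commit()


def revoke_all(conn: sqlite3.Connection, login: str) -> None:
    """Log out everywhere (e.g. after a password change): delete every row for the login."""
    conn.execute("DELETE FROM device_sessions WHERE login = ?", (login,))
    conn.commit()


def count_sessions(conn: sqlite3.Connection, login: str) -> int:
    """How many devices are currently logged in for this login."""
    return conn.execute(
        "SELECT COUNT(*) FROM device_sessions WHERE login = ?", (login,)
    ).fetchone()[0]


if __name__ == "__main__":
    # Constructed sample values; addresses are from the documentation range.
    db = open_db()
    laptop = issue_token(db, "alice", "203.0.113.5", "Firefox/115")
    phone = issue_token(db, "alice", "203.0.113.6", "Safari/17")
    print("devices logged in:", count_sessions(db, "alice"))
    print("laptop cookie from laptop browser:", check_token(db, laptop, "203.0.113.5", "Firefox/115"))
    print("laptop cookie copied into Safari:", check_token(db, laptop, "203.0.113.5", "Safari/17"))
    revoke_token(db, laptop)
    print("phone still valid after laptop logout:", check_token(db, phone, "203.0.113.6", "Safari/17"))
```

Each login from a new device is an INSERT and each logout a DELETE of one row, so there is no token array to split and join; `count_sessions` is what a "devices logged in" page would read, and `revoke_all` covers the "log out everywhere" case.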