Revision [3321]
This is an old revision of StayingLoggedIn made by NilsLindenberg on 2004-12-16 16:01:05.
Staying logged-in
The log-in information is stored in a cookie which expires after 90 days. This is quite comfortable but could be a security risk if you forget to log out in an Internet café or on a PC used by many people. To be logged out when you close the browser, change in wikka.php
function SetUser($user)
{
    $_SESSION["user"] = $user;
    $this->SetPersistentCookie("name", $user["name"]);
    $this->SetPersistentCookie("password", $user["password"]);
}
to
function SetUser($user)
{
    $_SESSION["user"] = $user;
    $this->SetSessionCookie("name", $user["name"]);
    $this->SetSessionCookie("password", $user["password"]);
}
Perhaps that should be the default and the user should have an "always logged-in" setting?
NilsLindenberg
This is much more secure, yet I think that this should be the user's decision to keep the cookie or not, through the UserSettings: maybe another field in the wikka_users table?
--ChristianBarthelemy
I agree - it's quite common to give a (registered) user a choice between a session cookie and a permanent cookie; such a choice should of course be stored in the user profile in the database. For unregistered visitors only session cookies should be used. --JavaWoman
Unregistered users need no cookie, because they have neither a username nor a password. :-) -- NilsLindenberg
I stuck some piece of code together. I know that stay_loged_in is a very uncreative name (loged-in with one or two g?), and the code needs someone to look over it. I am, for example, not sure whether an enum in the table would be better. But to my great astonishment, it seems to work. :) --NilsLindenberg
1) adding field to user table:
SQL-query:
ALTER TABLE `wikka_users` ADD `stay_loged_in` TINYINT DEFAULT '0' NOT NULL ;
2) adding a to show the status of the variable (to actions/usersettings.php after the block with
<tr>
    <td align="right">Stay logged in:</td>
    <!-- a checkbox, since the column holds a 0/1 flag; unchecked boxes are simply absent from $_POST -->
    <td><input type="checkbox" name="stay_loged_in" value="1"<?php if ($user["stay_loged_in"]) echo ' checked="checked>"' ?> /></td>
</tr>
3) added the user-table-update in actions/usersettings.php:
change:
$this->Query("update ".$this->config["table_prefix"]."users set ".
"email = '".mysql_real_escape_string($_POST["email"])."', ".
"doubleclickedit = '".mysql_real_escape_string($_POST["doubleclickedit"])."', ".
"show_comments = '".mysql_real_escape_string($_POST["show_comments"])."', ".
"revisioncount = '".mysql_real_escape_string($_POST["revisioncount"])."', ".
"changescount = '".mysql_real_escape_string($_POST["changescount"])."' ".
"where name = '".$user["name"]."' limit 1");
to
$this->Query("update ".$this->config["table_prefix"]."users set ".
"email = '".mysql_real_escape_string($_POST["email"])."', ".
"doubleclickedit = '".mysql_real_escape_string($_POST["doubleclickedit"])."', ".
"show_comments = '".mysql_real_escape_string($_POST["show_comments"])."', ".
"revisioncount = '".mysql_real_escape_string($_POST["revisioncount"])."', ".
"changescount = '".mysql_real_escape_string($_POST["changescount"])."', ".
// store exactly 0 or 1 in the TINYINT column; an unchecked checkbox is absent from $_POST
"stay_loged_in = '".(int)!empty($_POST["stay_loged_in"])."' ".
"where name = '".$user["name"]."' limit 1");
4) replace the function SetUser in wikka.php with the following one:
function SetUser($user)
{
    $_SESSION["user"] = $user;
    // the per-user flag decides whether the login cookie outlives the browser session
    if ($user["stay_loged_in"])
    {
        $this->SetPersistentCookie("name", $user["name"]);
        $this->SetPersistentCookie("password", $user["password"]);
    }
    else
    {
        $this->SetSessionCookie("name", $user["name"]);
        $this->SetSessionCookie("password", $user["password"]);
    }
}
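As an added example (not Wikka's own code), the four steps above put together in a stand-alone sketch: the submitted preference is normalised to 0 or 1 before it reaches the database, and a SetUser-style function picks a cookie that either expires with the browser session or after the 90 days the page mentions. The function names and the plain setcookie() calls are assumptions for illustration.

```php
<?php
// Added example, not Wikka's code: how the "stay logged in" flag selects
// between a session cookie and a persistent cookie.

define('PERSISTENT_COOKIE_LIFETIME', 90 * 24 * 60 * 60); // 90 days, as on the page

// Normalise the submitted preference to exactly 0 or 1 before storing it.
// A checkbox is absent from $_POST when unchecked, and a text field may
// contain anything, so neither should reach the TINYINT column unfiltered.
function stayLoggedInFromPost($post)
{
    return (int) !empty($post['stay_loged_in']);
}

// Expiry 0 means the cookie is discarded when the browser is closed.
function setSessionCookie($name, $value)
{
    setcookie($name, $value, 0, '/');
}

// An absolute expiry time keeps the cookie across browser restarts.
function setPersistentCookie($name, $value)
{
    setcookie($name, $value, time() + PERSISTENT_COOKIE_LIFETIME, '/');
}

// Counterpart of Wikka's SetUser(): the per-user flag decides the cookie kind,
// so only users who opted in keep a login cookie after closing the browser.
function setUser($user)
{
    $_SESSION['user'] = $user;
    $setter = $user['stay_loged_in'] ? 'setPersistentCookie' : 'setSessionCookie';
    $setter('name', $user['name']);
    $setter('password', $user['password']);
}

// Usage in the settings action (constructed flow): store the normalised flag,
// then re-issue the cookies so the new choice takes effect immediately.
// $user['stay_loged_in'] = stayLoggedInFromPost($_POST);
// setUser($user);
```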
Might I suggest moving this code/topic to its own page and adding it to CodeContributions. I think it's a useful little add-in and should have its own place now that there's a bit of a solution for the issue. Well done Nils. -- Mike (GmBowen)
Thank you. But it seems like you have come to like the "different issue, different page" thing ;-) --NilsLindenberg
CategoryDevelopment