standard easy way to set up a registration/logon cookie? [message #176344]
Mon, 26 December 2011 17:23
The Natural Philosoph
Someone wants to set up a specialist discussion site: I want to keep it
simple so I don't want to use a pre packaged solution.
Essentially he needs to let users comment on topics, and have some
control over spam and abuse, hence registration and a name/password combo.
But given the technical lack of sophistication of the target audience,
persistent cookies would be a good thing to allow them to stay logged in
indefinitely (or not if they desire)
I'd like to hand out some random cookie when they register, or log in
and stick it in the database, together with a time value which, if they
don't want to 'persist' would be ignored if it was out of date.
Then write a simple PHP module that says 'if the cookie is valid, you
are Joe Bloggs and you can post away' else if not, throw them into a
login/registration screen.
Is 'sessions' any real help here? Or is it just easier to set and
retrieve a cookie at a more basic level?
Re: standard easy way to set up a registration/logon cookie? [message #176345 is a reply to message #176344]
Mon, 26 December 2011 17:50
houghi
The Natural Philosopher wrote:
> Someone wants to set up a specialist discussion site: I want to keep it
> simple so I don't want to use a pre packaged solution.
Simple in layout? Simple in options? Simple in maintenance? Simple in
coding? Simple for the users?
> Essentially he needs to let users comment on topics, and have some
> control over spam and abuse, hence registration and a name/password combo.
I would go for a pre-packaged solution. That would be simple for the
developer. Just turn off anything you do not want or need. When you
start developing from 0, you will at some point in the future be asked
to add X, Y and Z and then you will notice how you need to start over
again, because that specific task is not possible.
> But given the technical lack of sophistication of the target audience,
> persistent cookies would be a good thing to allow them to stay logged in
> indefinitely (or not if they desire)
>
> I'd like to hand out some random cookie when they register, or log in
> and stick it in the database, together with a time value which, if they
> don't want to 'persist' would be ignored if it was out of date.
>
> Then write a simple PHP module that says 'if the cookie is valid, you
> are Joe Bloggs and you can post away' else if not, throw them into a
> login/registration screen.
>
> Is 'sessions' any real help here? Or is it just easier to set and
> retrieve a cookie at a more basic level?
Session cookies are for, uh, sessions. I would just create a semi-random
cookie that is linked to the user. This can easily (from the user's
point of view) be enabled or disabled with "Please keep me logged in" or
something similar. If this is set, the cookie is set, if not it isn't.
You could even link it to the last time logged in and if it is more than
1 week or 1 month ago, logging in is a must.
You could even do it in ASP as this whole thing has not much to do with
php.
houghi
--
This is written under the influence of the following:
> Artist : Herbert Grönemeyer
> Song : Mass aller Dinge
> Album : Sprünge
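The scheme discussed in the two posts above (a random cookie value handed out at login when "keep me logged in" is chosen, stored in the database with a time value, and checked on each request), as an added PHP example that is not code from any poster in this thread. The table `login_tokens`, the function names, the cookie name `remember` and the 30-day lifetime are assumptions; only a SHA-256 hash of the token is stored, so a leaked table cannot be replayed as cookies.

```php
<?php
declare(strict_types=1);
const REMEMBER_TTL = 30 * 24 * 3600; // assumed lifetime: 30 days

// Call after a successful password login, only when "keep me logged in" is ticked.
function issueToken(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    $db->prepare('INSERT INTO login_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now + REMEMBER_TTL]);
    return $token; // the server keeps only the hash
}

// Returns the user id for a valid, unexpired token, or null (show the login form).
function userForToken(PDO $db, string $token, int $now): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/D', $token)) {
        return null; // malformed cookie value
    }
    $stmt = $db->prepare('SELECT user_id FROM login_tokens WHERE token_hash = ? AND expires > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Log-out: delete the row so a copied cookie stops working.
function revokeToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// In a web request, call before any output is sent.
function sendCookie(string $token, int $now): void
{
    setcookie('remember', $token, ['expires' => $now + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed walk-through on an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
$now = time();
$token = issueToken($db, 7, $now);                          // constructed user id 7
var_dump(userForToken($db, $token, $now));                  // fresh token
var_dump(userForToken($db, $token, $now + REMEMBER_TTL));   // at expiry
revokeToken($db, $token);
var_dump(userForToken($db, $token, $now));                  // after log-out
```

The array form of `setcookie()` needs PHP 7.3 or later, and the `secure` flag means the cookie is only sent over HTTPS.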
Re: standard easy way to set up a registration/logon cookie? [message #176346 is a reply to message #176344]
Mon, 26 December 2011 21:40
Allodoxaphobia
On Mon, 26 Dec 2011 17:23:08 +0000, The Natural Philosopher wrote:
> Someone wants to set up a specialist discussion site: I want to keep it
> simple so I don't want to use a pre packaged solution.
>
> Essentially he needs to let users comment on topics, and have some
> control over spam and abuse, hence registration and a name/password combo.
>
> But given the technical lack of sophistication of the target audience,
> persistent cookies would be a good thing to allow them to stay logged in
> indefinitely (or not if they desire)
>
> I'd like to hand out some random cookie when they register, or log in
> and stick it in the database, together with a time value which, if they
> don't want to 'persist' would be ignored if it was out of date.
>
> Then write a simple PHP module that says 'if the cookie is valid, you
> are Joe Bloggs and you can post away' else if not, throw them into a
> login/registration screen.
>
> Is 'sessions' any real help here? Or is it just easier to set and
> retrieve a cookie at a more basic level?
So, you're expecting (or, demanding?) same computer::same person?
Jonesy
Re: standard easy way to set up a registration/logon cookie? [message #176347 is a reply to message #176344]
Mon, 26 December 2011 23:00
r.mariotti
On Mon, 26 Dec 2011 17:23:08 +0000, The Natural Philosopher
<tnp(at)invalid(dot)invalid> wrote:
> Someone wants to set up a specialist discussion site: I want to keep it
> simple so I don't want to use a pre packaged solution.
>
> Essentially he needs to let users comment on topics, and have some
> control over spam and abuse, hence registration and a name/password combo.
>
> But given the technical lack of sophistication of the target audience,
> persistent cookies would be a good thing to allow them to stay logged in
> indefinitely (or not if they desire)
>
> I'd like to hand out some random cookie when they register, or log in
> and stick it in the database, together with a time value which, if they
> don't want to 'persist' would be ignored if it was out of date.
>
> Then write a simple PHP module that says 'if the cookie is valid, you
> are Joe Bloggs and you can post away' else if not, throw them into a
> login/registration screen.
>
> Is 'sessions' any real help here? Or is it just easier to set and
> retrieve a cookie at a more basic level?
>
You might want to consider looking at what's available as a CMS
specific for forums. You would search network.acquia.com or
drupal.org for plug in solutions.
Just my $.02 worth.
Re: standard easy way to set up a registration/logon cookie? [message #176348 is a reply to message #176346]
Tue, 27 December 2011 17:47
houghi
Allodoxaphobia wrote:
> So, you're expecting (or, demanding?) same computer::same person?
The way you put it, it means "same browser::same person". I would say
that is a reasonable fair expectation for the majority of users.
Especially with something as low-level security as this.
Something like "Keep me logged in" next to a login and password and
re-activated when you select log-out should do the trick. Default must
be off.
Also any changes should then be confirmed by email so hackers can not
change your settings. Should be enough.
houghi
--
This is written under the influence of the following:
> Artist : Diverse
> Song : John Travolta / You're The One That I Want
> Album : Grease (Soundtrack)
Re: standard easy way to set up a registration/logon cookie? [message #176351 is a reply to message #176346]
Tue, 27 December 2011 20:49
The Natural Philosoph
Allodoxaphobia wrote:
> On Mon, 26 Dec 2011 17:23:08 +0000, The Natural Philosopher wrote:
>> Someone wants to set up a specialist discussion site: I want to keep it
>> simple so I don't want to use a pre packaged solution.
>>
>> Essentially he needs to let users comment on topics, and have some
>> control over spam and abuse, hence registration and a name/password combo.
>>
>> But given the technical lack of sophistication of the target audience,
>> persistent cookies would be a good thing to allow them to stay logged in
>> indefinitely (or not if they desire)
>>
>> I'd like to hand out some random cookie when they register, or log in
>> and stick it in the database, together with a time value which, if they
>> don't want to 'persist' would be ignored if it was out of date.
>>
>> Then write a simple PHP module that says 'if the cookie is valid, you
>> are Joe Bloggs and you can post away' else if not, throw them into a
>> login/registration screen.
>>
>> Is 'sessions' any real help here? Or is it just easier to set and
>> retrieve a cookie at a more basic level?
>
> So, you're expecting (or, demanding?) same computer::same person?
>
No.
Just that if that IS the case, then the need to endlessly login is
nullified.
There are few, if any, security implications.
> Jonesy
Re: standard easy way to set up a registration/logon cookie? [message #176352 is a reply to message #176348]
Tue, 27 December 2011 20:59
The Natural Philosoph
houghi wrote:
> Allodoxaphobia wrote:
>> So, you're expecting (or, demanding?) same computer::same person?
>
> The way you put it, it means "same browser::same person". I would say
> that is a reasonable fair expectation for the majority of users.
> Especially with something as low-level security as this.
>
> Something like "Keep me logged in" next to a login and password and
> re-activated when you select log-out should do the trick. Default must
> be off.
>
And the 'You are logged in as Jo Bloggers, if this is not the case
please hit the login button' should be easy enough..
> Also any changes should then be confirmed by email so hackers can not
> change your settings. Should be enough.
>
Since there is very little the user CAN* do apart from post blogs it's no
big deal if they do get hacked...all the more important admin stuff is
behind another barrier anyway.
>
Yes. It seems setting a single cookie is easy enough with the PHP tools
so that's what I'll do.
Spent all yesterday fine tuning something else anyway.. I finally have a
file upload button that works across all browsers and looks the same in
each. Yay!
As well as arriving at what, in retrospect, I should have guessed: That the
only sans serif font you can reasonably find that is truly cross (most)
platform(s) and looks very similar in all, is Arial.
Many thanks..by the way to all, It looks like sessions is more than is
needed..a simple cookie suffices.
> houghi
* If I write the rest well enough anyway.
Re: standard easy way to set up a registration/logon cookie? [message #176353 is a reply to message #176347]
Tue, 27 December 2011 21:06
The Natural Philosoph
r(dot)mariotti(at)fdcx(dot)net wrote:
> On Mon, 26 Dec 2011 17:23:08 +0000, The Natural Philosopher
> <tnp(at)invalid(dot)invalid> wrote:
>
>> Someone wants to set up a specialist discussion site: I want to keep it
>> simple so I don't want to use a pre packaged solution.
>>
>> Essentially he needs to let users comment on topics, and have some
>> control over spam and abuse, hence registration and a name/password combo.
>>
>> But given the technical lack of sophistication of the target audience,
>> persistent cookies would be a good thing to allow them to stay logged in
>> indefinitely (or not if they desire)
>>
>> I'd like to hand out some random cookie when they register, or log in
>> and stick it in the database, together with a time value which, if they
>> don't want to 'persist' would be ignored if it was out of date.
>>
>> Then write a simple PHP module that says 'if the cookie is valid, you
>> are Joe Bloggs and you can post away' else if not, throw them into a
>> login/registration screen.
>>
>> Is 'sessions' any real help here? Or is it just easier to set and
>> retrieve a cookie at a more basic level?
>>
>
> You might want to consider looking at what's available as a CMS
> specific for forums. You would search network.acquia.com or
> drupal.org for plug in solutions.
> Just my $.02 worth.
I might, except for two things.
I can code faster than I can discover how other people's abortions work.
The amount of probes on my site already looking for proprietary solution
code that isn't there because I haven't installed any leads me to
believe that other peoples' solutions (unless you understand them fully)
are a massive invitation to hackers:
At least this way there is very little I need to guard against beyond
the stock SQL injection attacks and the search for unguarded scannable
directories.
It is the case that as with so many things I have implemented in real
life, buying someone else's solution and learning how to make it do the
70% of what you want that it is capable of doing, is often more time
consuming than writing the 99% solution yourself.
When trying to make an electric toy van, it ill behoves one to start
with a train set..