One of my customers needed the ability to allow shoppers to log in to the osCommerce shop and then stay logged in for 24 hours. There are some half-thought-out addons, all out of date and/or insecure.
I proposed a new way to do things:
1. Have a “remember me” checkbox on the login form
At this point, whilst logging in, the customer can tick the box or not. If not, everything works as in a normal osCommerce shop. Let’s assume they ticked the box. What happens next:
2. A 24-hour cookie is set, which contains a random, unguessable code tied to that customer (it is the only thing the browser holds, so it must not be derivable from the customer ID or email)
3. That code is saved into a database table along with supporting information (the customer it belongs to, when it was issued and when it expires)
4. On each request the code looks for the cookie, checks its parameters against the stored record (the code must match and must not have expired) and auto-logs the customer in if the parameters allow it
Easy, simple, secure. NO CORE CODE CHANGES!
Then my customer decided that logged-in customers should have a 4-hour timeout when accessing certain areas of the site – checkout, account functions and so on. This gives an extra layer of security…
To enable this, I coded up a really cool system – which looks up the cookie parameters, sees that it is over 4 hours old and then produces a modal overlay containing a password form field. Wrong password => no access. Correct password => carry on.
Easy, simple, secure. NO CORE CODE CHANGES!
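To make the four steps above and the 4-hour re-authentication rule concrete, here is an added example written for this page; it is not the addon’s code and not part of the original post. It assumes a table called `remember_me`, a cookie called `remember_token`, PHP 7.3 or later (for the `setcookie` options array) and an in-memory SQLite database so it runs offline; a real shop would point the PDO handle at its MySQL database. The token is 256 random bits, only its SHA-256 hash is stored, the 24-hour expiry is enforced in the query as well as in the cookie, and `needs_reauth()` is what a checkout or account page would call before deciding whether to show the password modal.

```php
<?php
// Added example (not the post's code): "remember me" token with a 24 h cookie
// and a 4 h re-authentication window, backed by a small SQLite table.
// Table/column names and the 'remember_token' cookie name are assumptions.
declare(strict_types=1);

const COOKIE_NAME     = 'remember_token';
const COOKIE_LIFETIME = 24 * 3600;   // the 24 hour cookie
const REAUTH_WINDOW   = 4 * 3600;    // sensitive areas ask for the password again after this

function open_db(): PDO {
    // In-memory SQLite so the example runs offline; osCommerce would use its MySQL connection.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE remember_me (
        token_hash       TEXT PRIMARY KEY,
        customers_id     INTEGER NOT NULL,
        created_at       INTEGER NOT NULL,
        last_verified_at INTEGER NOT NULL,
        expires_at       INTEGER NOT NULL)');
    return $db;
}

// Steps 2 and 3: mint an unguessable token, store only its hash, hand the raw value to the cookie.
function issue_remember_token(PDO $db, int $customer_id, int $now): string {
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO remember_me VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $customer_id, $now, $now, $now + COOKIE_LIFETIME]);
    return $token;
}

function set_remember_cookie(string $token, int $now): void {
    // HttpOnly keeps page scripts away from it, Secure keeps it off plain HTTP.
    setcookie(COOKIE_NAME, $token, [
        'expires' => $now + COOKIE_LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Step 4: resolve a presented cookie to a stored record, or null if unknown or expired.
function lookup_remember_token(PDO $db, string $token, int $now): ?array {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                                     // reject anything we could not have minted
    }
    $stmt = $db->prepare('SELECT * FROM remember_me WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The 4 hour rule: checkout/account pages call this and show the password modal when it returns true.
function needs_reauth(array $row, int $now): bool {
    return ($now - (int)$row['last_verified_at']) >= REAUTH_WINDOW;
}

// Correct password in the modal => refresh the verification time; the cookie itself is unchanged.
function record_reauth(PDO $db, string $token, int $now): void {
    $stmt = $db->prepare('UPDATE remember_me SET last_verified_at = ? WHERE token_hash = ?');
    $stmt->execute([$now, hash('sha256', $token)]);
}

// Logout revokes server side; clearing the browser cookie alone would leave the record usable.
function revoke_remember_token(PDO $db, string $token): void {
    $db->prepare('DELETE FROM remember_me WHERE token_hash = ?')->execute([hash('sha256', $token)]);
}

if (PHP_SAPI === 'cli') {
    $db  = open_db();
    $t0  = 1700000000;                                   // constructed clock, in seconds
    $tok = issue_remember_token($db, 42, $t0);

    $row = lookup_remember_token($db, $tok, $t0 + 3600);
    echo 'browsing after 1h: customer ', $row['customers_id'],
         ', reauth=', var_export(needs_reauth($row, $t0 + 3600), true), PHP_EOL;

    $row = lookup_remember_token($db, $tok, $t0 + 5 * 3600);
    echo 'checkout after 5h: reauth=', var_export(needs_reauth($row, $t0 + 5 * 3600), true), PHP_EOL;

    record_reauth($db, $tok, $t0 + 5 * 3600);
    $row = lookup_remember_token($db, $tok, $t0 + 5 * 3600);
    echo 'after password: reauth=', var_export(needs_reauth($row, $t0 + 5 * 3600), true), PHP_EOL;

    var_dump(lookup_remember_token($db, $tok, $t0 + 25 * 3600));  // NULL: the 24 h expiry holds server side
    var_dump(lookup_remember_token($db, 'not-a-token', $t0));     // NULL: malformed cookie value
    revoke_remember_token($db, $tok);
    var_dump(lookup_remember_token($db, $tok, $t0));              // NULL: revoked at logout
}
```

The point of hashing the stored value is that a dump of the `remember_me` table does not hand an attacker working cookies, and the point of checking `expires_at` in the query is that a browser which keeps the cookie past 24 hours (or an attacker replaying a captured one) still gets nothing. The 4-hour check keys off `last_verified_at` rather than the cookie’s creation time so that a correct password in the modal resets the window without issuing a new cookie.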
All this was done with the Hook system, so just a few lines of hook calls to add to certain files. Super simple, super effective and allows customers to browse all day with no logoff (which is incredibly annoying as we all know).