Community Member

Keep me logged in

Hi all


Can someone please explain to me how exactly "keep me logged in" works?


Community Member

I don't really think it does; it might just be because I run Linux only and not a PC or Mac.


The concept behind it, though, is that when a user chooses "Keep me logged in", the browser downloads a permissions cookie for the session to store in your temporary internet files or browser cache. This cookie is automatically read by the browser when the site is loaded, and your access credentials are transmitted in order to continue a session.


Depending on the method employed by UpWork, you have the less secure salty version that looks something like this:



The better, more secure way is to never let a user's information leave the server, except for the id.

When the user logs in and chooses "keep me logged in" it generates a large (128 to 256 bit) random token. The token is a generated number.

To show how absurdly large that number is, let's imagine every server on the internet (let's say 50,000,000 today) trying to brute-force that number at a rate of 1,000,000,000 per second each. In reality, your servers would melt under such load, but let's play this out.

guesses_per_second = servers * guesses
guesses_per_second = 50,000,000 * 1,000,000,000
guesses_per_second = 50,000,000,000,000,000

So 50 quadrillion guesses per second. That's fast! Right?

time_to_guess = possibilities / guesses_per_second
time_to_guess = 3.4e38 / 50,000,000,000,000,000
time_to_guess = 6,800,000,000,000,000,000,000

So 6.8 sextillion seconds...

Let's try to bring that down to more friendly numbers.

215,626,585,489,599 years

Or even better:

47917 times the age of the universe

Yes, that's 47917 times the age of the universe...

Basically, it's not going to be cracked.

So to sum up:

This is how the code for a "keep me logged in" function looks:

function onLogin($user) {
    $token = GenerateRandomToken(); // generate a token, should be 128 - 256 bit
    storeTokenForUser($user, $token); // keep the token server-side for later comparison
    $cookie = $user . ':' . $token;
    $mac = hash_hmac('sha256', $cookie, SECRET_KEY); // MAC over user:token with a server-only key
    $cookie .= ':' . $mac;
    setcookie('rememberme', $cookie);
}

Then, to validate:

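function rememberMe() {
    $cookie = isset($_COOKIE['rememberme']) ? $_COOKIE['rememberme'] : '';
    if ($cookie) {
        // Expect exactly user:token:mac; anything else is malformed
        $parts = explode(':', $cookie);
        if (count($parts) !== 3) {
            return false;
        }
        list ($user, $token, $mac) = $parts;
        // Check the MAC in constant time before trusting any field
        if (!hash_equals(hash_hmac('sha256', $user . ':' . $token, SECRET_KEY), $mac)) {
            return false;
        }
        $usertoken = fetchTokenByUserName($user);
        // Compare against the stored token, also in constant time
        if (is_string($usertoken) && hash_equals($usertoken, $token)) {
            logUserIn($user);
        }
    }
}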

It's all pretty simple and completely useless if your browser is set to clear out temp data whenever you close the browser. For security reasons I would suggest never using the function, since the MD5 method is the most common and incredibly easy to crack.


I sure hope that helps
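
An added example, not part of the post above and not Upwork's code: it runs the random-token-plus-HMAC scheme from the post end to end and shows which cookies the validation step rejects. Beyond the post, it stores only a hash of the token and consumes the token on first use. Assumptions: `$store` is a constructed in-memory stand-in for a database table, `SECRET_KEY` is a constructed demo value, `issueCookie` and `checkCookie` are hypothetical names, and user ids contain no `:`.

```php
<?php
// Added example. SECRET_KEY is a constructed demo value; a real key lives
// only on the server and never in source control.
const SECRET_KEY = 'constructed-demo-key';

// Issue a remember-me cookie value of the form user:token:mac.
function issueCookie(array &$store, string $user): string {
    $token = bin2hex(random_bytes(32));      // 256-bit token from the CSPRNG
    $store[$user] = hash('sha256', $token);  // server keeps only a hash of it
    $body = $user . ':' . $token;
    return $body . ':' . hash_hmac('sha256', $body, SECRET_KEY);
}

// Return the user id for a valid cookie, or null if it must be rejected.
function checkCookie(array &$store, string $cookie): ?string {
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;                         // malformed cookie
    }
    [$user, $token, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . ':' . $token, SECRET_KEY);
    if (!hash_equals($expected, $mac)) {
        return null;                         // a field was altered
    }
    if (!isset($store[$user])
        || !hash_equals($store[$user], hash('sha256', $token))) {
        return null;                         // unknown, revoked or used token
    }
    unset($store[$user]);                    // single use: issue a fresh cookie
    return $user;
}

// Constructed walk-through with an in-memory store.
$store  = [];
$cookie = issueCookie($store, 'alice');
$forged = preg_replace('/^alice/', 'bob', $cookie); // user field swapped

var_dump(checkCookie($store, $forged));  // altered user field
var_dump(checkCookie($store, 'alice'));  // wrong number of fields
var_dump(checkCookie($store, $cookie));  // untouched cookie, first use
var_dump(checkCookie($store, $cookie));  // same cookie replayed
```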

