Post by Andaho » Sun Dec 08, 2013 7:11 am

In OpenCart, why is there no option for the customer to "Stay logged in", "Remember me" or "Log me on automatically each visit"? Almost every other store I can think of has this feature.

I found a couple of extensions that do this:

http://www.opencart.com/index.php?route ... n_id=10567

http://www.opencart.com/index.php?route ... n_id=13372

But there is such limited information available on these extensions, and such low ratings.


Post by butte » Mon Dec 09, 2013 7:55 am

Staying logged into an admin area whether you are there or not is not ideal security. If you stay logged in, it knows you are there unless you try going in twice in the same browser session (as admin or also as customer) or do something dreadful to your cookie. If you are not logged in, it knows your user/pass and will give you a new cookie. Your BROWSER can be told to remember the user/pass and to insert it when you arrive. The usual "remember me" typically means that your address is remembered by the server and if YOU change machines, then you must suffer a song and dance routine and a pony show in order to get back in, again.

Extensions for purposes you raised are probably of limited use and value anyway for practical and security reasons. Low ratings usually do not bode well for extensions.


Post by Andaho » Wed Dec 11, 2013 3:00 pm

I'm worried that these extensions will store the user email and password as a cookie on the customer's computer - which wouldn't be secure at all...

As for storing passwords in the browser, I don't believe in that practice, and as an IT techie, I highly recommend nobody does it: some viruses are written specifically for retrieving browser-saved passwords and other saved form info (including full name and address, credit card numbers etc., opening you up not only to basic fraud but even identity theft!), therefore it is not secure. Some people may argue "just use a good anti-virus and keep the virus definitions up to date", but no anti-virus can detect every virus out there. And before a definition can be written for a virus, the AV company has to first come across it and analyse it.

As far as I'm aware, other sites, such as this phpBB forum for example (or any other shopping site like Amazon), don't store the username/password in the cookie, just a unique ID hash for the server to remember you:

From googling 'how to store login info in a cookie', the hash should be made up of:
1) Something they know that you don't know (password, or part of the password)
2) Something you know that they don't know (auto-generated hash stored in their user table, the microtime of their signup time, etc)
3) A fixed salt that no user knows.

I'm very careful when it comes to my own security and personal information, but I intend to be even more careful with my customers' info... But I still believe in convenience for my customers, so I'd like a "remember me" checkbox on my store, just like the one on this forum.

I've just looked at all the online shops in my bookmarks, and ALL of them remember my login... But OpenCart breaks the convenience myself and other customers are used to. Why?

Why is this basic function missing? How can I add it (securely)?

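The design described above (a cookie that holds only an opaque identifier for the server to look up, never the email or password) as an added example in PHP; this is not OpenCart's code nor any of the extensions discussed, and it uses a random token hashed server-side rather than the hash-of-password recipe from the search result. The cookie name, table name and column names are assumptions.

```php
<?php
// Added example, not OpenCart's own code: a "remember me" cookie that carries
// only an opaque random token. The server stores a hash of that token, never
// the customer's email or password. Table/column names are assumed; the
// setcookie() options array needs PHP 7.3 or later.
const REMEMBER_COOKIE = 'oc_remember';  // assumed cookie name
const REMEMBER_DAYS   = 30;

// Call after a successful password login when the "remember me" box is ticked.
function issueRememberToken(PDO $db, int $customerId): void
{
    $selector  = bin2hex(random_bytes(12));  // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret half, lives only in the cookie
    $expires   = time() + REMEMBER_DAYS * 86400;
    // Only a hash of the validator is stored, so a leaked table cannot be replayed.
    $stmt = $db->prepare('INSERT INTO customer_remember
        (selector, validator_hash, customer_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $customerId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Call on a request with no live session. Returns the customer id, or null if
// the cookie is absent, malformed, expired or does not match the stored hash.
function customerFromRememberCookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);
    $stmt = $db->prepare('SELECT validator_hash, customer_id, expires FROM customer_remember WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the hashed cookie half with the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['customer_id'];
}
```

A session restored this way should be flagged as "remembered" so that checkout and account pages still ask for the password, which is the behaviour requested later in the thread.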

Post by butte » Thu Dec 12, 2013 3:15 am

Basic functionality is not missing. The token system is meant not to be lax, let alone for mere convenience. You're asking for a safe way to poke holes in it. You can tell WHETHER extensions send log-ins into cookies by reading the extensions' own innards.


Post by Andaho » Thu Dec 12, 2013 5:17 am

butte wrote: Basic functionality is not missing.
I think you misunderstand... every other site I know that uses a login allows the user credentials to be 'remembered'... This forum is no exception. If EVERY other website I know uses it, how is it not basic functionality?

As a metaphor:

I expect my car radio to remember the station I was tuned into, and to remember the preset buttons I have programmed... If I had to retune the radio every time I got in the car, I'd be pissed off, and consider the car radio to be missing basic functionality.
butte wrote: The token system is meant not to be lax, let alone for mere convenience. You're asking for a safe way to poke holes in it. You can tell WHETHER extensions send log-ins into cookies by reading the extensions' own innards.
I'm not asking for a safe way to poke holes in anything... session cookies are separate from persistent cookies.

I cannot check what the extensions do before purchasing them. However, I did get an email response from one, and they stated it stores the user email and password in the cookie, so that's a definite no-go, and it not only deserves 0/5 stars but should be deleted for being so insecure.

But, I guess I'm just having a rant here :( I guess the only way I can get this 'basic functionality' is if I pay a programmer to write an extension for me :-\ And that's not an option, so I guess I'll just have to live with it.


Post by Qphoria » Thu Dec 12, 2013 5:43 am

Andaho wrote: I'm worried that these extensions will store the user email and password as a cookie on the customer's computer - which wouldn't be secure at all...
Why? That is what ALL sites do that have this option. Usually the browser offers the option to store the full details, but for sites that have the checkbox to offer to save username, they are just using a cookie. They have no other way to know who you are without that cookie. Cookies are harmless and safe, but you should only be using cookies that save user id on private computers.


Post by Andaho » Thu Dec 12, 2013 6:50 am

Qphoria wrote:
Andaho wrote: I'm worried that these extensions will store the user email and password as a cookie on the customer's computer - which wouldn't be secure at all...
Why? That is what ALL sites do that have this option. Usually the browser offers the option to store the full details, but for sites that have the checkbox to offer to save username, they are just using a cookie. They have no other way to know who you are without that cookie. Cookies are harmless and safe, but you should only be using cookies that save user id on private computers.
From what I understand, that way is insecure, and I don't think anywhere respectable would do that... I believe they save a unique hash that identifies the user, not the actual form field entries of the user email and password... For example, I have a cookie from forum.opencart.com with a random name (maybe this is my identifier, maybe it's a different one) that contains the value "ae295847264ed08af5ed06e10fede60e" (I changed a few numbers to prevent misuse). On Amazon and Google the cookie is a much longer random string... On my store, I see 2 cookies: "currency: GBP" and "language: en", in plain text. It wouldn't be secure to have a username and password saved in plain text...

Here is a question with a relevant top answer on the issue: http://security.stackexchange.com/quest ... ember-me-l


Post by Qphoria » Thu Dec 12, 2013 10:25 pm

Andaho wrote:
Qphoria wrote:
Andaho wrote: I'm worried that these extensions will store the user email and password as a cookie on the customer's computer - which wouldn't be secure at all...
Why? That is what ALL sites do that have this option. Usually the browser offers the option to store the full details, but for sites that have the checkbox to offer to save username, they are just using a cookie. They have no other way to know who you are without that cookie. Cookies are harmless and safe, but you should only be using cookies that save user id on private computers.
From what I understand, that way is insecure, and I don't think anywhere respectable would do that... I believe they save a unique hash that identifies the user, not the actual form field entries of the user email and password...
OK, so it may not be saved in plaintext, but the logistics are still based on a cookie. Most likely some basic base64 encoding is done to it, but it is easily reversible.

I just tried on Sprint.com, which is the number cell phone carrier in the USA, and I checked the box for "save username"; when I look at the cookies I can see it is plaintext along with other info: (attached)

While maybe not the best idea to store it as plaintext, the security threat is rather low. It doesn't store the password.

Attachment: sprint_cookie.jpg


Post by Andaho » Fri Dec 13, 2013 2:32 am

Hmm, yes, well, functionality for the username to be remembered would be cool... but with it prompting for your password when trying to access the checkout or account info pages.

If you can make a mod for that I'll buy it :)


Post by Andaho » Mon Mar 17, 2014 2:30 am

Andaho wrote: Hmm, yes, well, functionality for the username to be remembered would be cool... but with it prompting for your password when trying to access the checkout or account info pages.

If you can make a mod for that I'll buy it :)
Bump, does anything like this exist? I'd still like it.


Post by butte » Wed Mar 19, 2014 11:40 pm

Perhaps you're seeing plain text names and such owing to OS or browser settings. In OC, forum, telco, bank, etc., with Firefox (any version), I see only gibberish cookies whose purpose is to bridge, in gibberish, between what the server knows and what my machine and I know in plain English about accounts. Browser choice may matter. In addition to other reasons for disliking both IE and Chrome, both of them stuff cookies everywhere, in their mouths, pockets, and underwear, under the rugs and in closets and pantries, where eradicating all of their cookies requires maneuvering at the command line to expunge those there. Firefox puts cookies in one place, permits me to allow only session cookies and no third party (marketeer) cookies, and expunges them when told to do so at intervals and upon exiting. Since eradicating cookies reverses conspicuous slowdowns, it does appear that many cookies cause conspicuous slowdowns, so partly for that I clear them frequently.

If OC is prompting for log-in while a customer is already logged in, then perhaps the customer has either interrupted the session in the browser or exited and reentered the browser or used two browsers or the like. If OC is prompting for log-in while a customer already has a bona fide, current, active session, then something isn't right.


Post by Andaho » Fri Mar 28, 2014 9:27 am

butte wrote: ...If OC is prompting for log-in while a customer already has a bona fide, current, active session, then something isn't right.
Oh no, it's not timing out during a session. I'm just a little disappointed that the feature to at least remember a user's email address is missing. And I can't find an extension to do it either: as I said above, there are a few extensions for "remember me", but it looks like they all save the email and password in a cookie, which isn't secure.
