Larry Ullman's Book Forums


Hi everybody. Anyone thinking about adding a checkbox named "Remember me" that is shown after a correct login? So that the user is automatically logged in when entering the page.

I guess it has to do something about setting a cookie on the user's PC that never expires and then telling the database that this cookie shall log in the user.

This could be convenient on sites with lower security demands.


Hello muucho,

 

Not quite, it does set a cookie, but an expiration date that never expires isn't great programming in my eyes. You'd be better off setting it for 1 week or 1 month and then when the person logs back in the cookie is refreshed.

Most browsers have facilities to remember your passwords so "remember me" cookies are kinda becoming obsolete in my opinion.


I don't think it's possible to set a cookie that never expires. If you set no expiration date, then the cookie only lasts as long as the current browser session. It's just a cookie with a long expiration.

 

And I agree with Jonathon about the need. I've never felt that they are all that necessary, but some people still expect them, I guess.


Thank you both. It's fine for me to set cookie to expire after let's say 3 weeks.

So, if you log in you'll get a cookie that expires after a while (depending on some Apache settings or some setting in a .ini-file?)

 

A session sets a cookie in the user's computer, right? Can I use the same cookie but add expiration info?

Can you hint how to do it if I want to add a remember me checkbox (maybe a button is better since we do server side code?)

 

Best regards, muuucho, Sweden


Use a checkbox to "remember you". Then validate all your inputs like you would normally.

If there are no errors, check for the "remember me box", if it's checked then set the username and password in 2 cookies ($_COOKIE['username']) and add an expiry time.

 

You should really use SHA hashes of the cookies as they are not safe.

 

There are a lot of articles and fuller resources on this. I'm just giving you a starting block. ;)


I'm skeptical about the idea of storing the password and username (i.e., the login info) in a cookie, in a hashed version or not. I'd be inclined to do this... When the user logs in, if the "Remember Me" box is checked, add a random hash to a column in the users table. Then, when they return, the system can check for that stored hash. For added security, you could also store the hash of the username (or whatever) in a cookie, but I wouldn't store the password. You should also salt the hashes, to be safe.


What about this:

session_set_cookie_params(1200);
session_start();

Doesn't this keep you logged in for 20 minutes?

If I just add something like:

if ("remember me for 20 minutes" is checked){session_set_cookie_params(1200);}
session_start();


I'm skeptical about the idea of storing the password and username (i.e., the login info) in a cookie, in a hashed version or not. I'd be inclined to do this... When the user logs in, if the "Remember Me" box is checked, add a random hash to a column in the users table.

 

Yes, I never thought of that.

 

What about this:

session_set_cookie_params(1200);
session_start();

Doesn't this keep you logged in for 20 minutes?

If I just add something like:

if ("remember me for 20 minutes" is checked){session_set_cookie_params(1200);}
session_start();

 

That is 20 minutes but why would you want such a short cookie expiry time?


Jonathon: Simply because I was too lazy to calculate how many sec there are in one week. It should of course have been 60*60*24*7.

But if I close my browser and then come back I'm kicked out if my break is longer than approx say 2 minutes.


  • 1 month later...

Hi again. I've done it like this, does it seem OK in your eyes?

If remember me is checked the script generates a random number to which I add salt and then hash it. (By the way, does it do any good to security to add salt or hash it?) It's then stored as a cookie in the user's browser and in a new column "cookies" in table "users".

I have set the cookie to 4 weeks.

If the user returns to the page within this time the login script looks for the cookie and compares it to all values in the "cookies" column of the users table. It finds a match and sets the user's session data like when an ordinary login attempt is carried out. Also it gives a new 4 weeks to the cookie.

 

Best Regards, muuucho


That's excellent and thanks for sharing. One change I'd make is use PHP's uniqid() function to create a unique identifier, which is then stored in the cookie and the session. That'd be better than salting and hashing a number.


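The scheme the thread arrives at (a random value kept both in the users table and in a four-week cookie, renewed on each return), written out as an added PHP example that is not code from any poster. It takes the token from random_bytes() rather than uniqid() or a salted and hashed number, because the PHP manual states that uniqid() does not generate cryptographically secure values, and it stores only a SHA-256 hash of the token server-side. The column names remember_hash and remember_expires, the cookie name remember, and the in-memory SQLite table are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Column names, the cookie name and
// the in-memory SQLite database are assumptions made for illustration.
const REMEMBER_TTL = 60 * 60 * 24 * 28; // 4 weeks, the lifetime chosen in the thread

function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    // Store only a hash, so a leaked users table does not yield usable cookies.
    $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), time() + REMEMBER_TTL, $userId]);
    return $token;
}

function sendRememberCookie(string $token): void
{
    setcookie('remember', $token, [
        'expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Returns the user id and a replacement token, or null if the cookie is unknown or expired.
function loginFromRememberToken(PDO $db, string $token): ?array
{
    $stmt = $db->prepare('SELECT id FROM users WHERE remember_hash = ? AND remember_expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    if ($id === false) {
        return null;
    }
    // Rotate on every use: the presented token stops working immediately.
    return ['id' => (int) $id, 'token' => issueRememberToken($db, (int) $id)];
}

// Demo with a constructed one-row users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, remember_hash TEXT, remember_expires INTEGER)');
$db->exec('INSERT INTO users (id) VALUES (1)');

$first  = issueRememberToken($db, 1);            // at login with the box checked
$return = loginFromRememberToken($db, $first);   // user comes back within 4 weeks
var_dump($return['id']);
var_dump(loginFromRememberToken($db, $first));             // replayed old cookie
var_dump(loginFromRememberToken($db, 'not-a-real-token')); // forged cookie
var_dump(loginFromRememberToken($db, $return['token']) !== null);
```

On a real request, pass the replacement token to sendRememberCookie() and call session_regenerate_id(true) before filling the session, and clear remember_hash on logout.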