"Remember me" checkbox creates cookie

wkilc

Hi all,

I'm most definately a newbie so please speak slowly. 🙂

Thanks to help from this forum, I've set up a member authentication sysetm using PHP sessions. Works like a charm. Would it be difficult to add a HTML "Remember Me" checkbox to the form that would (I think) set a cookie to allow folks to stay logged in semi-permanantly? (Kind of like phpbuilder does... I don't have to login at each visit... helpful for those that access my site from their home computer where there are no other users to worry about.) In other words, when the member page is callled for, aside from checking for valid session, the cookie is checked, and if it exists, the login page is bypassed. As of now, the session cookie is destroyed when the browser is closed or the logout button is clicked.

Here is my login script:

<?php
session_set_cookie_params (0, '/', '.domain.com');

session_start();

MySQL_connect("localhost", '*****', '*****'); MySQL_select_db("members");


$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {

$userId   = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id
        FROM members
        WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
    // the user id and password match,
    // set the session
    $_SESSION['logged_in'] = true;

    // after login we move to the main page
if ($_GET['redir']) {
header('Location: '.$_GET['redir']); 
}   else  {
        header('Location: welcome.php'); 
    exit;
    }
} else { 
    $errorMessage = 'Sorry, not a valid MENC number/first name combination - please see below'; 
} 
}
?>

Here is my login form:

<form method="post" name="frmLogin" id="frmLogin">
<TABLE class="Inner">   

<TR><TD ALIGN="Right"><b>MENC Number</b>:</TD><TD ALIGN="Left"><input name="txtUserId" type="text" id="txtUserId" size="20"></TD></TR>
<TR><TD ALIGN="Right"><b>First Name (no CAPS!)</b>:</TD><TD ALIGN="Left"><input name="txtPassword" type="password" id="txtPassword" size="20"><TD></TR>
<TR><TD>&nbsp;</TD></TR>
<TR><TD ALIGN="Right">&nbsp;</TD>
<TD ALIGN="Left"><input type="submit" name="btnLogin" value=".:: Login ::."></TD></TR>
</TABLE>
</form>

Thanks for reading,

~Wayne

LoganK

If remember me is checked, write a cookie to the users machine containing their information. That cookie will stay across sessions, depending on the expiration you set for it.

wkilc

Thank you!

I had a feeling that was the way to go... but the problem is that I don't know how to go about it. Any (specific) samples or tutorials someone could point me at?

I did find this tutorial...

...but I'm not sure how to apply it to what I have. Besides, I'm not sure if I want to actually store the username and password... just someone keep the "session" alive indefinately.

Perhaps this is too much for a newbie?

Thanks again.

~Wayne

Roger_Ramjet

Not possible to keep the 'session' alive. If there are settings or other session data that you want to preserve then you'll have to store them somewhere and reset the session vars once they return.

wkilc

Nope, there are no other session variables to keep alive.

Sorry... I knew when I typed it that I wasn't using the right termionology, hence the quotes:

keep the "session" alive indefinately

It would simply keep the user logged in past the end of the session, for the future visits to the site.

I'm going to give up on this for now... it seems I don't have the coding skills to "make it so".

Thanks anyway.

~Wayne

LoganK

Even if you were to keep the user logged in, it'd create a security risk. What you might want to do is if they check the "Remember Me" box, then write a cookie containing the user's name and some sort of unique value (like a randomly-generated key). Store a duplicate of that key in a DB. Then, when they come back, check the name and the key. If the key matches, set all your session variables to true (or logged in, or however you do it). However, I would reccomend that after X number of days/hours/minutes/etc., prompt them to re-type their password, to make sure that they are still there and it's not someone who started using their computer when they walked away.

wkilc

Hi again,

Stubborn guy that I am... I'm continuing...

I've added this to the login script.

   if(isset($_POST['remember'])){
      setcookie("remember", $_SESSION['logged_in'], time()+60*60*24*100, "/");
   }

And this to the login form:

<input type="checkbox" name="remember">
<font size="2">Keep me logged in</font>

... I know there's still stuff missing... but I have no idea where to go from here.

~Wayne

LoganK

A) What is the value of $_SESSION['logged_in']?

😎 Instead of checking whether the checkbox variable is set, check to see if it equals something. Like put a "value='yes'" in the checkbox, and check to see if it $_POST['remember'] == "yes". That's a bit more secure.

Other than that, that's the right start. Now, in your pages, check to see if the cookie exists, if so, log them in, if not, prompt for a user/pass.

wkilc

Thanks... but still not working. There is no cookie created when the box is checked, only the normal session cookie which expires when the browser is lcosed.

I've now got a login script:

<?php

session_set_cookie_params (0, '/', '.domain.com');

session_start();


MySQL_connect("localhost", '******', '*******'); MySQL_select_db("members");


$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {

$userId   = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id
        FROM members
        WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
    // the user id and password match,
    // set the session
    $_SESSION['logged_in'] = true;

    // after login we move to the main page
if ($_GET['redir']) {
header('Location: '.$_GET['redir']); 
}   else  {
        header('Location: welcome.php'); 
    exit;
    }
} else { 
    $errorMessage = 'Sorry, not a valid MENC number/first name combination - please see below'; 
}
   if($_POST['remember'] == "yes"){
      setcookie("cookname", $_SESSION['logged_in'], time()+60*60*24*100, "/");
   }

   /* Quick self-redirect to avoid resending data on refresh */
   echo "<meta http-equiv=\"Refresh\" content=\"0;url=$HTTP_SERVER_VARS[PHP_SELF]\">";
   return;
} 
?>

And a login form:

<form method="post" name="frmLogin" id="frmLogin">
<TABLE class="Inner">   

<TR><TD ALIGN="Right"><b>MENC Number</b>:</TD><TD ALIGN="Left"><input name="txtUserId" type="text" id="txtUserId" size="20"></TD></TR>
<TR><TD ALIGN="Right"><b>First Name (no CAPS!)</b>:</TD><TD ALIGN="Left"><input name="txtPassword" type="password" id="txtPassword" size="20">
<input type="checkbox" name="remember" value="yes">
<font size="2">Remember me next time</font><TD></TR>
<TR><TD>&nbsp;</TD></TR>
<TR><TD ALIGN="Right">&nbsp;</TD>
<TD ALIGN="Left"><input type="submit" name="btnLogin" value=".:: Login ::."></TD></TR>
</TABLE>
</form>

~Wayne

LoganK

Sorry if I seem a bit overjoyed at your newbie-ness, but I love it when programmers make this kind of mistake. And don't be ashamed - I did it too a few times! Your logic states that if the user's user/pass are correct, to redirect them to the main page with a header() command. However, your "set cookie" if remember function is written after the header command!!! You need to move it before you use header(), but after you validate the user and pass.

wkilc

Thank you LoganK! I'll have a go at fixing it. But something else just occured ot me.

Membership in my organization lasts for 12 months, renewal is then required. Most members always renew annualy... I update the login profiles the first of each month.

It someone were to expire, the cookie would alow them accesss to the memeber's stuff, even after the profile was removed. (I think.)

Aside from keeping a shorter cookie life, anyone see a decent work-around? If I were to store the username in the cookie and check that against the profiles in the DB, then I'd have to connect to the DB on each and every member page that checks for login status. Is that a good idea?

Then, of course, I'm not sure exactly to to modify the cookie accordingly.

Thanks.

~Wayne

LoganK

On whatever page you check for the cookie, you then use the cookies details to look up your member's data in the database. If it's not expired, let them in; if they are expired, then delete the cookie. Once the cookie is deleted, the other pages in turn will not look up the user info.

wkilc

Back to the first problem... moved "setcookie" up to before the header redirect... still no cookie is set, so I guess that's not my only issue.

<?php

session_set_cookie_params (0, '/', '.domain.com');

session_start();

MySQL_connect("localhost", '*****', '******'); MySQL_select_db("members");


$errorMessage = '';
if (isset($_POST['txtUserId']) && isset($_POST['txtPassword'])) {

$userId   = $_POST['txtUserId'];
$password = $_POST['txtPassword'];

// check if the user id and password combination exist in database
$sql = "SELECT user_id
        FROM members
        WHERE user_id = '$userId' AND user_password = PASSWORD('$password')";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());
}

   if($_POST['remember'] == "yes"){
      setcookie("cookname", $_SESSION['logged_in'], time()+60*60*24*100, "/");

if (mysql_num_rows($result) == 1) {
    // the user id and password match,
    // set the session
    $_SESSION['logged_in'] = true;

    // after login we move to the main page
if ($_GET['redir']) {
header('Location: '.$_GET['redir']); 
}   else  {
        header('Location: welcome.php'); 
    exit;
    }
} else { 
    $errorMessage = 'Sorry, not a valid combination - please see below'; 
} 
}
?>

Thanks.

~Wayne

LoganK

I don't know what session_set_cookie_params does, so I can't help you any further. Sorry.

wkilc

LoganK... thanks for being patient with me... I've cleaned up my stuff and now I am able to set a cookie with the user (username) stored. (I believe.)

<?php

   /* Username and password correct, register session variables */
   $_POST['user'] = stripslashes($_POST['txt_user']);
   $_SESSION['user'] = $_POST['txt_user'];

   if(isset($_POST['remember'])){
      setcookie("cookname", $_SESSION['user'], time()+60*60*24*100, "/"); 

?>

My PHP header for my previous protected pages, that checked for an active session, looked like this:

<?php
session_set_cookie_params (0, '/', '.domain.com');
session_start();

if($logged_in){
    }else{
    // not logged in, move to login page
    header('Location: login.php?redir='.$_SERVER['PHP_SELF']); 
    exit;
}
?>

I believe I want it to first check for the "cookname" cookie, if it's there, check the cookie's "user" against the users in the DB, and then let them in or send them back to the login page.

But I also need to keep the standard session working (those who have not opted to use the "Remember Me" cookie.)

Can someone possibly show me how to modify the PHP header that I have above to do this?

Thank you.

~Wayne

LoganK

Right after you check to see if the the user is logged in, check for the cookie, look at the value, see if it's in the DB, and if it is, good, if not, send them to the login.

wkilc

I'm still pluggin away... I'm very close after extensive trial and error... can someone tell me how to combine these two bits of header code? They both work independently but every attempt to combine them into one PHP header has failed me.

Checks for active session, let's 'em in or boots them back to login if there's no session:

<?php
session_set_cookie_params (0, '/', '.rimea.org');
session_start();

if($logged_in){
    }else{
    // not logged in, move to login page
    header('Location: login.php?redir='.$_SERVER['PHP_SELF']); 
    exit;
}
?>

For those that have selected "keep me logged in"... checks for cookie, verifies cookie against DB, destroys the cookie if the user is no longer in DB:

<?php
session_set_cookie_params (0, '/', '.rimea.org');
session_start();

MySQL_connect("localhost", '********', '*******'); MySQL_select_db("users");

$_SESSION['user'] = $_COOKIE['cookname'];

$sql = "SELECT user
        FROM users
        WHERE user = '$user'";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
    // the user id is verified,
    // set the session
    $_SESSION['logged_in'] = true;

   }else{

     /* Variables are incorrect, user not logged in */
     unset($_SESSION['user']);

}
?>

Thank you.

~Wayne

wkilc

I'm still plugging away at this over a week later... I am looking or help with my current code... I understand the logic of what I want to do just fine... but I'm piecing the code together from reading various sources:

The logic for what's below is thus: If a "keep me logged in" cookie has been set previously and the PHP header on this protected page is checking to see if the cookie exists... then verifies the user name against the DB, and either allows the user access to the page OR destroys the cookie and bumps them back to the login page:

<?php
session_set_cookie_params (0, '/', '.rimea.org');
session_start();

MySQL_connect("localhost", '******', '******'); MySQL_select_db("users");

if (isset($_COOKIE['cookname'])) {      

   $_SESSION['user'] = $_COOKIE['user'];
}

   $user   = $_SESSION['user'];

$sql = "SELECT user
        FROM users
        WHERE user = '$user'";

$result = mysql_query($sql) or die('Query failed. ' . mysql_error());

if (mysql_num_rows($result) == 1) {
    // the user id is verified,
    // set the session
    $_SESSION['logged_in'] = true;

   }else{

     /* Variables are incorrect, user not logged in */
    unset($_SESSION['user']);
	header('Location: login.php?redir='.$_SERVER['PHP_SELF']); 
	exit;
}
?>

What's actually happening (and I'm sure there's a good reason... but I am a Noo😎 is that I'm being kicked back to the login page, even when the cookie is present.

My orginal "check for session login" header worked just fine... but I'm trying to add the "keep me logged in" with cookie feature.

Orginal PHP "check for login session" header, which works fine for standard sessions:

<?php
session_set_cookie_params (0, '/', '.rimea.org');
session_start();

if($logged_in){
    }else{
    // not logged in, move to login page
    header('Location: login.php?redir='.$_SERVER['PHP_SELF']); 
    exit;
}
?>

Any help would be appreciated. Thank you.

~Wayne