[RESOLVED] "Remember Me(session)" several ways! Which one?

execute

Hey, i know maybe lots of people might have brought this up however i haven't found any good threads about it etc.

I use to use a login script which would do:

session_set_cookie_params($thirdyDays);
session_start();

I would do this when the login was successful and then, it would remember the session info for 30 days and all i had to do was session_start it.

However, it doesn't always work, almost never works in my localhost, it sometimes works in my web server, I tried commenting the session.life_time or whatever, but that didn't help. And you can't always expect the enviornment you're working in to have it commented etc.

I've looked into many membership system classes online such as PHPnuke and they use cookies... by doing something like:

setcookie($cookiename, $username, bla bla bla);
/*then they just check it with the DB: where SQL username would match the cookie Username */

But THis is very unsafe. If some customer did this in an internet cafe and logged in and forgot to logout but closed the window. That would mean the guy has his username for 30 days and can just duplicate a cookie to use ... and access stuff...

What i'm looking for is an intelligent way thats secure and uses mostly sessions... i'm not sure exactly how session_set_cookie_params works; we need a secure way to remember the session id... i'm not sure exactly how... whether its going to be setcookie($name, session_id(), bla bla); or if theres another way to save the information by the "remember me" or "save my username and password" way...

Any info would help. Is cookie the only way? Perhaps a cookie with an IP and then make the customer relogin if he has different IP?

execute

bump 😛 really cant figure this out 😮

gammaster

Maybee you should find some articles about, sessions, cookies and login scripts out there?
A secure and inteligent login script needs the basic about this, and is to complicated to be described in a short "help me" thread.

execute

no actually yes it is very simple to reply to a "help me" thread because it isn't complicated at all. Just need to know a certain way.. like to use $_COOKIE? or set_cookie_params ... if so just a tiny snippet describing how. And trust me i've been looking at login scripts all day... most of them use COOKIES and some are very insecure...

Maybe someone knows a way to get set_session_cookie_params properly... maybe some ini_set()s might help. OR a description on what way of doing this i should go. I just need a guide sort of, not a script really. Just a short snippet way to make it remember my sessionID or the user info without being insecure.

I will just use insecure cookies for now, maybe do some tricky encoding to it, until someone smart comes up with a neat clever little idea.

gammaster

This is a very simlified php/psaudo code for a login script.

You should just store a identifier in the cookie and use this to auth. the user and then get info. from the users last login from your database.

The cookie identifier should not be the username or some easy "crackable" value.

You can check this link for a better understanding.
Complete, Secure User Auth Library

// Start session at top of the page.
session_start();

// If user try to login
if(isset($_POST['username']) && isset($_POST['password'])) {
   /*
   - Check if the username and password has legal pattern.
   - Check if the user exists in the database.
   - Create a uniqe string for the "remember me" cookie.
   - Update the field remember_cookie in the db user table.
   */

   // Set the cookie that will expire after 30 days.
   setcookie('loginCookie', $uniqeValue, time()+60*60*24*30);

   // Set and use this for check in this session.
   $_SESSION['userLoggedIn'] = true;
   }
// If user isn`t logged in and the cookie exists.
else if((!isset($_SESSION['userLoggedIn']) || !$_SESSION['userLoggedIn']) && isset($_COOKIE['loginCookie'])) {
   /*
   - Check that the cookie has a valid pattern.
   - Find the user in db that match the cookie value
   */

   // Set and use this for check in this session.
   $_SESSION['userLoggedIn'] = true;
   }

// If unvalid user
if(!isset($_SESSION['userLoggedIn']) || !$_SESSION['userLoggedIn']) {
   echo 'You are not logged in';
   exit;
   }

execute

Thank you very much sir. I guess having a unique value, perhaps base64_encoded or something would be safe i suppose.