Login and remember access: best solution?

joane1

hi all
I have a restrected area with username and password.
If the user check Remember Me, a cookie will be sent in order to access next time.

Witch the best solution to store data in cookie: username and password (hash md5) or a random key (that also stored in field user table)?

laserlight

PHP offers session management, use that with session cookies.

joane1

laserlight wrote:
PHP offers session management, use that with session cookies.

yes, i already use this session (sessions+cookie).

My question is this: in order to allow automatic access to my users, it's better store in the cookie username and password or an key random (that will deleted from db table in case of Logout and will be insert in db table (and in the cookie) when the user is logged the first time in the restrected area?

laserlight

My question is this: in order to allow automatic access to my users, it's better store in the cookie username and password or an key random (that will deleted from db table in case of Logout and will be insert in db table (and in the cookie) when the user is logged the first time in the restrected area?

Store the (randomly generated by PHP) session id in the cookie. Do not store the username and password in the cookie. There should be no need to store the session id in the database as you should regenerate one if needed.

joane1

laserlight wrote:
Store the (randomly generated by PHP) session id in the cookie. Do not store the username and password in the cookie. There should be no need to store the session id in the database as you should regenerate one if needed.

ok, but if the user wants automatically to access next time, how can i recognize it? So, there is a need of a second cookie (not cookie session that expire when close the web browser), right?

laserlight

ok, but if the user wants automatically to access next time, how can i recognize it? So, there is a need of a second cookie (not cookie session that expire when close the web browser), right?

Instead of using cookies that persist until the end of the browser session, set the cookies to persist for some time frame.

joane1

laserlight wrote:
set the cookies to persist for some time frame.

ok. What i must store in this cookie in order to recognize the user next time? user, pass, random key, other, nothing....?

spiritssight

I would think that you would have a field in your table if you table was called user have a field in there that is called say remember

now on your sign in form you have your checkbox so when you hit submit it will then check if the user is valid if so then it adds a random code in to the field remember

on your pages that are for login user you would want to check first if a sesson isset if set then user is log in and if not then check if cookie (remember_yoursite) exist if exist then look in the database to see who that cookie belongs to and then it sets the user session, if there is no cookie then no user logged in

now this cookie should expire so now once it expire and the person logs in again it updates the fiield in the table user, if the person sign in and does not have the remember me box checked then it will delete the cookie

ADD:
Also if the person thats using your site uses the log out link then the cookie should be deleted and also in the field of the table should be emptyed

now I could not help with coding on this and if you success with this please post the code as I would love to make this happen on my site also.

Hope this helps you!

Sincerely,
Christopher

laserlight

What i must store in this cookie in order to recognize the user next time?

As mentioned, the session id, which is kind of like what happens when you let PHP do the session handling anyway. In this case it is a matter of setting the cookie to be persistent between browser sessions (i.e., to last after the user closes his/her browser window).

spiritssight is describing handling sessions yourself, which is probably unnecessary.

spiritssight

Ok, I was describing something :-) I am learning. Now I have a question for you laserlight

ok, so if the session id is used, how do you know who the user is, on my site, I have welcome guess if not signed in and if signed in then it says welcome and your first name, if I put a remember me checkbox next time the person comes to there computer and goes to mysite.com how does the website know who it is if you are not storing the username / password? right now if you sign in and then close your brower window / tab and then go back to it you are still logged in.
I right now have it where I set a session like $_SESSION['user_id'] etc etc

what should I do different then?

laserlight

so if the session id is used, how do you know who the user is

You would store the name of the user in the $_SESSION superglobal array, thus registering it with the session. Alternatively, you can register the user id with the session and then do a database lookup using this id.

if I put a remember me checkbox next time the person comes to there computer and goes to mysite.com how does the website know who it is if you are not storing the username / password?

The session id uniquely identifies the user. Since this is stored in the cookie, the user can be identified. You could say that the session id is like a temporary username/password combination.

bradgrafelman

Also note that there's no need to send another cookie. If they check the "Remember Me" box, just make the session cookie persist for a certain amount of time rather than until the end of the session. You can modify the cookie sent during session startup by using the function [man]session_set_cookie_params/man.