Denholm,
I'd be happy to help you out. I've added a quick example on how to do this below; let me know if you have any questions.
So the first thing you'll need to be concerned with is security. I assume your member login page already takes this into account. The next is all up to you on how secure/insecure you want your cookie to be and what type of information you want stored.
Depending on the site's requirements, you're probably using some sort of encryption function for your users' passwords such as md5 or sha; if not, I strongly recommend that you do so.
Ok, so here's the basics. You'll want to add some additional code to your login page and whatever page you use to validate the login credentials. Outside of that, I suggest using a separate page to validate the pages restricted to members and include that page at the top where applicable.
1) On the login page, you'll want to add something to the effect of:
Remember Me? <input type="checkbox" name="remember" id="remember" checked />
If you want to specify how long and what to remember (similar to how hotmail used to function) then you'll either want to use radio buttons or a drop down list.
Retain Login?
<br />
5 Days<input type="radio" name="remember" id="remember5" value="5" />
<br />
15 Days<input type="radio" name="remember" id="remember15" value="15" />
<br />
30 Days<input type="radio" name="remember" id="remember30" value="30" />
And so on, you get the idea.
That's the easy part. You'll just need to include something similar to that in your login form.
Now we need to deal with the validation code. So without going through all the various ways of validating a login, I'm just going to focus on setting the cookie. In this example, I'm just using the first html code. So the remember me is just a checkbox that tells the validation code that the user is wanting to retain their login.
However this part depends on how long you want the cookie to expire and it's all up to you. If you go with the second html example, you'll have to use some conditional logic to figure out how long of an expiration date to use. If you want to go with a forever approach, then I suggest that you set the cookie to expire several years into the future. Otherwise, a default of 30 days is sufficient.
2) Depending on if you're doing a Post or Get form submission (I hope it's Post) you'll need to assign a variable to the form on the login page. Keep in mind that this is all basic code so if you want to be more secure, you'll need to write it in a manner that fits your style.
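// An unchecked checkbox is not submitted at all, so test for it before reading it.
$retain_login = isset($_POST['remember']) ? $_POST['remember'] : '';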
Next you'll want to check to see if the user wants you to retain their login and if so, set a cookie. In this example I'm setting a cookie with the username and encrypted password, with an expiration date of 30 days from the exact date and time when the request came in. I'm assuming you already have variables named for the username and password, but as you see in this example, I'm only using the md5 encryption for the password. You can easily change it to whatever encryption method you choose.
if (!empty($retain_login)) {
    $cookie_vars = ''.$username.'[]'.md5($password).'';
    //Sets a username and password variable with a separator of []
    //The separator will be used later on when retrieving the username and password.
    //now lets set the cookie
    setcookie('my_cookie', $cookie_vars, time() + (30 * 24 * 60 * 60), '/', '.www.mysite.com');
}//end if
According to php.net here's the description of the setcookie function.
bool setcookie ( string $name [, string $value [, int $expire= 0 [, string $path [, string $domain [, bool $secure= false [, bool $httponly= false ]]]]]] )
There are several parameters you can use. In this example we don't use the secure and httponly parameters. For details on what each parameter does you'll want to read: PHP.NET: setcookie().
Also, if you want to verify how long the time variable is being set, just follow the example code below:
$time = time() + (30 * 24 * 60 * 60);
// 30 days; 24 hours; 60 mins; 60secs
echo $time; //Unix timestamp
echo '<br />';
echo date('Y-m-d H:i:s', $time); //Formatted Time being set Year-Month-Day Hours:Minutes:Seconds
3) Now that you have a cookie that's being set, you'll want to create the login check page that you'll include on each page that requires a login. You may already have something similar to this, but you'll want to also check for a cookie. I assume that you have some sort of session handling that currently checks if a user is logged in. If not, you'll probably want to look into that.
In this example, I'm just checking if a cookie is set, and if so grab the information. As stated above, this assumes some sort of session failure has occurred indicating that your page should now check the cookie and not session data.
/*
Session data failed to authenticate, check to see if a cookie is set.
*/
if (isset($_COOKIE['my_cookie'])) { //checks to see if a cookie is set
    // grabs the cookie data and assigns variables accordingly.
    // array_pad() keeps list() from failing when the separator is missing from the cookie.
    list($username, $password) = array_pad(explode('[]', $_COOKIE['my_cookie'], 2), 2, '');
    /*
    Code that validates the username and password, similar to your login page.
    */
} else {
    /*
    Redirect to login form, throw error message or do both.
    */
}
That's it. It's pretty simple once you get the hang of it. Of course there's a myriad of different applications you can use cookies for as well as different methodologies for setting cookies. Since sites can only set so many cookies, it's easier to throw user credentials into a single cookie instead of an array of cookies. Especially if the password is encrypted.
Now keep in mind that it's not always safe to store the password in a cookie, but if you decide to do so remember to encrypt it first.
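
Added example, not part of the original post: a remember-me cookie that carries a random single-use token instead of the username and md5 password hash, so a copied cookie exposes nothing reusable as a credential and stops working after one use. The function names and the in-memory `$store` array (standing in for a database table) are assumptions made for illustration.

```php
<?php
// $store is a constructed stand-in for a server-side table keyed by selector.

function issue_remember_token(array &$store, string $username, int $days = 30): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'username' => $username,
        'hash'     => hash('sha256', $validator),
        'expires'  => time() + $days * 24 * 60 * 60,
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

function check_remember_token(array &$store, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed value or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use: a new token is issued after success
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired, or validator does not match
    }
    return $row['username'];
}

// Constructed demo; runs on the command line without a web server.
$store  = [];
$cookie = issue_remember_token($store, 'alice');
var_dump(check_remember_token($store, $cookie) === 'alice');  // fresh token
var_dump(check_remember_token($store, $cookie) === null);     // same token replayed
$tampered = issue_remember_token($store, 'alice') . 'x';
var_dump(check_remember_token($store, $tampered) === null);   // altered validator

// In a login handler the value would be sent with the secure and httponly
// flags set (options array form, PHP 7.3+):
// setcookie('my_cookie', $cookie, ['expires' => time() + 30 * 24 * 60 * 60,
//     'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

After a successful check, the login-check page would start the session for the returned username and issue a fresh token with `issue_remember_token()`.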