I'm starting to work on a remember me function now for login, what would the best approach be? Cookie or DB storage?

    Cookie strikes me as having less overhead; you don't need to store that much for the functionality. DB storage also requires additional coding to get stuff out of the DB and back to the server, while a cookie is sent automatically with the request.

      hmm something like this?

      if (isset($_POST['rememberme'])) {
          $username = $_POST['username'];
          // bcrypt hash of the submitted password, which is then placed in a cookie
          $password = password_hash($_POST['password'], PASSWORD_BCRYPT, ['cost' => 12]);
          setcookie('username', $username, time() + 3600, '/');
          setcookie('password', $password, time() + 3600, '/');
      }

      function cookiePass() {
          // both cookies must be present (the original only called isset() on the username)
          if (isset($_COOKIE['username'], $_COOKIE['password'])) {
              $username = $_COOKIE['username']; // the original read $_SESSION here by mistake
              $password = $_COOKIE['password'];
              // pef() is the poster's own prepared-query helper (presumably a method, so this
              // function would need to live in that class); bind the username, not the hash
              $data = $this->pef("SELECT encodedpassword FROM users WHERE username = ?", $username);
              if ($data == false) {
                  return false;
              }
              // NOTE: $password holds a bcrypt hash, not the plaintext, so this check cannot succeed;
              // and whatever value does unlock the account is a long-lived credential sitting in a cookie
              return password_verify("$username-$password", $data['encodedpassword']);
          }
          return false;
      }
      	

      I think storing a username and password in a cookie sounds pretty insecure.

      I'm not sure what mechanism is used to remember users -- I usually see the 'remember me' checkbox when you log in. I imagine that the PHP server, seeing that checkbox checked, would take care to create some kind of login or session record on the server, probably in a database but perhaps in a file, which is specifically marked with a longer-than-usual expiration date. Most sites forget who you are after some period of time, requiring you to log in again.

        Yeah, no passwords in cookies, please.

        If the intent of "remember me" is to log them in, then probably the first solution would be to just extend the session cookie and session data expiration times, I think. Maybe you could store the fact that they want to be "remembered" in a cookie, and use its presence and truthiness to initialize the desired session parameters in your controller or common session code or whatever?

        Guess I just sort of repeated what sneakyimp said in maybe a slightly different way. 🙂

          cluelessPHP hmm something like this?

          No, like the others have stated. Don't store static (unchanging) user authentication values in cookies, since someone getting those static values can use them to impersonate a user, until those values are set to something else.

          Remember me functionality generates a unique random value, similar to what the session id is (you can in fact use PHP's session id generator), stores that in a cookie and stores it in a row in a database table that ties it to the actual user's id. If the cookie is set, you would query to get the actual user's id and any user permissions to use in the rest of the normal code on the page.
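          The token flow described in the reply above, written out as an added example (this is not code from the thread or from any poster). It assumes a PDO connection `$pdo`, a table `remember_tokens(selector, validator_hash, user_id, expires_at)` on MySQL (the `NOW()` call is MySQL syntax), an already started PHP session, and PHP 7.3 or later for the options-array form of `setcookie()`; the table, the constants and the function names are all assumptions. It uses `random_bytes()` rather than the session id generator the reply mentions, and stores only a hash of the secret half of the token so that a leaked table does not yield usable cookies.

```php
<?php
// Added example: persistent-login ("remember me") tokens kept in a DB row tied to the user id.
// Table and helper names are assumed, not taken from the thread.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days (assumed lifetime)

// Call after a successful password login when the checkbox was ticked.
function issue_remember_token(PDO $pdo, int $user_id): void {
    // selector: public lookup key; validator: secret that only the browser holds.
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;

    // Only a hash of the validator is stored, so a dumped table cannot be replayed as cookies.
    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $user_id, date('Y-m-d H:i:s', $expires)]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On a request with no logged-in session: resolve the cookie to a user id, or null.
function user_id_from_remember_cookie(PDO $pdo): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null; // malformed cookie: ignore it
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT user_id, validator_hash FROM remember_tokens
         WHERE selector = ? AND expires_at > NOW()'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown or expired selector
    }

    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: treat the token as compromised and revoke it.
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }

    // Valid: rotate the token so a copied cookie has a short useful life, then log the user in.
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issue_remember_token($pdo, (int) $row['user_id']);
    session_regenerate_id(true);
    return (int) $row['user_id'];
}

// Logout: drop the row and expire the cookie.
function revoke_remember_token(PDO $pdo): void {
    if (isset($_COOKIE[REMEMBER_COOKIE])) {
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    }
}
```

          The selector/validator split matters: the database lookup happens on the public selector, and the secret validator is only ever compared against a hash with `hash_equals()`, so neither a timing difference nor a copy of the table gives an attacker a working cookie. Rotating the token on every use also means a stolen cookie stops working as soon as the legitimate browser uses its own copy, which in turn shows up as the "right selector, wrong secret" branch and can be logged as a signal of theft.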

            I've gone with the option to extend sessions; the problem now is that bots on the site also have sessions. Hmm, some sort of test request on agent to stop that, I guess?

            cluelessPHP, I doubt the bots are clicking a checkbox that says 'remember me', so it sounds like your fundamental session handling code might need some work. You shouldn't be creating sessions for bots at all -- a bot can swarm your site with hundreds of thousands of requests in a very short period of time. Here is a sample function that can be used to detect bots which is fairly easy to understand. The source:

            /**
             * Check if the given user agent string is one of a crawler, spider, or bot.
             *
             * @param string $user_agent
             *   A user agent string (e.g. Googlebot/2.1 (+http://www.google.com/bot.html))
             *
             * @return bool
             *   TRUE if the user agent is a bot, FALSE if not.
             */
            function smart_ip_detect_crawler($user_agent) {
              // Use a lowercase string for comparison. (The posted version ignored the
              // parameter and read $_SERVER['HTTP_USER_AGENT'] directly.)
              $user_agent = strtolower($user_agent);

              // A list of some common words used only for bots and crawlers.
              $bot_identifiers = array(
                'bot',
                'slurp',
                'crawler',
                'spider',
                'curl',
                'facebook',
                'fetch',
              );

              // See if one of the identifiers is in the UA string.
              foreach ($bot_identifiers as $identifier) {
                if (strpos($user_agent, $identifier) !== FALSE) {
                  return TRUE;
                }
              }

              return FALSE;
            }

            Ideally your code would avoid creating a session for any bot.
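            One way to put that advice into practice, together with the earlier suggestion of simply extending the session cookie and session data lifetimes for users who asked to be remembered: start a session only when the request can actually need one, and never for a detected crawler. This is an added example, not code from the thread; it assumes the `smart_ip_detect_crawler()` function posted above is loaded, that login POSTs arrive at `/login` (an assumed path), a 14-day lifetime (assumed), and PHP 7.3 or later for the options-array form of `session_set_cookie_params()`. The decision is kept in a pure function so the policy can be tested without a web server.

```php
<?php
// Added example: lazy session start with a crawler guard and an extended lifetime
// for "remembered" users. Path, lifetime and function names are assumptions.

const SESSION_LIFETIME = 14 * 24 * 3600; // 14 days (assumed "remember me" lifetime)

// Pure decision: should this request get a session at all?
function should_start_session(array $server, array $cookies, string $session_name): bool {
    $ua = $server['HTTP_USER_AGENT'] ?? '';
    // Crawlers (and requests with no UA at all) never get a session, even with a cookie.
    if ($ua === '' || smart_ip_detect_crawler($ua)) {
        return false;
    }
    // An existing session cookie means a real visitor is mid-session: resume it.
    if (isset($cookies[$session_name])) {
        return true;
    }
    // Otherwise only create a brand-new session for requests that need state, e.g. login.
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    $path   = parse_url($server['REQUEST_URI'] ?? '/', PHP_URL_PATH);
    return $method === 'POST' && $path === '/login';
}

// Start the session if the policy allows it. $remember comes from the login form
// (or from a small marker cookie, as suggested earlier in the thread).
function start_session_if_needed(bool $remember = false): bool {
    if (!should_start_session($_SERVER, $_COOKIE, session_name())) {
        return false; // no session created, so bots cost nothing on the server
    }
    // HttpOnly and Secure limit cookie theft; a lifetime of 0 means the cookie
    // dies with the browser unless the user asked to be remembered.
    session_set_cookie_params([
        'lifetime' => $remember ? SESSION_LIFETIME : 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    if ($remember) {
        // Server-side data must outlive the cookie, or garbage collection will
        // delete the session while the browser still presents a valid cookie.
        ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    }
    session_start();
    return true;
}

// Typical use at the top of a page:
// start_session_if_needed(isset($_POST['rememberme']));
```

            Note that the cookie lifetime and `session.gc_maxlifetime` have to be extended together; raising only the cookie's expiry is the usual cause of "remember me" silently logging people out after the default server-side timeout.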
