26

I've got a PHP Registration/Login system using PHP Sessions which is working perfectly. I want the user to be able to tick "remember me" and then stay logged in forever, or at least a week or something.

I'm guessing I need to store a cookie and check it, but I was confused about what I actually need to store in the cookie. If I store the userid or username, then can't someone just use a fake cookie to look at another user's data?

Any advice is appreciated.

Rikesh
Exoon

3 Answers

30

All you need to do is extend the PHP session cookie. The following example extends the cookie by 30 days:

// Re-issue the existing session cookie with the same attributes but a later expiry
$params = session_get_cookie_params();
setcookie(
    session_name(),            // usually PHPSESSID
    $_COOKIE[session_name()],  // keep the same session id
    time() + 60*60*24*30,      // expire 30 days from now
    $params["path"],
    $params["domain"],
    $params["secure"],
    $params["httponly"]
);

I think by your security question you are just concerned about putting values in the cookie which can be easily hacked. PHP session cookies have a random value and store their contents on the file system, so you should be fine.

Luke
  • This did not work for me when testing with Chrome. Perhaps web browser cookie settings have changed since this post. – mnutsch Mar 08 '17 at 21:59
  • 3
    Chrome restricts HTTP cookies to only lasting a certain length of time regardless of the expiry date set. Firefox is now following Chrome's behaviour. HTTPS cookies are unaffected. – Chris Dennett Apr 17 '18 at 13:44
  • @ChrisDennett, where can we find more info on this? – musicin3d Jul 30 '19 at 22:46
  • This allows the session to remain open for 1 week. session_start([ 'cookie_lifetime' => 604800 ]); – Emrah Tuncel May 03 '21 at 09:14
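As an added example (not code from the answer above), here is the same idea of a long-lived PHP session done end to end, including the part the answer leaves out: the server-side session data is garbage-collected after session.gc_maxlifetime, so a 30-day cookie pointing at a session file that PHP deleted after 24 minutes still logs the user out. The function names and the 30-day constant are this example's own; it assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie) and an HTTPS site.

```php
<?php
// Added example: keep a PHP session alive for 30 days when "remember me" is ticked.
// Assumes PHP >= 7.3 and HTTPS (the cookie is marked Secure).

const REMEMBER_SECONDS = 60 * 60 * 24 * 30; // 30 days

function startLongLivedSession(bool $remember): void
{
    // The cookie expiry alone is not enough: PHP garbage-collects session data
    // after session.gc_maxlifetime (default 1440 s), so extend that as well.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);

    session_set_cookie_params([
        'lifetime' => $remember ? REMEMBER_SECONDS : 0, // 0 = until the browser closes
        'path'     => '/',
        'domain'   => '',      // current host only
        'secure'   => true,    // never send the session id over plain HTTP
        'httponly' => true,    // not readable from document.cookie
        'samesite' => 'Lax',   // not sent on cross-site POSTs (CSRF)
    ]);
    session_start();
}

function loginUser(int $userId, bool $remember): void
{
    startLongLivedSession($remember);
    // Issue a fresh id on login so an id planted before login cannot be reused
    // (session fixation); true discards the old session data.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function refreshSessionCookie(): void
{
    // Sliding expiry: re-send the same id with a new 30-day expiry on each request,
    // so an active user is never logged out mid-use.
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => time() + REMEMBER_SECONDS,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}

// Usage: after the password check succeeds
//   loginUser($row['id'], isset($_POST['remember']));
// and on every later request, after startLongLivedSession(true),
//   if (!empty($_SESSION['user_id'])) { refreshSessionCookie(); }
```

Two operational caveats: if the host's default session.save_path is shared with other sites, the shortest gc_maxlifetime configured on that path wins, so give the application its own session.save_path directory; and because a long-lived session id is a 30-day bearer credential, call session_regenerate_id(true) again on password change and destroy the session on logout.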
18

After successful login do:

$_SESSION['user_is_loggedin'] = 1;

// $username is the logged-in user's name; the client IP comes from the request
$cookiehash = md5(sha1($username . $_SERVER['REMOTE_ADDR']));
setcookie("uname", $cookiehash, time()+3600*24*365, '/', '.yoursite.com');

store in sql:

// $pdo is an existing PDO connection; a prepared statement keeps $cookiehash
// and $uid out of the SQL string
$stmt = $pdo->prepare("UPDATE `users` SET `login_session`=? WHERE `user_id`=?");
$stmt->execute([$cookiehash, $uid]);

to check if user logged in:

function CheckCookieLogin(PDO $pdo) {
    $uname = $_COOKIE['uname'] ?? '';
    if (!empty($uname)) {
        // look the cookie value up; only a matching row proves the user
        $stmt = $pdo->prepare("SELECT `user_id` FROM `users` WHERE `login_session`=?");
        $stmt->execute([$uname]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row) {
            $_SESSION['user_is_loggedin'] = 1;
            $_SESSION['cookie'] = $uname;
            // reset expiry date
            setcookie("uname", $uname, time()+3600*24*365, '/', '.yoursite.com');
        }
    }
}

if(!isset($_SESSION['cookie']) && empty($_SESSION['user_is_loggedin'])) {
    CheckCookieLogin($pdo);
}
Ghassan Elias
-6

Small example that I often use

// Assumed to be a method of a login class: $this->obscure() is that class's own
// password-obscuring method and $row the result of its user query.
function setSession($username,$password,$cookie=null){
    // Other code for login ($_POST[]....)
    // $row is result of your sql query
    $values = array($username,$this->obscure($password),$row['id']);
    $session = implode(",",$values);

    // check if the "remember me" checkbox was ticked for this login
    if($cookie=='on'){
        setcookie("your_cookie_name", $session, time()+60*60*24*100,'/');
    } else {
        $_SESSION["your_session_name"] = $session;
    }
}
Julien
  • 7
    this answer is totally incomplete. What is the value of $session variable??? – KnF May 30 '14 at 00:46
  • @KnF post edited with value of `$session` – Julien Aug 09 '14 at 11:40
  • 9
    The `your_cookie_name` will have the obscured password stored... I guess that if someone steals the cookie will steal this "hash"... suppose you use mcrypt for password hashing.. it will contain the salt as well... so, now you have given the hash and the salt to the attacker and with it a dictionary attack is now possible... I think you should never store a user's password in a cookie... **NEVER** – KnF Aug 13 '14 at 21:56
  • 3
    This answer is a very bad attempt. The "remember me" function should definitely not be implemented by storing the user password. (Not even as a hash) Additionally the functionality breaks if the users changes his password. Enlarging the session cookies lifetime is a much better and secure way to achieve this. – idmean Oct 21 '14 at 17:55
  • 2
    The accepted answer here is terrible. Would anyone like a rewrite in case a Googler finds this and implements it? – Scott Arciszewski May 08 '15 at 17:56
  • 1
    I just googled this up and found this :D Luckily it is already downvoted enough to know it's not a good answer ;) – Kalko Aug 12 '18 at 10:26