
I am trying to implement a PHP persistent login on a website.

I am following this PHP login system: Remember Me (persistent cookie)

I got stuck in the part where he mentioned "Then regenerate login token as above".

Can someone explain what it means and how to implement it with some code?

Re-Authenticating On Page Load

if (empty($_SESSION['userid']) && !empty($_COOKIE['remember'])) {
    list($selector, $authenticator) = explode(':', $_COOKIE['remember']);

    $row = $database->selectRow(
        "SELECT * FROM auth_tokens WHERE selector = ?",
        [
            $selector
        ]
    );

    // $row is empty when the selector is unknown; only compare when a row was found
    if (!empty($row) && hash_equals($row['token'], hash('sha256', base64_decode($authenticator)))) {
        $_SESSION['userid'] = $row['userid'];
        // Then regenerate login token as above
    }
}

Ibrahim

2 Answers

Regenerate tokens means: create new ones.

<?php
if (empty($_SESSION['userid']) && !empty($_COOKIE['remember'])) {
    // Cookie format is selector:authenticator; bail out if it is malformed
    $parts = explode(':', $_COOKIE['remember'], 2);
    if (count($parts) !== 2) {
        return;
    }
    list($selector, $authenticator) = $parts;

    $row = $database->selectRow(
        "SELECT * FROM auth_tokens WHERE selector = ?",
        [
            $selector
        ]
    );

    // Check that a row exists before hash_equals(), otherwise a NULL known_string warning is raised
    if (!empty($row) && hash_equals($row['token'], hash('sha256', base64_decode($authenticator, true)))) {
        $_SESSION['userid'] = $row['userid'];
        // Then regenerate login token as above
        $new_selector = base64_encode(random_bytes(9));
        $new_authenticator = random_bytes(33);

        setcookie(
            'remember',
            $new_selector.':'.base64_encode($new_authenticator),
            time() + 864000,
            '/',
            'yourdomain.com',
            true, // TLS-only
            true  // http-only
        );

        // Replace the used selector/token pair with the new one in the same row
        $database->exec(
            "UPDATE auth_tokens SET selector=?, token=?, expires=? WHERE selector=?",
            [
                $new_selector,
                hash('sha256', $new_authenticator),
                date('Y-m-d\TH:i:s', time() + 864000),
                $selector
            ]
        );
    }
}
Kerkouch
  • I got this warning: **"hash_equals() Expected known_string to be a string, NULL given"**. I think when a user closes the browser, the session userid is destroyed, so when we check **"$_SESSION['userid'] = $row['userid'];"** it probably returned null for the $_SESSION['userid']. – Ibrahim Jul 15 '18 at 08:50
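To show the whole issue / verify / regenerate cycle the answer describes in one runnable piece, here is an added example (my code, not the answer's or the Paragon article's). It assumes the auth_tokens(selector, token, userid, expires) layout from the question, uses an in-memory SQLite database through PDO so it runs offline, and retires the old row instead of updating it in place; the hypothetical helpers issueToken, lookupToken and rotateToken are mine.

```php
<?php
// Added example: selector:authenticator remember-me tokens with rotation on use.
const TOKEN_TTL = 864000; // 10 days, the lifetime used in the answer above

$db = new PDO('sqlite::memory:'); // stand-in for the real database connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, token TEXT, userid INTEGER, expires TEXT)');

// Issue a new selector:authenticator pair. Only sha256(authenticator) is stored,
// so a leaked table cannot be turned back into a valid cookie.
function issueToken(PDO $db, int $userid): string {
    $selector = base64_encode(random_bytes(9));
    $authenticator = random_bytes(33);
    $db->prepare('INSERT INTO auth_tokens (selector, token, userid, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $authenticator), $userid,
                  date('Y-m-d\TH:i:s', time() + TOKEN_TTL)]);
    return $selector . ':' . base64_encode($authenticator);
}

// Validate a cookie value; returns the row or null. Testing for a missing row before
// hash_equals() avoids the "known_string ... NULL given" warning from the comment.
function lookupToken(PDO $db, string $cookie): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) return null;
    [$selector, $authenticator] = $parts;
    $st = $db->prepare('SELECT * FROM auth_tokens WHERE selector = ? AND expires > ?');
    $st->execute([$selector, date('Y-m-d\TH:i:s')]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    $decoded = base64_decode($authenticator, true);
    if ($row === false || $decoded === false) return null;
    return hash_equals($row['token'], hash('sha256', $decoded)) ? $row : null;
}

// "Regenerate login token": retire the used selector and hand out a fresh pair,
// so each cookie value is accepted exactly once.
function rotateToken(PDO $db, string $oldSelector, int $userid): string {
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$oldSelector]);
    return issueToken($db, $userid);
}

// Walk through one page-load cycle: cookie set at login, checked on a later visit, then rotated.
$cookie = issueToken($db, 42);
$row = lookupToken($db, $cookie);
if ($row === null) { exit("token rejected\n"); }
$userid = (int) $row['userid'];          // this is what would go into $_SESSION['userid']
$newCookie = rotateToken($db, $row['selector'], $userid);
echo lookupToken($db, $cookie) === null ? "old cookie rejected\n" : "old cookie still valid\n";
echo lookupToken($db, $newCookie) !== null ? "new cookie accepted\n" : "new cookie rejected\n";
```

In a real handler the new value goes out with setcookie() using the Secure and HttpOnly flags exactly as in the answer above.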

Without seeing the code used to generate the token and set the cookie, I won't be able to give you specific code to use, but basically, you want to reset the cookie timer and/or create a new token.

As for the cookie, you are simply resetting its timer on every page load, standard. In PHP use setcookie() to refresh it.

setcookie("TestCookie", $value, time()+3600);  /* expire in 1 hour */

If you need to actually regenerate the token so you are not using the same one, try to find the function that hashes the token. Looks like the token is a string that then gets base64 encoded as an authenticator (seems like not very good security)?

Anyway, once you figure out how to hash a new token, then store that token in your auth table in your database so it will work.

$database->exec("INSERT INTO auth_tokens (selector) VALUES (?)", [$myNewToken]);

and probably delete the old token

$database->exec("DELETE FROM auth_tokens WHERE selector = ?", [$myOldTokenSelectorThing]);
Brian Patterson