I'm new to cookies and (PHP in general actually) and I want to implement a "remember me" system for the website I'm working on. After reading a lot of posts here and also on other website, I understand that I shouldn't put password or any other input from the user in the cookie. One solution was to user a remember_key in the database table, which gets regenerated each time a user signs in with "remember me" checkbox checked. And when the user visits the page again, the code should select remember_key from the db and check if $_COOKIE['remember'] is the same as remember_key, if it is then the user is logged in. But I'm not sure how to implement this. I have written some code in the way I thought I should, but I could use some help to see if what I already have is right and how to proceed. This is what I have now:
function rememberUser($id) {
$remember = md5(uniqid(mt_rand(),true));
$stmt = $mysqli->prepare("UPDATE USERS SET USER_REMEMBER_KEY = ? WHERE USER_ID = ?");
$stmt->bind_param('si', $remember, $id);
$stmt->execute();
setcookie("remember", $remember, time()+60*60*24*30, "/", "www.someName.com", false, true);
}
function isValidUser($id) {
$stmt = $mysqli->prepare("SELECT * FROM USERS WHERE USER_REMEMBER_KEY = ? AND USER_ID = ?");
$stmt->bind_param('si', $_COOKIE['remember'], $id);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if($count == 1) {
return true;
}
else {
return false;
}
}
function forgetUser($id) { // not sure about this method at all!
setcookie("remember", '', time()-3600, "/", "www.someName.com", false, true);
}
forgetUser() will delete $_COOKIE['remember'] (or the value of it?), but how does it know that it is the cookie for that particular person? I would like any comment/suggestion/tip/hint or anything else on the code I have now and how I can improve it.
For your information I already know about sessions, they're easy to use and more secure (I guess), but I need to keep users logged in for a longer time (like FB) and sessions are not good enough for that. I also heard that giving sessions a long lifetime won't guarantee their deletion.
About security: my website doesn't need to be super super secure, I think just this token will be enough?
-
That looks pretty well thought out. Remember you can also use PHP sessions PHP, it also stores a hash unique to the session.Bradmage– Bradmage2012年03月11日 15:54:49 +00:00Commented Mar 11, 2012 at 15:54
-
But I already explained sessions don't stay undeleted long enough for me :)Loolooii– Loolooii2012年03月11日 16:01:19 +00:00Commented Mar 11, 2012 at 16:01
-
I was just looking at the text at the bottom, and wasn't sure if you just added it, or I've it's cause I'm struggling to keep my eyes open :) sorry.Bradmage– Bradmage2012年03月11日 16:02:30 +00:00Commented Mar 11, 2012 at 16:02
-
1stackoverflow.com/search?q=%5Bphp%5D+persistent+login+cookie - also please see the Related column on the right -->hakre– hakre2012年03月11日 16:03:59 +00:00Commented Mar 11, 2012 at 16:03
-
1As well as What is the best way to implement "remember me" for a website?lll– lll2012年03月11日 16:26:37 +00:00Commented Mar 11, 2012 at 16:26
1 Answer 1
I use the session for the secure part, and use either a hash or a user_id in the cookie. The cookie can only be accessed by your site. So unless someone else logs in on the same computer, if you have a long enough expiry, the cookie will just sit there. So the next week when they go back to your site, and it reads the cookie, you just start (What ever your version of a session is) with the user_id or hash that's stored in your database. If the hash doesn't match, the user has to login again.
I hope that's what you were after.
Edit:
// I can't remember why right now, But I found to delete the cookie properly,
// after setcookie, I had to unset the $_COOKIE also.
setcookie("userid", "", time() - 3600);
unset($_COOKIE['userid']);