Reputation: 2469
I have been reading about logging in, and storing passwords and usernames.
Storing the password in a cookie is a BIG NO.
So I chose to store only the username in the cookie; that is fine, I guess. I stored it in a cookie so I can access it easily and handle the "Remember Me" option.
But what about the password, if I want to identify the user by SELECT * FROM database WHERE username='$_COOKIE[]' AND password=''?
I was thinking about SESSION. I can store the password in the session, not safe but fine. But the problem is what happens when the user closes the browser and reopens it: they will stay logged in but the session will be gone, so every time I have to check if SESSION[pass] is set and, if not, select it from the database and set it.
That is my solution; can anyone suggest a more adequate solution?
Fact is, there is no super-secure system, and if someone really wants to break in, they will succeed.
Upvotes: 0
Views: 174
Reputation: 300835
Here are some more detailed answers for you to follow:
There are also some great resources collected together in the answer to this question: The Definitive Guide To Website Authentication
Upvotes: 1
Reputation: 4458
You can have a table called remember_tokens that is structured like this:

id       | user_id | created
---------|---------|------------------
f129ea9c | 1       | 2-3-2013 12:31:51
e9ac8aa0 | 2       | 2-4-2013 08:21:13

id has some unique id, like a UUID or a randomly generated string. user_id is the id of the user to be remembered. created is when the record was created (so you can log out the user after X time).

Now, if the user successfully logs in and wants to be remembered, you add a new record with a unique id and his user_id to remember_tokens. You also create a new cookie using setcookie() that will contain the randomly generated id you just inserted.
Now, when the user requests the site next time, you see he has the remember cookie stored. You fetch that record, check if it's not yet expired, and use the user_id column to log in the appropriate user. This way, you're not storing sensitive information in the cookie.
Hope this helps
Upvotes: 3
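The remember_tokens scheme from the answer above, written out as an added PHP example (not code from the answer or from any project). It assumes PDO with the SQLite driver and PHP 7.3+ for the array form of setcookie(); it goes one step beyond the answer by storing only the SHA-256 hash of the token in the table, so a copy of the table cannot be replayed as cookies, and it uses a Unix timestamp for the created column.

```php
<?php
// Added example: remember-me tokens backed by a remember_tokens table.
// Uses an in-memory SQLite database so it runs stand-alone; a real site
// would point the DSN at its own database.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days: the "X time" from the answer

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    id TEXT PRIMARY KEY, user_id INTEGER NOT NULL, created INTEGER NOT NULL)');

// Called after a successful password login when "Remember Me" is ticked.
// The cookie gets the raw random token; the table gets only its hash.
function issueRememberToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (id, user_id, created) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time()]);
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $token;
}

// Called on a request with no live session. Returns the user_id to log in,
// or null when the token is unknown or older than REMEMBER_TTL.
function userFromRememberToken(PDO $db, string $token): ?int {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, created FROM remember_tokens WHERE id = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                    // no such token
    }
    if (time() - (int)$row['created'] > REMEMBER_TTL) {
        // Expired: delete the record so the cookie can never be revived.
        $db->prepare('DELETE FROM remember_tokens WHERE id = ?')->execute([$hash]);
        return null;
    }
    return (int)$row['user_id'];
}

// Demonstration with a constructed user id 1; in a real request the token
// would come from $_COOKIE[REMEMBER_COOKIE] instead of the return value.
$token = issueRememberToken($db, 1);
var_dump(userFromRememberToken($db, $token));           // the remembered user
var_dump(userFromRememberToken($db, 'not-a-token'));    // rejected
```

On logout, delete the row for the presented token (and on password change, all rows for that user_id) so stale cookies stop working immediately.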