Jason

Reputation: 109

Remember Me JavaScript?

How would I properly write a script to set cookies to remember a user's username and password upon checking a checkbox on the login form?

Also, if this could be done in PHP please let me know.

Upvotes: 0

Views: 2267

Answers (4)

asd

Reputation: 1

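// Split the cookie value into the username and the hashed part
$somearray = explode('-', $string);
$username = $somearray[0];
// Strip the two user-agent hashes from the hashed part, leaving md5($password)
$passwordmd5 = str_replace(md5(substr($http_user_agent, 0, 10)),'',str_replace(md5(substr($http_user_agent, 5, 10)),'', $somearray[1]));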

Upvotes: 0

Cagatay Gurturk

Reputation: 7246

The best approach to store password remembering stuff is storing it as md5 hashes along with some browser-specific data. For example, you store a string such as:

username-4155b1b6e53ad73e06c4c58e709cdeea19915ea84de517500d9ba3280e27cf59

For example, you could generate this string in PHP like this:

// $http_user_agent is assumed to hold $_SERVER['HTTP_USER_AGENT']
$string=$username.'-'.md5(substr($http_user_agent, 5, 10)).md5($password).md5(substr($http_user_agent, 0, 10));

Our objective is making our string sufficiently complex. In the login stage, we extract the password md5 with the method that only we know.

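// Split the cookie value into the username and the hashed part
$somearray=explode('-', $string);
$username=$somearray[0];
// Strip the two user-agent hashes from the hashed part, leaving md5($password)
$passwordmd5=str_replace(md5(substr($http_user_agent, 0, 10)),'',str_replace(md5(substr($http_user_agent, 5, 10)),'', $somearray[1]));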

And now, we can do the comparison in our database like this:

-- bind $username and $passwordmd5 as parameters of a prepared statement
select * from users where username = ? and md5(password) = ?;

The HTTP USER AGENT stuff eliminates a bit of the risk of unauthorized usage of the cookie string. Even if an unauthorized person steals the cookie, (s)he cannot use it with another browser. If we had not done so, someone who has the same string could behave as if he has the password and could log in as our real user.

Upvotes: 2

datasage

Reputation: 19563

You could do as suggested by @minitech above. However, storing password information in a cookie is not a good idea. It can easily be extracted from the computer.

You are better off generating a one-time hash that can be used to log in once and storing that in a cookie. Once it's used, it's invalidated. While it's not perfectly secure (about as secure as a session anyway; force https if you want it to be more secure), it does not compromise the user's password.

Users often use the same password on multiple sites. If it's compromised on one site, it's easier to get into that user's accounts on other sites.

Upvotes: 0

Ry-

Reputation: 224906

In PHP, set a cookie with the session information (username, password) by copying the appropriate values from $_SESSION into $_COOKIE using set_cookie. When the user visits a page, check first for the existence of $_SESSION variables, then for $_COOKIE variables. If the $_COOKIE variables exist but the $_SESSION ones don't, copy from $_COOKIE into $_SESSION. (That is, if the user checks the box.)

Upvotes: 0
