Reputation: 9162
Remembering and validating user using cookies
I'm new to cookies and (PHP in general actually) and I want to implement a "remember me" system for the website I'm working on. After reading a lot of posts here and also on other website, I understand that I shouldn't put password or any other input from the user in the cookie. One solution was to user a remember_key in the database table, which gets regenerated each time a user signs in with "remember me" checkbox checked. And when the user visits the page again, the code should select remember_key from the db and check if $_COOKIE['remember'] is the same as remember_key, if it is then the user is logged in. But I'm not sure how to implement this. I have written some code in the way I thought I should, but I could use some help to see if what I already have is right and how to proceed. This is what I have now:
function rememberUser($id) {
$remember = md5(uniqid(mt_rand(),true));
$stmt = $mysqli->prepare("UPDATE USERS SET USER_REMEMBER_KEY = ? WHERE USER_ID = ?");
$stmt->bind_param('si', $remember, $id);
$stmt->execute();
setcookie("remember", $remember, time()+60*60*24*30, "/", "www.someName.com", false, true);
}
function isValidUser($id) {
$stmt = $mysqli->prepare("SELECT * FROM USERS WHERE USER_REMEMBER_KEY = ? AND USER_ID = ?");
$stmt->bind_param('si', $_COOKIE['remember'], $id);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if($count == 1) {
return true;
}
else {
return false;
}
}
function forgetUser($id) { // not sure about this method at all!
setcookie("remember", '', time()-3600, "/", "www.someName.com", false, true);
}
forgetUser() will delete $_COOKIE['remember'] (or the value of it?), but how does it know that it is the cookie for that particular person? I would like any comment/suggestion/tip/hint or anything else on the code I have now and how I can improve it.
For your information I already know about sessions, they're easy to use and more secure (I guess), but I need to keep users logged in for a longer time (like FB) and sessions are not good enough for that. I also heard that giving sessions a long lifetime won't guarantee their deletion.
About security: my website doesn't need to be super super secure, I think just this token will be enough?
Upvotes: 1
Views: 2314
Answers (1)
Reputation: 1231
I use the session for the secure part, and use either a hash or a user_id in the cookie. The cookie can only be accessed by your site. So unless someone else logs in on the same computer, if you have a long enough expiry, the cookie will just sit there. So the next week when they go back to your site, and it reads the cookie, you just start (What ever your version of a session is) with the user_id or hash that's stored in your database. If the hash doesn't match, the user has to login again.
I hope that's what you were after.
Edit:
// I can't remember why right now, But I found to delete the cookie properly,
// after setcookie, I had to unset the $_COOKIE also.
setcookie("userid", "", time() - 3600);
unset($_COOKIE['userid']);
Upvotes: 1
Related Questions
- How to put remember me (cookie) in PHP
- Proper way to use "Remember me" functionality in PHP
- PHP remember me cookies
- How to add "Remember me" feature in login form using php
- How to securely implement the "Remember me" button in PHP (persistent login)
- login system with Remember, how do?
- Remember me function using database to store details
- PHP: Remember Me and security?
- Cookie and session in "remember me" feature
- What should I store in cookies to implement "Remember me" during user login