How can I create a secure "remember me" system using PHP?
I have a login system. How can I implement a secure "remember me" system using cookies?

What value should I store in the cookie? Username and password, but how can I secure it?

Palm answered 5/9, 2010 at 7:29 Comment(5)
I have tried storing username and password in the cookie. – Palm
OK. That's a start. But if I intercept that cookie, then you're left exposed. Look at the following: stackoverflow.com/search?q=php+session+hijacking – Reimburse
Bad idea. Not only can anyone on that machine read the user+pass combo, but any XSS that sends document.cookie will be able to view your username/pass verbatim. – Hypsometer
I.e. you want to at least make it unattractive to target your auto-login system by reducing the possible damage. In my opinion a viable solution a) must include a temp. key that is used instead of the actual user/password b) should mention the http_only attribute for cookies and maybe the domain/path attributes. c) should mention not to trust this type of "login" and when and where it should be required to enter the password. – Lambency
You should re-use an existing authentication framework whenever possible, because, really, it's complex. For example, take a look at github.com/delight-im/PHP-Auth – Wraparound
Score: 1

Define a salt for each user in the DB, then:

On setting:

$expire_time = time() + 2 * 7 * 24 * 3600; // 2 weeks exp time

// $salt is the per-user salt loaded from the DB. It must be a complete crypt()
// salt string (for example a bcrypt "$2y$10$..." prefix); since PHP 8 the salt
// argument is required, not optional.
setcookie(
    "rememberMe",
    crypt($username, $salt),
    $expire_time,
    '/'
);

On validating:

// Constant-time comparison of the cookie against the recomputed value;
// the cookie may be absent, so default it to an empty string.
hash_equals(crypt($username, $salt), $_COOKIE['rememberMe'] ?? '')
Anniceannie answered 15/8, 2015 at 18:9 Comment(0)
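The answer above derives the cookie from the username, so the same value is issued every time and nothing can be revoked short of changing the user's salt. The design sketched in the comments on the question (a temporary key instead of user/password, HttpOnly plus path attributes, and not trusting the cookie for sensitive actions) looks like the following. This is an added example written for this page, not code from the thread or from any library it mentions; the `remember_tokens` table, the `user_id` column and the `rememberMe` cookie name are assumptions of the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread: a split-token "remember me" cookie.
// Cookie value is "<selector>:<validator>". The DB stores only sha256(validator),
// so a dumped table cannot be replayed; the selector is the lookup key so the
// secret is never used in a WHERE clause. Table `remember_tokens` and column
// `user_id` are this example's assumptions.

const REMEMBER_COOKIE = 'rememberMe';
const REMEMBER_TTL    = 14 * 24 * 3600; // two weeks, as in the crypt() answer

function rememberMeSchema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires        INTEGER NOT NULL
    )');
}

// Mint a token for $userId; returns the cookie value, stores only the hash.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));  // public lookup key
    $validator = bin2hex(random_bytes(32)); // the secret, 256 bits
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

function revokeRememberToken(PDO $db, string $selector): void
{
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

// Consume the cookie. Returns the user id once per token, null otherwise.
// A known selector with a wrong validator means someone is guessing or holds a
// stale copy, so the row is destroyed rather than left for further attempts.
function validateRememberToken(PDO $db, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $ok = (int) $row['expires'] >= $now
        && hash_equals($row['validator_hash'], hash('sha256', $validator));
    revokeRememberToken($db, $selector); // single use: good or bad, this token is finished
    return $ok ? (int) $row['user_id'] : null;
}

// Cookie attributes the comments ask for: HttpOnly keeps it out of document.cookie,
// Secure keeps it off plaintext HTTP, SameSite=Lax blocks most cross-site sends.
function setRememberCookie(string $token, int $now): bool
{
    return setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Per-request flow when no session exists: try the cookie; on success rotate it
// so a copied cookie stops working as soon as the legitimate browser comes back.
function resumeFromRememberCookie(PDO $db, int $now): ?int
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? null;
    if (!is_string($cookie)) {
        return null;
    }
    $userId = validateRememberToken($db, $cookie, $now);
    if ($userId === null) {
        return null;
    }
    setRememberCookie(issueRememberToken($db, $userId, $now), $now);
    return $userId; // caller records that this session is cookie-derived, not password-verified
}

// Offline self-check against an in-memory SQLite database (constructed data).
if (PHP_SAPI === 'cli') {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    rememberMeSchema($db);
    $now    = time();
    $cookie = issueRememberToken($db, 42, $now);
    var_dump(validateRememberToken($db, $cookie, $now));   // first presentation
    var_dump(validateRememberToken($db, $cookie, $now));   // replay of a consumed token
    $cookie   = issueRememberToken($db, 42, $now);
    $tampered = substr($cookie, 0, -1) . (substr($cookie, -1) === '0' ? '1' : '0');
    var_dump(validateRememberToken($db, $tampered, $now)); // right selector, wrong secret
    $cookie = issueRememberToken($db, 42, $now);
    var_dump(validateRememberToken($db, $cookie, $now + REMEMBER_TTL + 1)); // past expiry
}
```

Run it with `php remember.php` (needs the pdo_sqlite extension). When `resumeFromRememberCookie()` succeeds, record in the session that the user arrived via the cookie and require the real password again before password changes, e-mail changes or payments, which is point (c) in Lambency's comment. Logging out should call `revokeRememberToken()` for the presented selector, and a password change should delete every row for that `user_id`.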
Score: 0

Maybe you could create a 16 char letter/number string that is associated in a database with that user and the MAC address so that (as long as people aren't trying too hard and spoofing MACs) only that machine can log on.

Rajab answered 5/9, 2010 at 7:51 Comment(0)
Score: 0

Maybe you should store (in your DB) visitor IP, User Agent, time zone or installed plugins. Something that might be easy to get using JavaScript, since getting the MAC address might be a problem.

Then you can easily check if user has same IP, UA, time zone or plugins as last time :) Or you might use MaxMind to check his location and confirm if he is using correct time zone. If there's anything suspicious you should discard cookie credentials.

Borzoi answered 12/8, 2015 at 12:27 Comment(0)
Score: -1

There's not much to it... don't let your session files get cleaned up (ini setting session.gc_probability = 0), and change the session cookie from temporary to permanent (ini setting session.cookie_lifetime = however_long_you_want_the_user_to_be_remembered).

Of course, you'd probably want to eventually clean up stale session files, so you could experiment with a very low probability of the cleanup occurring, or do some external cleanup. Either way, as long as the user keeps the session cookie around and you keep the session file around, they'll be "remembered".

Bondswoman answered 5/9, 2010 at 7:38 Comment(2)
I think a cookie set with setcookie() would be a better idea rather than let sessions never expire. – Hypsometer
Well, either way, if the user's remembered, the session will be recreated, so might as well keep it around. You can always strip out critical data if there's a large time lapse between visits when the next visit does come in. – Bondswoman

© 2022 - 2024 — McMap. All rights reserved.