Jump to content

[SOLVED] login 'remember me' without user & pass in cookie?

Dragen

By Dragen
in PHP Coding Help

 Share

Recommended Posts

Dragen Advanced Member

Dragen

Posted
Posted

In a login system how would I create a 'remember me' feature without storing the username and password in a cookie?

I've never really dealt with login systems much and before I stored the username and password in a cookie, so next time they visited the site it would read from the cookies and log them in. Obviously this has some major security issues. I figure I'll need to use cookies somehow, but can't figure out how I can do it 'safely'.

What would be a better way of doing it?

Link to comment
Share on other sites
Fadion Newbie

Fadion

Posted
Posted

Dont see where's the problem of storing username and pass in cookies! Im sure u hash your passwords so it wont be a sensitive information.

 

Just have it save an md5 hash of the username and timestamp that way it's always unique.  When they visit the page check the hash to the user's table row and auto log them in.

 

md5($username . $timestamp); is salting, but how on earth would u compare real data to random hashed ones? To bypass this, u have to add a salt column to the table where u store random salts, which actually seems alot overwhelming.

 

Link to comment
Share on other sites
DeanWhitehouse Advanced Member

DeanWhitehouse

Posted
Posted

how would i get this remember me feature to work.

<?php
require_once 'includes/db_connect.php';

if ($_SESSION['is_valid'] == false){
if (isset($_POST['login'])){

$user_name = $_POST["user_name"];        
$user_password = $_POST["user_password"]; 
$cookiename = forumcookie;   
$verify_username = strlen($user_name);
$verify_pass = strlen($user_password);
if ($verify_pass > 0 && $verify_username > 0)
{
$userPswd = md5($user_password);
$userpwsd = sha1($userPswd);
$sql = "SELECT * FROM `$user` WHERE user_name='$user_name' AND user_password='$userpwsd' LIMIT 1;";
$result = mysql_query($sql);
if (mysql_num_rows($result) == 1){
	$row = mysql_fetch_assoc($result);
	$user_level = $row['userlevel'];
	if ($user_level == 1) {
		$login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '$_GET[u]' AND user_password = 	'$_GET[p]'"));

		$userright = array($login_check['user_name'], $login_check['userlevel']);
		$s_userpass = serialize($userpass);
	$_SESSION['username'] = $row['user_name'];
	$_SESSION['user_password'] = $row['user_password'];
	$_SESSION['user_level'] = $row['userlevel'];
	$_SESSION['user_id'] = $row['user_id'];
	header("Location:http://".$_SERVER[HTTP_HOST]);
	$_SESSION['is_valid'] = true; //change the session variable name to what you want, just remember it for all files
	 if(isset($_POST['remember'])){
    	  setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
    	  setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
   		}
	} 
		elseif ($user_level == 2){    
			$login_check = @mysql_fetch_array(mysql_query("SELECT * from `$user` WHERE user_name = '$_GET[u]' AND user_password = '$_GET[p]'"));

			$userright = array($login_check['user_name'], $login_check['userlevel']);
		$s_userpass = serialize($userpass);
	$_SESSION['username'] = $row['user_name'];
	$_SESSION['user_password'] = $row['user_password'];
	$_SESSION['user_level'] = $row['userlevel'];
	$_SESSION['user_id'] = $row['user_id'];
	header("Location:http://".$_SERVER[HTTP_HOST]);
	$_SESSION['is_valid'] = true; //change the session variable name to what you want, just remember it for all files
	 if(isset($_POST['remember'])){
    	  setcookie("cookname", $_SESSION['username'], time()+60*60*24*100, "/");
    	  setcookie("cookpass", $_SESSION['user_password'], time()+60*60*24*100, "/");
   		}
	}
}
else{
	echo "Login failed. Username and Password did not match database entries.";    
}
}

else
{
echo "Form was not completed. Please go back and make sure that the form was fully completed.";    
}
}
?> 

<html>
<table bgcolor='#999999' align='right'><form action="<?php $_SERVER['PHP_SELF']; ?>" method='POST'>
<tr><td>Username: </td><td><input type='text' name='user_name' /><br /></td></tr>
<tr><td>Password:</td><td> <input type='password' name='user_password' /><br /></td></tr>
<tr><td><input type="hidden" name="login" value="true"><input type="submit" value="Submit"></td></tr>
<tr><td><input type="checkbox" value="1" name="remember"> Remember Me </td></tr><tr><td><a href="register.php">[Register]</a></td></tr><tr><td><a href="forgot_password.php">[Forgot Password?]</a></td></tr></table>
</form>
</html>

<?php 
mysql_close();
}
else
{
header("Location:http://".$_SERVER[HTTP_HOST]);
}
?>

Link to comment
Share on other sites
Dragen Advanced Member

Dragen

Posted
  • Author
Posted

hmm.. I think I'm just gonna salt the hell out of it and hope for the best.

Just in theory how does this sound:

if($remember == true){
setcookie('ui', $this->salt($username) . '%' . $this->salt($password), time()+(60*60*24*365), '/');
}

with salt() creating my salt obviously, but using thte % (or another symbol) as a separator so I can extract them.

 

EDIT: Or I'll probably remove the separator and just make the salts a certain length, so I know when to break them.

Link to comment
Share on other sites
DeanWhitehouse Advanced Member

DeanWhitehouse

Posted
Posted

Hey Blade that needs to be posted as a new topic since it isn't relevant to this discussion ;)

I think it is, this post is about remember me, i am just checking if my code was right,and also if dragen wanted to use it if he didn't get the answer he wanted.

BTW, dragen, soz for interupting your thread, but i didn't want to waste forum space.

448191. how do i do that, as i haven't an idea how.

Link to comment
Share on other sites
Fadion Newbie

Fadion

Posted
Posted

I just don't like the idea of storing the passwords in a cookie in case the salt/hash gets cracked somehow.

 

Cracking the salt would give no result, as u still got the password hash. And thats why ure using random ones, so if u crack one, u have only that. Cracking passwords would have nosense, only if the user has set the password=door and the cracker runs it in a dictionary of common-words hashes. Eventhough, thats why u use salts! As i stated before, this is too overwhelming.

Link to comment
Share on other sites
448191 Advanced Member

448191

Posted
Posted

If you want to preserve some data, but purge other, then yes, you need a second identifier.

 

In most cases that would be unnecessary though.

 

How to do it? Maybe look in the manual for session_set_cookie_params() and session_regenerate_id()?

Link to comment
Share on other sites
Dragen Advanced Member

Dragen

Posted
  • Author
Posted
I think it is, this post is about remember me, i am just checking if my code was right,and also if dragen wanted to use it if he didn't get the answer he wanted.

BTW, dragen, soz for interupting your thread, but i didn't want to waste forum space.

448191. how do i do that, as i haven't an idea how.

I didn't look over your code thoroughly, but it looks fine. I don't want to use it though as it's similar to the old one that I used to use.

 

Cracking the salt would give no result, as u still got the password hash. And thats why ure using random ones, so if u crack one, u have only that. Cracking passwords would have nosense, only if the user has set the password=door and the cracker runs it in a dictionary of common-words hashes. Eventhough, thats why u use salts! As i stated before, this is too overwhelming.

thanks for the input. I'm doing it the way of hashing and salting now.

 

Just use session_set_cookie_params() to set the session lifetime to close to infinity and regenerate the session id at the first chance you get.

 

Anything else is either stupid, unnecessary or overkill.

I'm not really wanting to do that as all the other session variables are variables which I don't want lasting any longer than the current session. It's only the log-in one that needs to last.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.