
Hi all,

 

I currently have a login script that does the job perfectly, but I am looking to add a remember me feature to it. So far this has proved more complicated than first thought.

 

I have the following pages and code:

 

employerlogin.html

 

<?php
session_start();

if(isset($_COOKIE['CookieName']))
// If the cookie 'CookieName' is set, do the following;
{
$dbHost = 'host';
// Database Connection Details - Host
$dbUser = 'user';
// Database Connection Details - Username
$dbPass = 'pass';
// Database Connection Details - Password
$dbname = 'dbname';
// Database Connection Details - Database Name


$username = $_COOKIE['CookieName']['ename'];
// Select the username from the cookie
$password = $_COOKIE['CookieName']['epass'];
// Select the password from the cookie

$db = mysql_connect($dbHost,$dbUser,$dbPass);     // Connection Code
mysql_select_db($dbname,$db);                     // Connects to database

$query = "SELECT ename, upass FROM employers WHERE ename = '$ename' AND epass = '$epass'";
$result = mysql_query($query, $db);
if(mysql_num_rows($result))         
// If the login information is correct do the following;
    {
    $_SESSION['loggedin'] = 1;    
// Set the session 'loggedin' to 1 and forward the user to the admin page
    header('Location: http://www.mysite.com//employers/login.php');
    exit();
    }
}

/*    If the cookie doesn't exist or the login
    information  stored within the cookies
    are   wrong   show   the   login   form.
*/
?>

<?php
if (isset($_GET['error']) AND !empty($_GET['error']))
{
    echo 'Invalid login data supplied. Please try again.';
}
?>
<style type="text/css">
<!--
.style1 {color: #FFFFFF}
-->
</style>
<table width="90%" border="0" cellspacing="0" cellpadding="5">
<tr>
<td align="left" class="tcat">Employer User Area Login | <a href='<?=$fullurl?>/employers/help.php'><font color='#FFFFFF'>Forgot Login?</font></a></td>
</tr>

<td class="tborder">

<form method='post' action='<?=$fullurl?>/employers/login.php'>
<br/>
<?
$sql = "SELECT * FROM employers WHERE
        ename = '$ename' AND epass = '$epass'";
$result = mysql_query($sql);
$a1 = mysql_fetch_array($result);

if (mysql_num_rows($result) == 0) 
{
?>
<br/>
<table align="center">
  <tr>
    <td>Email:</td>
    <td><input name="ename" type="text"></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td> <input name="epass" type="password"></td>
  </tr>
   <tr>
  	<td></td>
    <td align="right">Remember Me: <input type="checkbox" name="rememberme" id="rememberme" value="rememberme" /></td>
  </tr>
  <tr>
  	<td></td>
    <td align="right"><input type = "submit" name="submit" value="Login"></td>
  </tr>
</table>
<?
}
elseif ($ename == '') 
{
?>
<table align="center">
  <tr>
    <td>Email:</td>
    <td><input name="ename" type="text"></td>
  </tr>
  <tr>
    <td>Password:</td>
    <td> <input name="epass" type="password"></td>
  </tr>
  <tr>
  	<td></td>
    <td align="right">Remember Me: <input type="checkbox" name="rememberme" id="rememberme" value="rememberme" /></td>
  </tr>
  <tr>
  	<td></td>
    <td align="right"><input type = "submit" name="submit" value="Login"></td>
  </tr>
</table>
<br/>
<table width="100%" border="0">
  <tr>
    <td align="center">Not registered? | <a href="<?=$fullurl?>/employers/registration.php">Register Here</a></td>
  </tr>
</table>
  <?
}
else
{
?>
  
  You are currently logged in as: 
  <br/>
  <font color="#FF0000"><strong>"<?=$a1[companyname]?>"</strong></font>
  <br/>
  <br/>
<table width="100%" border="0">
  <tr>
    <td align="center"><a href="<?=$fullurl?>/employers/index.php">Employers Area</a> | <a href="<?=$fullurl?>/employers/logout.php">Logout</a></td>
  </tr>
</table>
<?
}
?>
</form>
</td>
</table>

login.php

 

<?php
session_start();        // Shows we are using sessions

$dbHost = 'host';
$dbUser = 'user';
$dbPass = 'pass';
$dbname = 'dbname';    

$username = $_POST['ename'];    // Gets the inputted username from the form
$password = $_POST['epass'];    // Gets the inputted password from the form
$time = time();            // Gets the current server time
$check = $_POST['rememberme'];        // Checks if the remember me button was ticked

$db = mysql_connect($dbHost,$dbUser,$dbPass); // Connection Code
mysql_select_db($dbname,$db);                     // Connects to database

$query = "SELECT ename, epass FROM employers WHERE ename = '$ename' AND epass = '$epass'";
$result = mysql_query($query, $db);
if(mysql_num_rows($result)) {    // If the username and password are correct do the following;
   $_SESSION['loggedin'] = 1;        // Sets the session 'loggedin' to 1

    if($check) {
    // Check to see if the 'setcookie' box was ticked to remember the user
    setcookie("CookieName[ename]", $ename, $time + 3600);     // Sets the cookie username
    setcookie("CookieName[epass]", $epass, $time + 3600);      // Sets the cookie password
    }
}
else    // If login is unsuccessful forwards the user back to the index page with an error
{
}
?>

 

Does anyone have the faintest idea why this isn't working? I know the cookie is being written, as I've checked. However, it seems that it isn't being detected when the user closes the window and opens a new one.

https://forums.phpfreaks.com/topic/155987-remember-me-login-script/

I wouldn't use a cookie loggedin=1,

just because anyone can edit the cookie then and mess with the script.

 

Why add more cookies, when you can put the expiry on the loggedin cookie instead?

 

Use the username/pass with md5() to generate a key, which is much harder to fake.

 

And why the mix of cookies and sessions?

 

 

1) Never EVER store credential information inside a cookie!!!! These are stored on the client side and it is very easy to read, modify and even create them. So if you only rely on authentication and no authorization, then I could pretend to be you, with full power over the system and able to destroy everything over which you have power.

 

2) To create a remember-me script you need to store account information inside the session, so when a user visits your website you check if the session information is available, retrieve it and perform the authentication process just like the user would have by using the authentication form. Something like:

 

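<?php
session_start();

if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
    // Session data is present: repeat the authentication step with it
    // (logon() is assumed to be defined elsewhere in the application)
    logon($_SESSION['username'], $_SESSION['password']);
}
else {
    // No session data: send the visitor to the login form and stop here
    header('Location: /logon.php');
    exit;
}
?>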

Hi Ignace,

 

I'm new to PHP, so forgive my lack of knowledge. So when you create it in a session, where would this be placed within my existing code, and how exactly does the computer know they have logged in previously?

 

I thought sessions were destroyed when the browser window was closed?

 

Yep, you're right. You can change this behavior by changing the lifetime of the cookie which holds the session identifier: http://be2.php.net/manual/en/function.session-set-cookie-params.php

 

This script should be placed in your index.php or some script that is always included so that you get logged in on every page. Create an additional function called is_logged() to verify a user has been logged in.

 

<?php
if (is_logged()) {
  // ...logged-in logic...
} else {
  // ...not-logged-in logic...
}
?>

 

If you are include'ing a page in every PHP file, then know that you only want to log a user in when he is not logged in:

<?php
if (!is_logged()) {
   if (isset($_SESSION['username']) && isset($_SESSION['password'])) {
       logon($_SESSION['username'], $_SESSION['password']);
   }
}
?>
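
The following is an added example, not part of any post in this thread: one way to build the remember-me cookie discussed above so that it carries a random, single-use token rather than the username and password. It assumes PHP 7.3 or later; the `$store` array stands in for a database table, and all function and cookie names are hypothetical.

```php
<?php
// Added example. $store is a constructed stand-in for a database table keyed
// by selector; all function and cookie names here are hypothetical.
const REMEMBER_TTL = 30 * 24 * 3600; // 30 days

function issue_remember_token(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'hash'    => hash('sha256', $validator),
        'user_id' => $userId,
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

function check_remember_token(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                         // malformed or unknown selector
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);                // single use: row is deleted either way
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        return null;                         // expired, or validator does not match
    }
    return $row['user_id'];
}

function send_remember_cookie(string $value): void
{
    setcookie('remember', $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,                  // sent over HTTPS only
        'httponly' => true,                  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed demonstration, runnable from the command line.
$store  = [];
$cookie = issue_remember_token($store, 42);
var_dump(check_remember_token($store, $cookie));   // valid token
var_dump(check_remember_token($store, $cookie));   // same token replayed
var_dump(check_remember_token($store, 'abc:forged'));
```

After a successful check, issue a fresh token with `issue_remember_token()` and call `session_regenerate_id(true)` before marking the session as logged in.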
