remember me

[wadie]

Hi,

 

I'm creating a remember me feature for my site which obviously sets a cookie and when the visitors loads the site again,he would already be logged in.

 

This is a part of the code which is related :

$login_email	= request_var('login_email', '');
$login_password	= request_var('login_password', '');
$login_remember	= (isset($_POST['remember']) && $_POST['remember'] == 1) ? true: false;

setcookie('login_email', $_POST['login_email'], time()+60*60*24*365, '/','localhost',false);
setcookie('login_password', md5($_POST['login_password']), time()+60*60*24*365, '/','localhost',false);

 

HTML:

<strong class="normal"><input type="checkbox" name="remember" value="1">Remember</strong>

 

 

[MarPlo]

Hi,

Try use this code to set cookies:

setcookie('login_email', $_POST['login_email'], time()+60*60*24*365, '/');
setcookie('login_password', md5($_POST['login_password']), time()+60*60*24*365, '/');

In the code that gets values for login, check if there is the cookie to get the value from it

$login_email	= isset($_COOKIE['login_email']) ? $_COOKIE['login_email'] : request_var('login_email', '');
$login_password	= isset($_COOKIE['login_password']) ? $_COOKIE['login_password'] : request_var('login_password', '');[/code

[wadie]

Seems to be working..not sure..

 

To call the cookie I use:

 

if (empty($login_errors) && !$register_submit && logged_in() && !isset($_COOKIE['imgit_note']) || isset($_COOKIE['login_email']) && isset($_COOKIE['login_password']))
{
	echo '<div class="info" id="welcome_back">Welcome back <span class="capitalize">' . get_username() . '</span>
}

 

For some reason the username is Guests and the account isn't logged in. it only shows that the log in was successful.

[wadie]

and now logging in normally using the details stored in the cookie isn't working! it shows that the login details are wrong.

 

Need help ASAP please. 

[JonnoTheDev]

You should never store a username (email) / password in a cookie (even if it is hashed)! If I was to steal that cookie I would have: 1. access to your website, 2. the users email address. You should only store the user's ID (in the database), along with an access token. Read from the following url. The person does mention the username in a cookie but really that should be the user's ID

 

http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website

 

Most of the tutorials you see on the Internet for this do tell you to store usernames / passwords in cookies for a remember me option. They should be avoided at all costs and are written by people who don't care about the security of a website.

[JonnoTheDev]

http://jaspan.com/improved_persistent_login_cookie_best_practice

[wadie]

Thanks a lot!

 

But any idea why isn't it working ? 

[creata.physics]

Well didn't you say earlier that the username was set as Guest?

 

All security exploitable possibilities aside, I'd like to at least get your script to work, then you can worry about security later.

 

When you log in when clicking the remember me checkbox or whatever you use, does the username and password get stored properly in the cookies login_email and login password?

 

Once you get the correct information to set the appropriate cookies, you would then check if the cookies exist to find out whether or not to log the user in.

 

Some people think, well I have a login script, and if they set a cookie and I check those cookies then I'll display their username.  That's fine in theory, but not in logic.

 

Once you properly set the cookies, you script needs to check for those cookies, if the email and password match an existing users record, then you need to make a code that logs them in, not just displays their username from the cookie.  Otherwise, you're telling them who they are and such by the cookie, but their logged in data has still not been set.

[wadie]

Well didn't you say earlier that the username was set as Guest?

 

All security exploitable possibilities aside, I'd like to at least get your script to work, then you can worry about security later.

 

When you log in when clicking the remember me checkbox or whatever you use, does the username and password get stored properly in the cookies login_email and login password?

 

Once you get the correct information to set the appropriate cookies, you would then check if the cookies exist to find out whether or not to log the user in.

 

Some people think, well I have a login script, and if they set a cookie and I check those cookies then I'll display their username.  That's fine in theory, but not in logic.

 

Once you properly set the cookies, you script needs to check for those cookies, if the email and password match an existing users record, then you need to make a code that logs them in, not just displays their username from the cookie.  Otherwise, you're telling them who they are and such by the cookie, but their logged in data has still not been set.

 

Your post explains exactly what I did wrong !

 

The values are stored correctly in two cookies,but I guess only checking for the cookies won't display their username.

 

How do I do what you explained in the last paragraph ?

 

Thanks a lot mate.