#1
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Jan 2017 | Posts: 307 | Rep Power: 1

Are These Persistent Cookie Ideas Safe And Interesting?


PHP Masters!

Every PHP persistent cookie tutorial I come across always saves the user's password onto the user's HDD. To make things worse, it saves it on the HDD without encrypting it.
Now, I thought it would be best if the cookie got named after the user's computer's MAC address and the MAC address got saved in the DB.
Then, when the user loads the login page, the cookie can check its cookie name against the DB and if there is a match then auto log the user into his/her account.
But now I read that it is not possible to acquire the user's MAC address unless the user is on the same LAN as my webserver.

Q1a. So, what else can act as a substitute for the MAC address? What else can PHP grab from the user's computer which it can use as a reference against the username to identify that it is the same user?
IPs change. No good using that.

Q1b. How about the user's computer name? Can it grab that from the user's computer so it can use that as the MAC substitute or use that as the cookie name?

Q1c. Or maybe I just get the script to name the cookie in this format:

username-ip

And make that cookie available as long as the user's IP has not changed.
That way, when the user loads the login page while the IP hasn't changed, the cookie can check its cookie name (username-ip) against the DB and if there is a match then auto log the user into his/her account. What do you think?
Can you guys show me how to do this by editing my code?
I have been googling all night and reading whatever I find on the subject. But I am still stuck and need to see some code samples to clear the confusion.

PHP Code:
    <?php
    session_start();
    if(!empty($_POST["login"])) {
        $conn = mysqli_connect("localhost", "root", "", "blog_samples");
        // Look the member up with a prepared statement so the submitted name/password
        // are bound as values, not concatenated into the SQL text.
        // The tutorial schema stores member_password as an md5 hash.
        $sql = "SELECT * FROM members WHERE member_name = ? AND member_password = ?";
        $stmt = mysqli_prepare($conn, $sql);
        $password_hash = md5($_POST["member_password"]);
        mysqli_stmt_bind_param($stmt, "ss", $_POST["member_name"], $password_hash);
        mysqli_stmt_execute($stmt);
        $result = mysqli_stmt_get_result($stmt);
        $user = mysqli_fetch_array($result);
        if($user) {
            $_SESSION["member_id"] = $user["member_id"];

            if(!empty($_POST["remember"])) {
                // "Remember me" as the tutorial does it: username and plain password
                // are written into cookies that last ten years.
                setcookie("member_login", $_POST["member_name"], time() + (10 * 365 * 24 * 60 * 60));
                setcookie("member_password", $_POST["member_password"], time() + (10 * 365 * 24 * 60 * 60));
            } else {
                // Checkbox not ticked: drop any cookies from an earlier login.
                if(isset($_COOKIE["member_login"])) {
                    setcookie("member_login", "");
                }
                if(isset($_COOKIE["member_password"])) {
                    setcookie("member_password", "");
                }
            }
        } else {
            $message = "Invalid Login";
        }
    }
    ?>
    <style>
    #frmLogin {
        padding: 20px 60px;
        background: #B6E0FF;
        color: #555;
        display: inline-block;
        border-radius: 4px;
    }
    .field-group {
        margin-top: 15px;
    }
    .input-field {
        padding: 8px;
        width: 200px;
        border: #A3C3E7 1px solid;
        border-radius: 4px;
    }
    .form-submit-button {
        background: #65C370;
        border: 0;
        padding: 8px 20px;
        border-radius: 4px;
        color: #FFF;
        text-transform: uppercase;
    }
    .member-dashboard {
        padding: 40px;
        background: #D2EDD5;
        color: #555;
        border-radius: 4px;
        display: inline-block;
    }
    .member-dashboard a {
        color: #09F;
        text-decoration: none;
    }
    .error-message {
        text-align: center;
        color: #FF0000;
    }
    </style>

    <?php if(empty($_SESSION["member_id"])) { ?>
    <form action="" method="post" id="frmLogin">
        <div class="error-message"><?php if(isset($message)) { echo $message; } ?></div>
        <div class="field-group">
            <div><label for="login">Username</label></div>
            <!-- cookie values are HTML-escaped before being echoed into the attribute -->
            <div><input name="member_name" id="login" type="text" value="<?php if(isset($_COOKIE["member_login"])) { echo htmlspecialchars($_COOKIE["member_login"]); } ?>" class="input-field"></div>
        </div>
        <div class="field-group">
            <div><label for="password">Password</label></div>
            <div><input name="member_password" id="password" type="password" value="<?php if(isset($_COOKIE["member_password"])) { echo htmlspecialchars($_COOKIE["member_password"]); } ?>" class="input-field"></div>
        </div>
        <div class="field-group">
            <div><input type="checkbox" name="remember" id="remember" <?php if(isset($_COOKIE["member_login"])) { ?> checked <?php } ?> />
            <label for="remember">Remember me</label></div>
        </div>
        <div class="field-group">
            <div><input type="submit" name="login" value="Login" class="form-submit-button"></div>
        </div>
    </form>
    <?php } else { ?>
    <div class="member-dashboard">You have Successfully logged in!. <a href="logout.php">Logout</a></div>
    <?php } ?>
Q1d. What do you think about this unique idea? Let me know if the idea is flawed or not.
During registration, the system would ask the user to upload any img.
During persistent cookie checking (meaning, when the user has loaded the login.php or home.php), the user would be shown a list of imgs to select. If he/she selects the right one they uploaded during registration then the system (cookie) would auto log them in.
Alternatively, the user can be shown a question and a few answer options in a checkbox or dynamic drop down UI that lists the correct answer as well as the incorrect answers. If the user selects the correct answer from the answering options then the user is auto logged in. Clicking the mouse is simpler than typing the username & password. And so, this little ID check won't bother the user that much. Would it bother you, as a user?

Alternatively, the user can be shown a list of imgs where an img can be of his/her family member (eg, brother, uncle) and a question that asks "what is this person to you?" and show a few answer options in a checkbox such as:
1. Brother;
2. Uncle;
3. Friend;

etc. If the user selects the right answer then he/she is auto logged in. Else not.
If you like any of the ideas mentioned in Q1d, then how about editing my code and showing us newbies a sample code on how to achieve the one you liked?

    Thanks!
    Last edited by UniqueIdeaMan; October 13th, 2017 at 07:33 AM.
#2
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Aug 2016 | Posts: 100 | Rep Power: 50
On August 26, 2017, in one of the forums you have posted in, someone took the time to write out how to do a remember me:
If you want a 'remember me' feature, at the point where the user has successfully logged in, generate a unique random token, store this in a cookie and store it in a column in your users table. If the visitor returns to your site and the login session variable doesn't exist and the cookie does, use the token value from the cookie to query for the user's id. If found, store the user's id in the session variable, the same as if they had just logged in via a username/password.

    Comments on this post

    • UniqueIdeaMan agrees
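A worked version of the token scheme described in the post above, added here as an example (it is not code from this thread or from the tutorial the OP pasted). It assumes a members table with member_id and a hypothetical remember_token_hash CHAR(64) column, an open mysqli link in $conn, and PHP 7.3+ for the setcookie options array. It goes one step beyond the post by storing only a SHA-256 hash of the token in the database (so a DB leak does not hand out working cookies) and by rotating the token on every use.

```php
<?php
// Added example, not from the thread. Assumes members(member_id, remember_token_hash CHAR(64))
// where remember_token_hash is a hypothetical column; $conn is an open mysqli link; PHP 7.3+.
session_start();

const REMEMBER_COOKIE = "member_remember";
const REMEMBER_TTL    = 30 * 24 * 60 * 60; // 30 days

// Call after a successful username/password login when "remember me" was ticked.
function issueRememberToken(mysqli $conn, int $memberId): void {
    $token = bin2hex(random_bytes(32));   // 256-bit random token goes to the browser...
    $hash  = hash("sha256", $token);      // ...only its hash is stored server-side
    $stmt  = mysqli_prepare($conn, "UPDATE members SET remember_token_hash = ? WHERE member_id = ?");
    mysqli_stmt_bind_param($stmt, "si", $hash, $memberId);
    mysqli_stmt_execute($stmt);
    setcookie(REMEMBER_COOKIE, $token, [
        "expires"  => time() + REMEMBER_TTL,
        "path"     => "/",
        "secure"   => true,   // HTTPS only
        "httponly" => true,   // not readable from page scripts
        "samesite" => "Lax",
    ]);
}

// Call at the top of login.php / home.php: restores the session from the cookie if it is valid.
function loginFromRememberCookie(mysqli $conn): bool {
    if (!empty($_SESSION["member_id"]) || empty($_COOKIE[REMEMBER_COOKIE])) {
        return false;   // already logged in, or this browser has no cookie
    }
    $hash = hash("sha256", $_COOKIE[REMEMBER_COOKIE]);
    $stmt = mysqli_prepare($conn, "SELECT member_id FROM members WHERE remember_token_hash = ?");
    mysqli_stmt_bind_param($stmt, "s", $hash);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    if (!$row) {
        setcookie(REMEMBER_COOKIE, "", time() - 3600, "/");   // unknown token: drop the cookie
        return false;
    }
    session_regenerate_id(true);
    $_SESSION["member_id"] = $row["member_id"];
    issueRememberToken($conn, (int) $row["member_id"]);       // rotate: each token is used once
    return true;
}

// Call from logout.php so the old token cannot be replayed after logout.
function clearRememberToken(mysqli $conn, int $memberId): void {
    $stmt = mysqli_prepare($conn, "UPDATE members SET remember_token_hash = NULL WHERE member_id = ?");
    mysqli_stmt_bind_param($stmt, "i", $memberId);
    mysqli_stmt_execute($stmt);
    setcookie(REMEMBER_COOKIE, "", time() - 3600, "/");
}
```

Reading the token back from the user's machine is just `$_COOKIE[REMEMBER_COOKIE]`, as in loginFromRememberCookie(); the browser sends it with every request to the cookie's path.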
#3
Banned (not really), Devshed Supreme Being (6500+ posts)
Join Date: Dec 1999 | Location: Caro, Michigan | Posts: 14,810 | Rep Power: 4536
    The above answers the first three questions. You don't understand the answer, so you're going down a worthless rabbit hole.

    The last "unique" idea, lol, is taking best security practices and putting them in a blender with a heaping pile of **** and blending it up.
    -- Cigars, whiskey and wild, wild women. --
#4
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Jan 2017 | Posts: 307 | Rep Power: 1
    Originally Posted by Sepodati
    The above answers the first three questions. You don't understand the answer, so you're going down a worthless rabbit hole.

    The last "unique" idea, lol, is taking best security practices and putting them in a blender with a heaping pile of **** and blending it up.
FYI, I do understand the answer, as it is nothing new compared to what a lot of tutorials or "security" articles discuss. It's just that I'll need to ponder deeply on how to do all that. The token checking and all that.
How To Grab Cookie Token From User HDD?
    Last edited by UniqueIdeaMan; October 14th, 2017 at 03:22 PM.
#5
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Jan 2017 | Posts: 307 | Rep Power: 1
    Originally Posted by DSmabismad
    On August 26, 2017, in one of the forums you have posted in, someone took the time to write out how to do a remember me -
I gave you a REP. But where exactly is that thread of mine? What was it called? Can you remember? I might as well check it out again.
    Last edited by UniqueIdeaMan; October 14th, 2017 at 03:23 PM.
#6
Contributing User, Devshed Newbie (0 - 499 posts)
Join Date: Jan 2017 | Posts: 307 | Rep Power: 1
Does anybody else remember that thread of mine?
    Last edited by UniqueIdeaMan; October 14th, 2017 at 03:27 PM.
