Thread: Remember Me

    #1

    Remember Me


    Hi everyone
    I was wondering if anyone can tell me of a good place to get a tutorial that is up to date, on how to add a remember me to my site. I made up this little script to add, but something is telling me that it can be done better. Thanks...
    PHP Code:
    if ($rememberMe == "rememberMe"){
        $rememberMe = "1";
    }else{
        $rememberMe = "0";
    }
    //Code here
    if($rememberMe=="1"){
        setcookie("rememberCookiename",$user,(time()+604800));
        setcookie("rememberCookiePass",md5($pass),(time()+604800));
    }
    header("Location: users");
    }
    else{
        $datetime = date("d")*10000000000 + date("m")*100000000 + date("Y")*10000 + date("G")*100 + date("i");
  2. #2
    Hi,

    There's a thing called session:
    http://www.php.net/manual/en/intro.session.php

    By the way, don't do this "$rememberMe = "1";". This is not BASIC.
  4. #3
  5. Sarcky
    Do not ever store a password in the cookie, even hashed.

    The "remember me" function is a lot more complex than you think. An auto-login cookie is stored on the user's machine containing a one-time-use key which matches a key stored in the database. Also in the database is information about the user's IP, user-agent, and operating system.

    When a user with a remember-me cookie visits the site, the additional information plus the key are looked up in the database and compared to the information coming from the user. If it all matches, then the user is given a valid login session as if they had logged in properly.

    At this point, they are given a new "remember me" cookie with a new key.

    Don't just stick their password in their cookie, then you can masquerade as anyone once you figure it out. Cookies are also not secure.
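    The scheme described in post #3, sketched as an added example that is not part of the original thread: a one-time-use key is issued, checked against the database together with the user-agent, and replaced on every successful use. The table and function names (`remember_tokens`, `rm_issue`, `rm_consume`) are assumptions; as choices of this sketch, the key is stored hashed and only the user-agent is bound (an IP or OS column would be compared the same way).

```php
<?php
declare(strict_types=1);

// Constructed schema; table and column names are assumptions for this example.
function rm_schema(PDO $db): void {
    $db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL, user_id INTEGER NOT NULL,
        ua_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
}

// Issue a key and return the cookie value "selector:validator". Only a hash
// of the validator is stored, so a leaked table does not yield usable cookies.
function rm_issue(PDO $db, int $userId, string $ua, int $ttl = 604800): string {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId,
                  hash('sha256', $ua), time() + $ttl]);
    return $selector . ':' . $validator;
}

// Check a cookie; returns [userId, replacementCookie] or null.
function rm_consume(PDO $db, string $cookie, string $ua): ?array {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $st = $db->prepare('SELECT * FROM remember_tokens WHERE selector = ?');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) { return null; }
    // One-time use: the stored key is deleted whether or not the check passes.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $validator))
       && hash_equals($row['ua_hash'], hash('sha256', $ua))
       && (int) $row['expires'] >= time();
    if (!$ok) { return null; }
    // The caller starts the login session and sets the replacement cookie.
    return [(int) $row['user_id'], rm_issue($db, (int) $row['user_id'], $ua)];
}

// Demo: in-memory SQLite and a constructed user-agent string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
rm_schema($db);
$ua     = 'ExampleBrowser/1.0';
$cookie = rm_issue($db, 42, $ua);
$first  = rm_consume($db, $cookie, $ua);     // first presentation of the key
$replay = rm_consume($db, $cookie, $ua);     // same cookie presented again
var_dump($first !== null && $first[0] === 42, $replay === null);
```

    In a request handler, pass the returned cookie value to `setcookie()` with the `secure` and `httponly` options, and call `session_regenerate_id(true)` when creating the login session.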
  6. #4
    Originally Posted by ManiacDan
    Do not ever store a password in the cookie, even hashed.

    The "remember me" function is a lot more complex than you think. An auto-login cookie is stored on the user's machine containing a one-time-use key which matches a key stored in the database. Also in the database is information about the user's IP, user-agent, and operating system.

    When a user with a remember-me cookie visits the site, the additional information plus the key are looked up in the database and compared to the information coming from the user. If it all matches, then the user is given a valid login session as if they had logged in properly.

    At this point, they are given a new "remember me" cookie with a new key.
    I know not to store the password in a cookie and to set up a key to check, but didn't even think about adding IP etc... Great idea. Now to implement...
  8. #5
  9. Mad Scientist
    Beware the EU cookie laws

    In this bureaucratic ****-hole most call Europe, site owners must gain explicit consent from site users to store cookies that are not absolutely required in order to deliver the service, and another level of consent if you wish to store information about the user on the user's computer/device.

    How this is regionally enforceable in a global internet, I'm not quite sure (e.g. if you are an American, hosting an American site in America and had users in the UK.....would this apply to you? I dunno)

    To make matters..."more interesting"...the EU gave the directive and left it up to member states to choose how the directive is implemented/specific rules/enforcement; apparently Germany is very strict
  10. #6
  11. Sarcky
    if you are an American, hosting an American site in America and had users in the UK.....would this apply to you? I dunno
    Recent proceedings against megaupload and others have shown that you could be extradited from your country of origin into the country in which you would be breaking the law, then arrested and tried.

    However, that's unlikely to happen for the cookie law since it's there to protect normal citizens, not corporate profits. People are less important.