2

I am building a website in PHP but I am unsure how I should handle the 'Remember me' option that users have during the login process.

I am unsure whether to save the username and password in JavaScript storage and automatically fill it whenever the user is prompted with the login process again (I doubt this option as it would be very insecure) or somehow make the PHP session never expire (is this even possible?).

Here is the current login script:

<?php

include_once("connection.php");

session_start();

if (!empty($_POST)) {
    $sth = $dbh->prepare("SELECT customer_number FROM customers WHERE username = :username AND password = :password");
    $sth->bindValue(':username', $_POST['username'], PDO::PARAM_STR);
    $sth->bindValue(':password', $_POST['password'], PDO::PARAM_STR);
    $sth->execute();
    $result = $sth->fetchAll();

    if (!empty($result)) {
        $_SESSION['customer_number'] = $result[0]['0'];
        header("Location: /");
    }

    else {
        header("Location: /");
    }      
}

?>

The 'Remember me' option is accessible via $_POST['remember'].

Deep Kakkar
  • 5,831
  • 4
  • 39
  • 75
Jack
  • 515
  • 1
  • 5
  • 17
  • You should set a cookie so it lasts longer than on the closing of the browser. – TeeDeJee Jun 16 '15 at 12:02
  • You need to use cookies... – Deep Kakkar Jun 16 '15 at 12:07
  • Do I have to use cookies (is there no method to do it using sessions)? – Jack Jun 16 '15 at 12:07
  • maybe useful: [What is the best way to implement “remember me” for a website?](https://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website) Also: [Remember me Cookie best practice?](https://stackoverflow.com/questions/7214458/remember-me-cookie-best-practice) – Ryan Vincent Jun 16 '15 at 12:08

4 Answers

2

Whenever a user logs in after checking the Remember Me option, create a cookie with a token ID.

Steps that you can follow:

1) Create a random token ID and store it in the database along with the userId and expiration time.

2) Store this cookie ID and token ID in a cookie when the user logs in.

Authentication:

If the persistent cookie is found, check whether a record exists for that cookie and check that the token matches the one in the database.

Also check the expiration time and userId.

Also check out the best practices on how to implement it from HERE

Also, there is a good SO question on how to implement this feature

Community
  • 1
  • 1
Abhinav
  • 8,028
  • 12
  • 48
  • 89
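The token scheme from the steps above, as an added example that is not code from the answer or the question. The `auth_tokens` table, the cookie name and the 30-day lifetime are assumptions; storing only a SHA-256 hash of the token and replacing the token after each use go beyond the listed steps.

```php
<?php
// Added example. Assumed table (hypothetical):
//   auth_tokens(selector TEXT PRIMARY KEY, token_hash TEXT, customer_number INT, expires INT)

const REMEMBER_COOKIE = 'remember';          // hypothetical cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;   // 30 days, constructed value

// Call after a successful login when $_POST['remember'] is set.
function issueRememberToken(PDO $dbh, int $customerNumber): void
{
    $selector = bin2hex(random_bytes(12));   // public lookup key (the "cookie id")
    $token    = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $expires  = time() + REMEMBER_TTL;

    $sth = $dbh->prepare('INSERT INTO auth_tokens (selector, token_hash, customer_number, expires)
                          VALUES (:s, :h, :c, :e)');
    $sth->execute([':s' => $selector, ':h' => hash('sha256', $token),
                   ':c' => $customerNumber, ':e' => $expires]);

    setcookie(REMEMBER_COOKIE, "$selector:$token", [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Call on requests that have no logged-in session. Returns the customer number or null.
function loginFromRememberCookie(PDO $dbh): ?int
{
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $token] = $parts;

    $sth = $dbh->prepare('SELECT token_hash, customer_number, expires FROM auth_tokens WHERE selector = :s');
    $sth->execute([':s' => $selector]);
    $row = $sth->fetch(PDO::FETCH_ASSOC);

    // Reject unknown selectors, expired rows and wrong tokens (constant-time compare).
    if (!$row || (int)$row['expires'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }

    // Single use: delete the row, then issue a fresh token for the next visit.
    $dbh->prepare('DELETE FROM auth_tokens WHERE selector = :s')->execute([':s' => $selector]);
    issueRememberToken($dbh, (int)$row['customer_number']);
    return (int)$row['customer_number'];
}
```

When `loginFromRememberCookie()` returns a customer number, call `session_regenerate_id(true)` and set `$_SESSION['customer_number']` as the login script does; on logout, delete the user's rows and clear the cookie.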
1

Try below code:

if (isset($_POST['remember']) and $_POST['remember'] == "Yes") {
        setcookie("username", $_POST['username'], time() + 60 * 60 * 24 * 100, "/");
        setcookie("password", $_POST['password'], time() + 60 * 60 * 24 * 100, "/");
} else {
        setcookie("username", "", time() + 60 * 60 * 24 * 100, "/");
        setcookie("password", "", time() + 60 * 60 * 24 * 100, "/");
}
Dhaval Bharadva
  • 3,053
  • 2
  • 24
  • 35
0

You will need to set a cookie. The session is on the server and will be deleted when the server is off (you close the browser).

setcookie("customer_number", $result[0]['0'], time() + 60, "/");

The time is one minute and "/" means all pages.

Saeed Rahmani
  • 650
  • 1
  • 8
  • 29
0
<?php
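if (isset($cookie_name)) {
    // Check if the cookie exists
    if (isset($_COOKIE[$cookie_name])) {
        // Parse the cookie into an array; calling parse_str() without a
        // result array is no longer supported in PHP 8
        parse_str($_COOKIE[$cookie_name], $cookie);

        // Make a verification
        if (isset($cookie['usr'], $cookie['hash'])
            && ($cookie['usr'] == $_POST['username'])
            && ($cookie['hash'] == md5($_POST['password']))) {
            // Register the session
            $_SESSION['username'] = $_POST['username'];
        }
    }
}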
?>

Some helpful answers: How to implement remember me feature?

http://www.downwithdesign.com/web-development-tutorials/adding-remember-feature-php-login-script/

http://www.bitrepository.com/php-autologin.html

Community
  • 1
  • 1
Vishal Bharti
  • 185
  • 1
  • 9