0

I am working on an online newspaper/blogging application with CodeIgniter 3.1.8 and Twitter Bootstrap 4. The application, of course, has a login and registration system.

I am currently working on adding a "remember me" functionality to the login form.

In application\views\auth\login.php I have:

```php
<?php echo form_open(base_url('login/login')); ?>
  <div class="form-group <?php if(form_error('email')) echo 'has-error';?>">
    <input type="text" name="email" id="email" value="<?php if(isset($_COOKIE['userEmail'])) { echo $_COOKIE['userEmail']; } ?>" class="form-control" placeholder="Email">
    <?php if(form_error('email')) echo form_error('email'); ?>
  </div>
  <div class="form-group <?php if(form_error('password')) echo 'has-error';?>">
    <input type="password" name="password" id="password" value="<?php if(isset($_COOKIE['userPassword'])) { echo $_COOKIE['userPassword']; } ?>" class="form-control" placeholder="Password">
    <?php if(form_error('password')) echo form_error('password'); ?>
  </div>
  <div class="form-group remember-me">
    <input type="checkbox" name="remember_me" value="true" id="remember_me">
    <span class="text text-muted">Remember me</span>
  </div>
  <div class="form-group">
    <input type="submit" value="Login" class="btn btn-block btn-md btn-success">
  </div>
<?php echo form_close(); ?>
```

In the controller (application\controllers\Login.php), I have:

```php
public function login() {
  $this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
  $this->form_validation->set_rules('password', 'Password', 'required|trim');
  $this->form_validation->set_error_delimiters('<p class="error-message">', '</p>');
  if ($this->form_validation->run()) {
    $email = $this->input->post('email');
    $password = $this->input->post('password');

    $this->load->model('Usermodel');
    $current_user = $this->Usermodel->user_login($email, $password);
    // If we find a user
    if ($current_user) {
      // If the user found is active
      if ($current_user->active == 1) {
        $this->session->set_userdata(
          array(
            'user_id' => $current_user->id,
            'user_email' => $current_user->email,
            'user_avatar' => $current_user->avatar,
            'user_first_name' => $current_user->first_name,
            'user_is_admin' => $current_user->is_admin,
            'user_active' => $current_user->active,
            'is_logged_in' => TRUE
          )
        );

        // Remember me
        if (!empty($this->input->post('remember_me'))) {
          setcookie ('userEmail', $email, time() + (7 * 24 * 3600));
          setcookie ('userPassword', $password,  time() + (7 * 24 * 3600));
        } else {
          setcookie ('userEmail', '');
          setcookie ('userPassword','');
        }

        // After login, display flash message
        $this->session->set_flashdata('user_signin', 'You have signed in');
        //and redirect to the posts page
        redirect('/dashboard');
      } else {
        // If the user found is NOT active
        $this->session->set_flashdata("login_failure_activation", "Your account has not been activated yet.");
        redirect('login');
      }
    } else {
      // If we do NOT find a user
      $this->session->set_flashdata("login_failure_incorrect", "Incorrect email or password.");
      redirect('login');
    }
  }
  else {
    $this->index();
  }
}
```

The problem

For a reason I have been unable to spot, even when the remember_me checkbox is NOT checked, the login credentials are still remembered.

UPDATE

I went to `application\config\config.php` and replaced `$config['sess_expiration'] = 7200` with:

```php
$config['sess_expiration'] = 0;
```

As a result, the remembering does not happen anymore.

Where is my mistake?

Razvan Zamfir
  • have a look [here](https://stackoverflow.com/questions/25183792/what-is-meaning-of-remember-me-functionality-on-login-page) and [here](https://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website) for more on that topic – Vickel Sep 19 '21 at 14:47
  • Your code looks good, this might be the browser's smartness. Chrome and Firefox now also ask users to remember credentials even though the form does not have a `Remember Me` option. – Kamlesh Jha Sep 25 '21 at 07:19
  • @KamleshJha Try out the application. All the code is **[here](https://github.com/Ajax30/Bravecms/tree/remember-me)** (Github repo). – Razvan Zamfir Sep 25 '21 at 08:40
  • Are you talking about session, or remembering of the credentials after the user logs out? – martin.malek Sep 26 '21 at 11:38
  • @martin.malek You seem to be very knowledgeable of PHP. How would you do it? – Razvan Zamfir Sep 26 '21 at 12:16
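
Added example (not part of the question, its answers, or the linked repository): the login code above writes the plaintext password into a cookie, and a common alternative for "remember me" is a random, single-use token of which only a hash is kept server-side. The `$store` array, the function names and the `remember` cookie name are assumptions made for illustration.

```php
<?php
// Added example; $store is an in-memory stand-in for a database table (assumed schema).
const REMEMBER_TTL = 7 * 24 * 3600; // 7 days, the lifetime used in the question

function issue_remember_token(int $userId, array &$store, int $now): string
{
    $selector  = bin2hex(random_bytes(9));  // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret half, only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

function verify_remember_token(string $cookie, array &$store, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]); // single use: caller issues a fresh token on success
    $ok = hash_equals($row['hash'], hash('sha256', $parts[1]));
    return ($ok && $row['expires'] >= $now) ? $row['user_id'] : null;
}

function remember_cookie_options(int $expires): array
{
    // Options array accepted by setcookie() since PHP 7.3.
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed demonstration, runnable from the CLI.
$store  = [];
$now    = time();
$cookie = issue_remember_token(42, $store, $now);
// In a controller: setcookie('remember', $cookie, remember_cookie_options($now + REMEMBER_TTL));
var_dump(verify_remember_token($cookie, $store, $now));   // fresh token
var_dump(verify_remember_token($cookie, $store, $now));   // same token replayed
var_dump(verify_remember_token('no:such', $store, $now)); // unknown selector
```

When the box is unchecked, no persistent cookie is set at all; an existing one is deleted by expiring it with the same path it was set with.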

3 Answers

0

In your authentication checking script check the cookie expiration time too, once expired clear the session variables.

jozsefk
  • If the cookie expires, browser will delete that by itself. Also it's not possible to read expiration time on server. – martin.malek Sep 26 '21 at 11:47
0

Are you testing with Chrome? I think Chrome remembers the logged in state anyway (you're still logged in after closing and re-opening the browser), while other browsers, like Firefox, will lose the cookie on re-opening.

You can also test this here: https://demo.fleio.com/

waverider
  • No, this depends on how you set the cookie. If the lifetime is set in future, it will remember it after reopening of the browser. If you don't set lifetime, it's considered session cookie and will be deleted when browser closes. Browser cannot remember logged state, browser doesn't know what that is. – martin.malek Sep 26 '21 at 11:34
  • Just that Chrome ignores that by default and remembers logged in state. It's configurable in Chrome though. – waverider Oct 09 '21 at 19:04
0

```php
setcookie('userEmail', $email, 0, "/");
```

Ryan M