  1. #1
    Regular Coder DR.Wong's Avatar
    Join Date
    Jan 2005
    Posts
    360
    Thanks
    23
    Thanked 1 Time in 1 Post

    Suggestion : Easiest way of making a "remember me" feature

    Hey everyone!

    My site uses sessions to keep a user logged in, until they close their browser that is..

    What would you say is the easiest way of implementing a remember me feature to keep them logged in?

    Thanks guys!
    -DR.Wong

    Where's the food at?

  • #2
    New Coder
    Join Date
    Mar 2007
    Posts
    31
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Save their session to a cookie I would say

  • #3
    Regular Coder Iszak's Avatar
    Join Date
    Jun 2007
    Location
    Perth, Western Australia
    Posts
    332
    Thanks
    2
    Thanked 58 Times in 57 Posts
    I would say using a MySQL table to store all the data with their IP, user ID, last login and a time for expiry like 1 week or so, because if you set a cookie, or what not it can easily be deleted, flat file is just too unsecured, and messy, then you have XML and I think you should just go with SQL table because it saves the hassle with XML so yeah..

  • #4
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,036
    Thanks
    2
    Thanked 316 Times in 308 Posts
    The only identifying information that you get from any visitor on any visit to your site is their current IP address and any information that their browser supplies, like a cookie (including a cookie with a session ID) or parameters on the end of URLs...

    Since a majority of the people on the planet have a dynamically assigned IP address (and dial up connections get a different IP address on each connection), that means that the only real way to implement a "remember me" feature is to use a cookie to store a unique ID that only the cookie and your web server know. Store this unique ID in your database along with the username. If you store the username in the cookie, and someone/virus has access to the visitor's computer or the data being exchanged, they will then know that person's actual username (someone knowing just a username could for example contact an inept support department and convince them to manually reset the password and give them access to an account.)
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.

  • #5
    Regular Coder DR.Wong's Avatar
    Join Date
    Jan 2005
    Posts
    360
    Thanks
    23
    Thanked 1 Time in 1 Post
    Thank you for all of the replies!

    When I first started thinking of the "remember me" feature I thought of using a cookie exactly how you suggested CFMaBiSmAd, with the ID inside.

    The thing that I hit a blank with was how to get my site to recognise the cookie from any page. I tried implementing an include in every page that would register some session variables from the database that corresponds to the ID in the cookie and it seemed to work somewhat, the problem is that the user only appears logged in after he/she clicks on at least one link in the site.

    The include registers the session variables before ANY of them are used by the rest of the pages, so I do not understand.

    Common scenario?
    -DR.Wong

    Where's the food at?

  • #6
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    Remember that this poses a security issue.

    Just like with sessions, all they need is that ID and they have access to everything that you do.

    Only now they can do it whenever they want, instead of having to wait for you to log in. I'd recommend adding 1 or 2 additional limiting factors.

    "the problem is that the user only appears logged in after he/she clicks on at least one link in the site."
    You most likely have to re-order the code in your pages. It mostly depends on how you did it though.

  • #7
    Regular Coder DR.Wong's Avatar
    Join Date
    Jan 2005
    Posts
    360
    Thanks
    23
    Thanked 1 Time in 1 Post
    The order of my page is as follows :

    [Included Page]
    Check if logged in, if not check for cookie.
    If cookie exists register session variables.
    [End included Page]
    <html>
    <?php
    ?>
    <html>

    It comes included before everything else.

    I moved my session_start(); to the included page instead of having it on the main page above the include. Mistake?

    I suppose a good security measure to add to the cookie would be a random string placed into the cookie every time it is accessed which is saved to the user's row as well?
    -DR.Wong

    Where's the food at?

  • #8
    Senior Coder CFMaBiSmAd's Avatar
    Join Date
    Oct 2006
    Location
    Denver, Colorado USA
    Posts
    3,036
    Thanks
    2
    Thanked 316 Times in 308 Posts
    What I wrote above was only meant to identify a visitor. Use a second cookie with a unique value in it (that you could change each time they visit your page) to determine if they are logged in or not. Requiring two pieces of unique matching information reduces the chance that someone can reverse engineer your values and log on through trying random/sequential values.

    To get specific help with why your code is not considering someone logged in until they click on a link, you would need to post your actual code.

    Either a session is not actually starting (due to content being output prior to the session start) or a cookie is being tested before it is actually being sent back by the browser (which happens on the next page visit following the page when the cookie was sent to the browser) or there is some other logic error.
    If you are learning PHP, developing PHP code, or debugging PHP code, do yourself a favor and check your web server log for errors and/or turn on full PHP error reporting in php.ini or in a .htaccess file to get PHP to help you.
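
Added example, not code from any post in this thread: one way to implement the cookie scheme discussed in posts #4, #7 and #8 in PHP, with a random lookup ID plus a second random value that is replaced on every use, and with the session variables set in the same request so the visitor is logged in on the first page load. The table `remember_tokens`, its columns, the cookie name and the function names are assumptions.

```php
<?php
// Added example: table, column, cookie and function names are assumptions.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL = 7 * 24 * 3600; // one week

function issue_remember_token(PDO $db, int $userId): void
{
    $selector = bin2hex(random_bytes(9));   // lookup key, identifies the row
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires = time() + REMEMBER_TTL;
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax', // HTTPS only
    ]);
}

function login_from_remember_cookie(PDO $db): void
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? null;
    if (isset($_SESSION['user_id']) || !is_string($cookie)) {
        return; // already logged in, or no usable cookie was sent
    }
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id FROM remember_tokens WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Single use: the row is deleted whether or not the validator matches.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ($row && hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) $row['user_id'];     // visible to this same request
        issue_remember_token($db, (int) $row['user_id']); // rotate the cookie value
    }
}

function start_session_with_remember_me(PDO $db): void
{
    session_start(); // must run before any output is sent
    login_from_remember_cookie($db);
}
```

Call `start_session_with_remember_me($db)` from the include at the top of every page, before any HTML, and call `issue_remember_token()` once after a successful password login when the visitor ticks "remember me".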

