View Full Version : Suggestion : Easiest way of making a "remember me" feature

09-05-2007, 12:55 PM
Hey everyone!

My site uses sessions to keep a user logged in, until they close their browser that is..

What would you say is the easiest way of implementing a remember me feature to keep them logged in?

Thanks guys!

09-05-2007, 01:01 PM
Save their session to a cookie I would say :)

09-05-2007, 01:02 PM
I would say use a MySQL table to store all the data with their IP, user ID, last login and a time for expiry, like 1 week or so, because if you set a cookie or whatnot it can easily be deleted. A flat file is just too insecure and messy, then you have XML, and I think you should just go with an SQL table because it saves the hassle of XML, so yeah..

09-05-2007, 03:07 PM
The only identifying information that you get from any visitor on any visit to your site is their current IP address and any information that their browser supplies, like a cookie (including a cookie with a session ID) or parameters on the end of URLs...

Since a majority of the people on the planet have a dynamically assigned IP address (and dial up connections get a different IP address on each connection), that means that the only real way to implement a "remember me" feature is to use a cookie to store a unique ID that only the cookie and your web server knows. Store this unique ID in your database along with the username. If you store the username in the cookie, and someone/virus has access to the visitor's computer or the data being exchanged, they will then know that person's actual username (someone knowing just a username could for example contact an inept support department and convince them to manually reset the password and give them access to an account.)

09-05-2007, 03:12 PM
Thank you for all of the replies!

When I first started thinking of the "remember me" feature I thought of using a cookie exactly how you suggested CFMaBiSmAd, with the ID inside.

The thing that I hit a blank with was how to get my site to recognise the cookie from any page. I tried implementing an include in every page that would register some session variables from the database that correspond to the ID in the cookie, and it seemed to work somewhat; the problem is that the user only appears logged in after he/she clicks on at least one link in the site.

The include registers the session variables before ANY of them are used by the rest of the pages, so I do not understand.

Common scenario?

09-05-2007, 05:18 PM
Remember that this poses a security issue.

Just like with sessions, all they need is that ID and they have access to everything that you do.

Only now they can do it whenever they want, instead of having to wait for you to log in. I'd recommend adding 1 or 2 additional limiting factors.

the problem is that the user only appears logged in after he/she clicks on at least one link in the site.

You most likely have to re-order the code in your pages. It mostly depends on how you did it though.

09-05-2007, 05:36 PM
The order of my page is as follows :

[Included Page]
Check if logged in, if not check for cookie.
If cookie exists register session variables.
[End included Page]

It comes included before everything else.

I moved my session_start(); to the included page instead of having it on the main page above the include. Mistake?

I suppose a good security measure to add to the cookie would be a random string placed into the cookie every time it is accessed, which is saved to the user's row as well?

09-05-2007, 05:53 PM
What I wrote above was only meant to identify a visitor. Use a second cookie with a unique value in it (that you could change each time they visit your page) to determine if they are logged in or not. Requiring two pieces of unique matching information reduces the chance that someone can reverse engineer your values and log on through trying random/sequential values.

To get specific help with why your code is not considering someone logged in until they click on a link, you would need to post your actual code.

Either a session is not actually starting (due to content being output prior to the session start) or a cookie is being tested before it is actually being sent back by the browser (which happens on the next page visit following the page when the cookie was sent to the browser) or there is some other logic error.
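Editor's added example, not code from anyone in this thread: a complete "remember me" flow in PHP that ties together CFMaBiSmAd's two suggestions (a random ID in the cookie, looked up in the database rather than a username, and a second random value that changes on every use) and the ordering point in the last post (start the session before any output, and do not expect a cookie set on this request to be readable until the next one). Instead of two cookies it uses one cookie holding "selector:validator", which is the same two-piece idea in a single value. It assumes PHP 7.4+ with PDO, a table named remember_tokens, a cookie named remember_me and a site served over HTTPS; those names are assumptions, not something the thread specifies.

```php
<?php
// Added example (not code from this thread): a "remember me" token flow in PHP.
// Assumes PHP 7.4+ with PDO, a table remember_tokens(selector, validator_hash,
// user_id, expires), a cookie named remember_me, and a site served over HTTPS.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';   // assumed cookie name
const REMEMBER_TTL    = 7 * 24 * 3600;   // one week, the expiry suggested above

// Create the token table (SQLite syntax so the demo at the bottom runs stand-alone).
function remember_schema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
}

// Issue a token for $userId. The cookie carries "selector:validator"; the DB keeps
// the selector and only a hash of the validator, so a leaked table dump cannot be
// turned into a working cookie. Neither part is derived from the username.
function issue_remember_token(PDO $db, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));    // 18 hex chars, used for the lookup
    $validator = bin2hex(random_bytes(32));   // 64 hex chars, the actual secret
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Check a cookie value. The row is deleted whether or not the check passes (single
// use), and on success a fresh token is issued, so a copied cookie stops working as
// soon as either copy is used. Returns [user_id, new_cookie_value] or null.
function consume_remember_token(PDO $db, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    // hash_equals() compares in constant time, so timing does not leak the hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))
        || (int) $row['expires'] < $now) {
        return null;
    }
    $userId = (int) $row['user_id'];
    return [$userId, issue_remember_token($db, $userId, $now)];
}

// Page bootstrap: include this before ANY output. session_start() must run before
// the first byte is sent, and a cookie set on this request only comes back on the
// next one, so the function fills $_SESSION directly instead of re-reading $_COOKIE.
function remember_me_bootstrap(PDO $db): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (isset($_SESSION['user_id']) || !isset($_COOKIE[REMEMBER_COOKIE])) {
        return;                                   // already logged in, or nothing to check
    }
    $result = consume_remember_token($db, (string) $_COOKIE[REMEMBER_COOKIE], time());
    if ($result === null) {
        setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);   // drop a bad cookie
        return;
    }
    [$userId, $newCookie] = $result;
    session_regenerate_id(true);                  // fresh session id on privilege change
    $_SESSION['user_id'] = $userId;
    setcookie(REMEMBER_COOKIE, $newCookie, [
        'expires'  => time() + REMEMBER_TTL, 'path' => '/',
        'secure'   => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Stand-alone demo on an in-memory SQLite database (constructed data, not a live site).
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    remember_schema($db);
    $now      = 1700000000;
    $cookie   = issue_remember_token($db, 42, $now);
    [$uid, $rotated] = consume_remember_token($db, $cookie, $now);  // first use: OK, rotated
    $replayed = consume_remember_token($db, $cookie, $now);          // old value: refused
    $expired  = consume_remember_token($db, $rotated, $now + REMEMBER_TTL + 1);  // too late
    echo ($uid === 42 && $rotated !== $cookie && $replayed === null && $expired === null)
        ? "remember-me token flow OK\n" : "remember-me token flow FAILED\n";
}
```

To use it on a real site, call remember_me_bootstrap() from the include that every page loads first, call issue_remember_token() plus the same setcookie() after a successful password login, and delete the user's rows from remember_tokens on logout or password change. The cookie set during a request is only visible in $_COOKIE on the following request, which is why the bootstrap writes to $_SESSION itself instead of waiting for the browser to send the cookie back.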