Add "Remember Me" to Register & Login

LyleCrumbstorm
New php-forum User
Posts: 2
Joined: Fri Apr 05, 2013 4:47 pm
Location: Colorado, USA

Add "Remember Me" to Register & Login

Postby LyleCrumbstorm » Tue Apr 16, 2013 9:48 am

I know many people, including myself, have struggled with this for some time. If anyone can solve this, you are sure to be a hero amongst many.

phpacademy.org posted a 44 video series on building a Register & Login system and then another 6 video series on a login system with a "Remember Me" cookie-setting/auto-login feature. Unfortunately these 2 series do not result in one combined end result. The following is taken from the login routine from the "Register & Login" series. The question is, how can a "Remember Me" feature be added to this? I personally end up in an endless loop on my best efforts.

When a visitor signs in a session is started, their username & password are checked against the database and if everything checks, a session_user_id is created:

Code:

if (logged_in() === true) {
   $session_user_id = $_SESSION['user_id'];
   $user_data = user_data($session_user_id, 'user_id', 'username', 'password');
   if (user_active($user_data['username']) === false) {
      session_destroy();
      header('Location: index.php');
      exit();
   }
}


The function logged_in() is written as:

Code:

function logged_in(){
   return (isset($_SESSION['user_id'])) ? true : false;
}


My personal modification to this, which has not worked:

Code:

//function logged_in(){
//   if (isset($_SESSION['user_id']) || isset($_COOKIE['username']))
//   {
//      $logged_in = TRUE;
//      return $logged_in;   
//   }
//   }



On the Login page the visitor's information is checked against the database and a session is started if everything passes:

Code:

if (empty($_POST) === false) {
   $username   = $_POST['username'];
   $password   = $_POST['password'];
   // An unticked checkbox is absent from $_POST entirely, so default it instead of reading a missing key.
   $rememberme = isset($_POST['rememberme']) ? $_POST['rememberme'] : '';

   if (empty($username) === true || empty($password) === true) {
      $errors[] = 'error msg';
   } else if (user_exists($username) === false) {
      $errors[] = 'error msg';
   } else if (user_active($username) === false) {
      $errors[] = 'error msg';
   } else {
      $login = login($username, $password);
      if ($login === false) {
         $errors[] = 'That username/password combination is incorrect.';
      } else {
         $_SESSION['user_id'] = $login;
         header('Location: index.php');
         exit();
      }
   }
}


Further down the page is the login form with fields represented above.

My personal modification to this, which has not worked:

Code:

//} else {
//   if ($rememberme == "on") {
//      setcookie("username", "$username", time()+7200);
//      header('Location: index.php');
//   } else if ($rememberme == "") {
//      $_SESSION['user_id'] = $login;
//      header('Location: index.php');
//   exit();


What am I leaving out? What am I overlooking? What information have I skipped over here? Any help is deeply appreciated. I will quickly provide any additional necessary information.
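As an added example (not code from the original post or from the phpacademy series), here is one way to build the "Remember Me" feature the question asks for on top of the session login shown above. It assumes a PDO connection $pdo, a remember_tokens table with the columns named in the comments, and that login() returns the user_id as in the post; REMEMBER_COOKIE, remember_user(), login_from_cookie() and forget_user() are names chosen here. The design point is that the cookie never replaces the session: it is only used to re-create a missing session, so logged_in() has a single source of truth on every request and the cookie-set-but-no-session state never occurs. The cookie carries a random selector plus a random validator, and only a hash of the validator is stored, so a dump of the table does not yield working cookies.

```php
<?php
// Added example (not from the original post). Assumptions: $pdo is a PDO handle;
// a table remember_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
// user_id INT, expires DATETIME) exists; login() from the post returns user_id.
// Requires PHP 7.3+ for the setcookie() options array.

const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 60 * 60 * 24 * 30;   // 30 days

// Call after a successful password login when the checkbox was ticked.
// Cookie = selector (row lookup) ":" validator (the secret). Only sha256(validator)
// is stored, so a dumped table does not yield usable cookies.
function remember_user(PDO $pdo, int $user_id): void {
    $selector  = bin2hex(random_bytes(12));     // 24 hex chars
    $validator = bin2hex(random_bytes(32));     // 64 hex chars
    $expires   = time() + REMEMBER_LIFETIME;

    $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                   VALUES (?, ?, ?, FROM_UNIXTIME(?))')
        ->execute([$selector, hash('sha256', $validator), $user_id, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Drop the persistent token (call from logout as well as on a bad cookie).
function forget_user(PDO $pdo): void {
    if (!empty($_COOKIE[REMEMBER_COOKIE])) {
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    unset($_COOKIE[REMEMBER_COOKIE]);
}

// Restore a login from the cookie; returns user_id or false. A valid token is
// consumed and replaced, so a stolen cookie works at most once.
function login_from_cookie(PDO $pdo) {
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (strpos($raw, ':') === false) {
        return false;
    }
    [$selector, $validator] = explode(':', $raw, 2);
    if (!ctype_xdigit($selector) || !ctype_xdigit($validator)) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM remember_tokens
                           WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals() compares in constant time; a mismatch means a forged or reused token.
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        forget_user($pdo);
        return false;
    }
    $user_id = (int) $row['user_id'];
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    remember_user($pdo, $user_id);              // rotate the token
    return $user_id;
}

// Replaces the post's logged_in(): the session is the only source of truth; the
// cookie is tried only to re-create a missing session.
function logged_in(PDO $pdo): bool {
    if (isset($_SESSION['user_id'])) {
        return true;
    }
    $user_id = login_from_cookie($pdo);
    if ($user_id === false) {
        return false;
    }
    session_regenerate_id(true);               // fresh session id on login
    $_SESSION['user_id'] = $user_id;
    return true;
}

// In the login handler from the post, the success branch becomes:
//   $_SESSION['user_id'] = $login;
//   if (!empty($_POST['rememberme'])) { remember_user($pdo, $login); }
//   header('Location: index.php'); exit();
```

The logout handler should call forget_user($pdo) before session_destroy(), otherwise the browser keeps a cookie that will silently log the user back in on the next request. Rotating the token on every use also gives a simple detection signal: a validator that fails to match for a known selector means either the cookie was tampered with or an old copy was replayed after the legitimate browser already rotated it.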

seandisanti
php-forum Fan User
Posts: 838
Joined: Mon Oct 01, 2012 12:32 pm

Re: Add "Remember Me" to Register & Login

Postby seandisanti » Tue Apr 16, 2013 10:33 am

Are you trying to do this with an object-oriented approach? Here's my login_success() function from an old user object. This is being called with an associative array $record which is generated at login, and the password being stored isn't the password the user entered, but actually the encrypted password minus the salt.

Code:

    private function login_success($record)
    {
        $_SESSION['uid']          = $record['id'];
        $_SESSION['firstName']    = $record['first_name'];
        $_SESSION['lastName']     = $record['last_name'];
        $_SESSION['email']        = $record['email'];
        $_SESSION['user_type_id'] = $record['user_type_id'];
        if (isset($_POST['mem'])) { // wants to be remembered
            // stores the user's id and the stored (hashed) password in cookies for 30 days
            setcookie('pw', $record['password'], time() + 3600 * 24 * 30);
            setcookie('id', $_SESSION['uid'], time() + 3600 * 24 * 30);
        }
        redirect_to('dashboard.php');
    }


***edit for clarification***
Do not store your users' passwords as plain text, or even reversible encryptions thereof. The user table supporting the function listed had a 'password' field that contained the md5'd sha1 of the password they entered and a random salt which was stored in another field.

Basically when a user signed up and created their password, a salt was generated, added to their entered pass, and then the concatenation was sha1'd. THAT result then had the salt added to it again, and was md5'd. The result of that was stored in the password field. At login time, the record is loaded first behind the scenes based on username or email, and the attempted password goes through the same hashing procedure with the same salt, and success is determined based on whether they match. On success the function above is called to load relevant fields into the session, and create a cookie if they wish to be remembered.

LyleCrumbstorm

Re: Add "Remember Me" to Register & Login

Postby LyleCrumbstorm » Tue Apr 16, 2013 12:31 pm

If it wasn't obvious, I should have pointed out that I am a complete novice. You just introduced me to a new term, "salt" that I am unfamiliar with. I can say that the password is md5 encrypted though!

Here are the functions that lead up to logged_in() in case they tell you anything. I have put in countless hours trying to figure this out myself as I feared I'd end up here looking like a moron asking a stupid question. Well it's out now - I'm a PHP noob!

Code:

function logged_in(){
   return (isset($_SESSION['user_id'])) ? true : false;
}

function user_exists($username) {
   $username = sanitize($username);
   return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username'"), 0) == 1) ? true : false;
}

function email_exists($email) {
   $email = sanitize($email);
   return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email'"), 0) == 1) ? true : false;
}

function user_active($username) {
   $username = sanitize($username);
   return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `active` = 1"), 0) == 1) ? true : false;
}

function user_id_from_username($username) {
   $username = sanitize($username);
   return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '$username'"), 0, 'user_id');
}

function user_id_from_email($email) {
   $email = sanitize($email);
   return mysql_result(mysql_query("SELECT `user_id` FROM `users` WHERE `email` = '$email'"), 0, 'user_id');
}

function login($username, $password) {
   $user_id = user_id_from_username($username);
   
   $username = sanitize($username);
   $password = md5($password);
   
   return (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'"), 0) == 1) ? $user_id : false;
}

seandisanti

Re: Add "Remember Me" to Register & Login

Postby seandisanti » Tue Apr 16, 2013 2:18 pm

md5 alone is not a secure enough encryption: because of the proliferation of rainbow tables on the net, you can unfortunately often un-md5 a hash just by googling it. This can be confirmed by changing the literal string in the $badPass assignment below:

Code:

<?php
// md5 of a common password; the redirect looks the hash up in a public md5 database
$badPass = md5('TestPassword');
header('location:http://md5.rednoize.com/?q=' . $badPass . '&s=md5');

The site I'm redirecting to for the answer above was just the first result on Google when I searched for the hashed value of the password.
Because md5 is so secure, it really can't be relied upon to protect anything but the most trivial of data. So what a lot of people will do, like I do, is use md5 as a wrapper around a better one-way encryption like bcrypt, sha1, etc.
A salt is a random variant that complicates the algorithm a bit. Say you use a fixed string, 'salt', as a salt. You would take the string to be encrypted, add the salt, then encrypt, and then either store the salt somewhere in another field, or tack it onto the end again. Personally, I like to use md5 after another encryption or two, then add the salt to the end of the result, because md5 results will always be 32 characters, but a salt can be used to make the length consistent with another encryption type, etc. Here's an example of generating a salted hash; it's still just using md5, but it's a much better implementation.

Code:

<?php
// fixed salt appended to the password before hashing, then tacked onto the result
$salt       = 'salt';
$pass       = 'TestPassword';
$saltedHash = md5($pass . $salt) . $salt;
header('location:http://md5.rednoize.com/?q=' . $saltedHash);

