11

I have a login system. How can I implement a secure remember me system using cookies?

What value should I store in the cookie? Username and password, but how can I secure it?

alex
Saqueib
  • I have tried storing username and password in a cookie – Saqueib Sep 05 '10 at 07:35
  • 1
    OK. That's a start. But if I intercept that cookie, then you're left exposed. Look at the following: http://stackoverflow.com/search?q=php+session+hijacking – Russell Dias Sep 05 '10 at 07:39
  • Bad idea. Not only can anyone on that machine read the user+pass combo, but any XSS that sends `document.cookie` will be able to view your username/pass verbatim. – alex Sep 05 '10 at 07:40
  • 1
    I.e. you want to at least make it unattractive to target your auto-login system by reducing the possible damage. In my opinion a viable solution a) _must_ include a temp. key that is used instead of the actual user/password b) _should_ mention the http_only attribute for cookies and maybe the domain/path attributes. c) _should_ mention not to trust this type of "login" and when and where it should be required to enter the password. – VolkerK Sep 05 '10 at 09:38
  • You should re-use an existing authentication framework whenever possible, because, really, it's complex. For example, take a look at https://github.com/delight-im/PHP-Auth – caw Sep 21 '16 at 02:10

4 Answers

1

Define a salt for each user in the DB, then

on setting:

```php
// $salt is the per-user salt loaded from the DB for this $username
$expire_time = time() + 2 * 7 * 24 * 3600; // 2 weeks expiry time

setcookie(
    "rememberMe",
    crypt($username, $salt), // hash of the username under the user's salt
    $expire_time,
    '/'
);
```

on validating:

```php
// recompute the hash for the claimed user and compare it with the cookie
if (isset($_COOKIE['rememberMe'])
    && $_COOKIE['rememberMe'] === crypt($username, $salt)) {
    // cookie matches: treat $username as remembered
}
```
Community
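The temporary-key approach VolkerK's comment asks for, carried a step further than the answer above, as an added example (not code from the answer or the question): the cookie holds a random selector and validator rather than anything derived from the username or password, the database stores only a hash of the validator, and the cookie is flagged httponly and secure. The PDO handle `$db` and the `remember_tokens` table are assumptions.

```php
<?php
// Added example, not code from the answers above. The cookie holds a random
// selector plus a random validator, never the username or password; the DB
// stores only a hash of the validator, so a leaked table cannot be replayed.
// Assumed: $db is a PDO handle and a table remember_tokens(selector,
// validator_hash, user_id, expires_at) exists. Needs PHP 7.3+ for setcookie().
const REMEMBER_COOKIE = 'rememberMe';
const REMEMBER_TTL    = 2 * 7 * 24 * 3600; // two weeks, as in the answer

function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));  // public row id
    $validator = bin2hex(random_bytes(32)); // secret, lives only in the cookie
    $expires   = time() + REMEMBER_TTL;
    $stmt = $db->prepare('INSERT INTO remember_tokens
        (selector, validator_hash, user_id, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);
    // httponly keeps document.cookie (XSS) from reading it; secure = HTTPS only
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the user id if the cookie is valid, null otherwise. A used token is
// deleted and a fresh one issued, so a copied cookie stops working once the
// legitimate browser has visited again.
function checkRememberToken(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) return null;
    [$selector, $validator] = explode(':', $raw, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at
        FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()) return null;
    // Lookup is by selector, compare is constant time: timing leaks nothing
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) return null;
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    issueRememberToken($db, (int) $row['user_id']); // rotate the token
    return (int) $row['user_id'];
}
```

Call `issueRememberToken()` after a successful password login and `checkRememberToken()` at the start of a request with no live session; anything sensitive (password change, payment) should still require the password, as VolkerK's comment notes.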
0

Maybe you should store (in your DB) the visitor's IP, user agent, time zone or installed plugins. Something that might be easy to get using JavaScript, since getting the MAC address might be a problem.

Then you can easily check if the user has the same IP, UA, time zone or plugins as last time :) Or you might use MaxMind to check his location and confirm he is using the correct time zone. If there's anything suspicious you should discard the cookie credentials.

sstevan
0

Maybe you could create a 16 char letter/number string that is associated in a database with that user and the MAC address so that (as long as people aren't trying too hard and spoofing MACs) only that machine can log on.

David Watson
-1

There's not much to it... don't let your session files get cleaned up (ini setting session.gc_probability = 0), and change the session cookie from temporary to permanent (ini setting session.cookie_lifetime = however_long_you_want_the_user_to_be_remembered).

Of course, you'd probably want to eventually clean up stale session files, so you could experiment with a very low probability of the cleanup occurring, or do some external cleanup. Either way, as long as the user keeps the session cookie around and you keep the session file around, they'll be "remembered".

Marc B
  • 2
    I think a cookie set with `setcookie()` would be a better idea rather than let sessions never expire. – alex Sep 05 '10 at 07:41
  • 1
    Well, either way, if the user's remembered, the session will be recreated, so might as well keep it around. You can always strip out critical data if there's a large time lapse between visits when the next visit does come in. – Marc B Sep 05 '10 at 07:52