Remember Me for logins

Posted on September 19, 2007
Filed Under Tips, Development, blog |

Nothing much

Another day in the office. I didn't sleep last night, watched UEFA Champions League (Liverpool vs FC Porto, 1-1). I didn't watch the first half, but the rest was quite dull. I slept earlier in the evening so I didn't feel too sleepy.

System

Anyway, there's an event management system that we're doing. Won't come out anytime soon, and it'll probably be proprietary. I'll find a reason to make it open source after it takes off.

Interakt

The system uses the Interakt (MX Kollection 3.0) stuff; framework or not, it's horrible. The thing is tightly integrated and stuff is passed around here and there. Maybe my understanding of OO concepts ain't as solid, but CI doesn't give me any problems; I can understand it clearly. It's simple and it does it well. It was implemented with CI previously, but my boss wanted to scrap it. I guess he can't get involved with it too much if I use CI, which frustrates him.

Remember Me, You and Me Again


Enough about MX Kollection, what I've been searching for is the best practices for a Remember Me feature for the login. Practical PHP Programming doesn't have it, so I googled and browsed a few sites and after lots of reading found a few.

And I went to search a little bit about cookie hijacking. After a while, I guess I have to accept that it is a disadvantage of implementing the Remember Me feature.

One thing I noticed on Joe Tutorials and Scriptygoddess is they use 2 variables for storing information. Why did they do that? Why can't they use just one variable? Example (this is the one that I did):

After authentication:

PHP:
  // random_string() is the post's own helper (not shown here); it must return
  // unpredictable data, otherwise the cookie value can be guessed.
  if($_POST['remember_me'] == 1)
  {
      $hash = sha1($row['uid'] . random_string());
      // same cookie name as the auto-login check below reads
      setcookie('eventuz', $hash, time()+60*60*24*14); // 2 weeks
      $sql_query = sprintf("UPDATE `user` SET remember_me = '%s' WHERE username = '%s' AND password = '%s'", $hash, mysql_real_escape_string($row['username']), mysql_real_escape_string(md5($_POST['password'])) );
      mysql_query($sql_query, $conn) or die(mysql_error());
  }

Auto login:

PHP:
  if(isset($_COOKIE['eventuz']))
  {
      $remember_hash = $_COOKIE['eventuz'];
      // look the cookie value up in the column written at login time
      $sql_query = sprintf("SELECT * FROM `user` WHERE remember_me = '%s'", mysql_real_escape_string($remember_hash));
      $result = mysql_query($sql_query, $conn) or die(mysql_error());
      if(mysql_num_rows($result) == 1)
      {
          $row = mysql_fetch_assoc($result);
          if($row['active'] == 1)
          {
              $_SESSION['user_id'] = $row['uid'];
              $_SESSION['username'] = $row['username'];
              $_SESSION['logged_in'] = TRUE;
          }
      }
  }

Final Thoughts

I think there's a way to prevent cookies from being fished out (retrieved) by a malicious website. Something along the lines of changing to a new random string every week, keeping it in the database, and comparing each entry to find out if it exists (which could take a lot of resources).

If anyone knows about this, feel free to inform me. I'm still learning.
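As an added example (not code from this post, nor from MX Kollection or CI), here is one way to do the two-part cookie the post asks about, in plain PHP: the cookie carries a lookup key (selector) plus a secret (validator), the database stores only a hash of the secret, and the token is rotated on every use, which covers the weekly-rotation idea in the Final Thoughts without scanning every row. It assumes a hypothetical MySQL table `user_tokens` (selector, validator_hash, uid, expires) and a PDO connection in `$pdo`; the cookie name 'eventuz' is the post's.

```php
<?php
// Added example, not the post's code. Assumes a hypothetical `user_tokens` table
// (selector CHAR(24), validator_hash CHAR(64), uid INT, expires DATETIME) on MySQL
// and a PDO connection in $pdo. Cookie name 'eventuz' is taken from the post.
const COOKIE_NAME = 'eventuz';
const LIFETIME    = 60 * 60 * 24 * 14; // 2 weeks, as in the post

// Call after a successful password login with "remember me" ticked.
function issue_remember_me(PDO $pdo, int $uid): void
{
    $selector  = bin2hex(random_bytes(12)); // public lookup key, stored in clear
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $expires   = time() + LIFETIME;
    $stmt = $pdo->prepare('INSERT INTO user_tokens (selector, validator_hash, uid, expires)
                           VALUES (?, ?, ?, FROM_UNIXTIME(?))');
    $stmt->execute([$selector, hash('sha256', $validator), $uid, $expires]);
    setcookie(COOKIE_NAME, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,  // only sent over HTTPS
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call on a request with no session: returns the uid to log in, or null.
function check_remember_me(PDO $pdo): ?int
{
    if (!isset($_COOKIE[COOKIE_NAME]) || substr_count($_COOKIE[COOKIE_NAME], ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE[COOKIE_NAME], 2);
    $stmt = $pdo->prepare('SELECT uid, validator_hash FROM user_tokens
                           WHERE selector = ? AND expires > NOW()');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time compare of the hashed secret: a dumped table holds only
    // hashes, so a leaked row cannot simply be replayed as a cookie.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    // Rotate on each use: drop the old row and issue a fresh cookie.
    $pdo->prepare('DELETE FROM user_tokens WHERE selector = ?')->execute([$selector]);
    issue_remember_me($pdo, (int) $row['uid']);
    return (int) $row['uid'];
}
```

Revoking every remembered login for a user is then a single `DELETE ... WHERE uid = ?`, which the single-column scheme in the post cannot do without overwriting the one stored hash.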
