2 questions based on a remember form details


j.smith1981


Hi there, got a bit of a logic question here.

I have been looking at doing a remember username and password for a person's login form.

You'd need to set this as a cookie, right? But when doing so, would you place it just as the user has entered the form, or when the user has actually successfully logged in? I know this first question would mostly be up to me, but what would you do, in your own opinion?

On a second note to that, I have been going on this logic, just to try and work it out for myself, but it keeps coming out with the encrypted password. Is there a much better tutorial than going off my own assumptions?

 

Here's the logic:

<?php
session_name('jeremysmith_remember_login');
session_start();

ini_set('display_errors', true);

// see what's in the cookies overall!
print_r($_COOKIE);

// now do logic on the form example:
if (!array_key_exists('login', $_POST)) {

    $message = 'User has not logged in yet, please login below:';
    require 'form.php';

} else {

    if (strlen(trim($_POST['username'])) > 0 && strlen(trim($_POST['password'])) > 0) {

        // now save them to a cookie maybe?

        // the mysql_* extension is deprecated; kept here as originally posted
        mysql_connect('localhost', '******', '*****') or die(mysql_error());
        mysql_select_db('test') or die(mysql_error());

        $username = mysql_real_escape_string($_POST['username']);
        $password = mysql_real_escape_string($_POST['password']);

        // compare the stored hash with the sha1 of the submitted password
        $sql = "SELECT * FROM users WHERE username LIKE '$username' AND password LIKE sha1('$password')";
        $result = mysql_query($sql) or die(mysql_error());

        if (mysql_num_rows($result) === 1) {

            $_SESSION['logged_in'] = true; // this will be our only check for now though!

            if (isset($_POST['remember_login'])) {

                // but don't remember if they have not logged in, what would be the point in that?
                setcookie("username", $_POST['username']);
                setcookie("password", $_POST['password']);

                header('Location: success.php');
                exit; // stop the script after sending the redirect header
            }
        }

    } else {

        $username = trim($_POST['username']);

        $error = 'You did not enter all the fields required to login, please try again';
        require 'auth_form.php';
    }
}

 

I am just a bit confused; any guidance is massively appreciated,

Jeremy.


For a 'remember me' feature, you should NOT store the actual userid/username/password in cookies. Anyone with physical or electronic access to the computer's data can get the actual userid/username and password and could then log in as that person, every place that person used that same username/password.

To identify who someone is (but not whether they are logged in), you would generate a unique and hard-to-guess value, store it in the cookie, and store it in the row in the user table for that person. You would then use that value from the cookie to get the actual userid/username (and logged-in state) from the user table to store in session variables when they come to your site. If you search the forum for 'uniqid' under my forum username, you will find several posts concerning this.

For a more sophisticated login system like this (with a remember-me feature), you should also store the logged-in/logged-out state in the row in the user table for that person and test it on every page request. That way, if the person logs out, or you log them out automatically after a period of inactivity, just having and supplying a matching unique id value in a cookie does not make the visitor count as logged in; they must supply the username/password to become logged in again.

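The mechanism the reply above describes, written out as an added example (not code from the original poster or from this forum): a random, hard-to-guess token is issued only after a successful password check, stored in the user's row, and sent to the browser as the only cookie; on later visits the token is mapped back to the user, and the row's logged-in flag decides whether the visitor counts as logged in. It goes one step beyond the reply by storing a SHA-256 hash of the token in the table rather than the raw value, so a copied database cannot be turned into working cookies. The table layout, column names and sample user are assumptions; an in-memory SQLite database stands in for MySQL so the file runs offline from the CLI (PHP 7.3+ for the array form of setcookie).

```php
<?php
// Added example. Assumed schema: users(id, username, password_hash,
// remember_token_hash, logged_in). SQLite in memory so it runs stand-alone.

function setup_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL,
        remember_token_hash TEXT,
        logged_in INTEGER NOT NULL DEFAULT 0
    )');
    // Constructed sample user; password_hash() instead of sha1() in SQL.
    $st = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $st->execute(['jeremy', password_hash('hunter2', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Username/password check; returns the user id on success, null otherwise.
function login(PDO $pdo, string $username, string $password): ?int {
    $st = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Called only after login() succeeded and the user ticked "remember me".
function issue_remember_token(PDO $pdo, int $userId): string {
    // 32 random bytes -> 64 hex chars: unique and infeasible to guess.
    $token = bin2hex(random_bytes(32));
    // Only the hash goes into the table; the raw token exists only in the cookie.
    $st = $pdo->prepare('UPDATE users SET remember_token_hash = ?, logged_in = 1 WHERE id = ?');
    $st->execute([hash('sha256', $token), $userId]);
    return $token;
}

// What a web request would do with the token (not called in the CLI walk-through).
function send_remember_cookie(string $token): void {
    setcookie('remember', $token, [
        'expires'  => time() + 30 * 24 * 3600,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// On each request: map the cookie's token to a user, but only treat them as
// logged in if the row still says so (logout or inactivity clears the flag).
function user_from_remember_token(PDO $pdo, ?string $token): ?array {
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed cookie, do not even hit the database
    }
    $st = $pdo->prepare('SELECT id, username, logged_in FROM users WHERE remember_token_hash = ?');
    $st->execute([hash('sha256', $token)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['logged_in'] !== 1) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Logout invalidates the token as well as the flag, so the old cookie is dead.
function logout(PDO $pdo, int $userId): void {
    $st = $pdo->prepare('UPDATE users SET remember_token_hash = NULL, logged_in = 0 WHERE id = ?');
    $st->execute([$userId]);
}

function check(bool $ok, string $what): void {
    if (!$ok) { throw new RuntimeException("check failed: $what"); }
}

// Walk-through standing in for the real request cycle.
$pdo = setup_demo_db();
check(login($pdo, 'jeremy', 'wrong') === null, 'bad password rejected');
$userId = login($pdo, 'jeremy', 'hunter2');
check($userId === 1, 'good password accepted');
$token = issue_remember_token($pdo, $userId);
check(user_from_remember_token($pdo, $token)['username'] === 'jeremy', 'token maps to user');
check(user_from_remember_token($pdo, str_repeat('0', 64)) === null, 'unknown token rejected');
logout($pdo, $userId);
check(user_from_remember_token($pdo, $token) === null, 'token useless after logout');
echo "remember-me flow OK\n";
```

Note that the token only ever identifies the account; the password is never written anywhere a browser can read it, which is why nothing in this flow needs to "get the password back" from its hash.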

Sorry, just wanted to go over this again and see how it compares to my understanding of what you said. I am a little confused about what you said, that's all.

I really massively appreciate your reply and wanted to make sure I understand it.

So you would only save this information if the user was previously successful in logging in, I take it? I mean, that's fine either way I think, just wanted to get someone's opinion on this.

But you would only save their userid in a session? That makes sense, because provided one would never leave information on how the database looks to the user (why would they?), then it would be a complete guess as to what their true username is. But the downside is they'd have it filled in on the form anyway; the only possible way of securing that is SSL, but this is a piece of work where that kind of system is not really that important.

Then, if the cookie exists, I would have thought logically that where there is a userid greater than, say, 0, the script would log in to the database server and check what the username is for that userid, but how would you go for the password if it's encrypted?

I mean, that's what I honestly do not get. There are sites where people are able to, but how would you go about getting that back at all by doing that?


Oh, scratch that, sorry, I was thinking way too literally, as if the user was on that one table. No, you are quite right, but really, erm.

So I would say, trying to think this concept through logically.

So you are suggesting (excuse the last part of my previous reply) that I would get the user to log in successfully, then save maybe the session_id to a cookie, which would exist in a table for users, with a link maybe to their userid. I mean, I am trying to think this through logically, where I am not saving the user's password in the database anywhere, but I am finding this really confusing.

Any help is hugely appreciated. I do not really want to save passwords as true values, but how would I get what the user typed back, though?
