I want to let the user be able to choose, when they log in, whether they want to be remembered for 30 days or for the session only. I am a bit new to PHP programming.

So far I have this:

HTML code:

<label>Remember me for:</label>
<select name="checkcookielength" id="checkcookielength">
    <option value="30days">30 Days</option>
    <option value="currentSession">This session only</option>
</select>


my auth.php:

<?php
function userloggedin($rr)
{
    global $logged_in;
    global $userid;
    global $sessionid;
    global $email;
    global $password;

    // Salted SHA-256 of the password; note that the hashed value is computed
    // but the plaintext $password is what is written to the cookie below.
    $saltpassword = $password . "5138hyh8g0ghg3h";
    $encpassword  = hash('sha256', $saltpassword);

    $logged_in = true;
    $userid    = $rr->userid;

    // Cookies live for 30 days (60 s * 60 min * 24 h * 30 days).
    setcookie("userid", $userid, time() + 60 * 60 * 24 * 30);
    setcookie("email", $email, time() + 60 * 60 * 24 * 30);
    setcookie("password", $password, time() + 60 * 60 * 24 * 30);

    header('Location: index.php');
    exit;
}


Please help on how to accomplish this. Your help will be appreciated.
Updated 19-Nov-15 0:07am
Comments
Richard Deeming 19-Nov-15 8:59am    
You're storing the username and password in cookies. That's an EXTREMELY insecure approach.

Cookie values are sent as headers with every single request to your site. Since you don't seem to be marking the cookies as "Secure", if there is a single request to your site over HTTP rather than HTTPS, then those cookies can be read by anyone on the network.

Since you don't seem to be marking the cookies as "HTTP-only", they can be read from script. If you have a single XSS vulnerability on your site, it can be exploited to steal the user's credentials.

Any log files or analytics logs are likely to include the cookie values as well, providing yet another avenue for your users' credentials to be stolen.

Have a read of these articles from Troy Hunt - they're using ASP.NET, but the principles are common to all web applications:
How to build (and how not to build) a secure “remember me” feature
C is for cookie, H is for hacker – understanding HTTP only and Secure cookies
Sergey Alexandrovich Kryukov 19-Nov-15 12:25pm    
I think you are absolutely right. Any option except "session only" would be just insane.

Note that the user can always use the browser's "remember me" feature, which is 1) much safer, because it does not store anything except the local computer's browser data, and 2) gives the user full control over what's going on, so she/he can use her/his own judgement on the safety of this decision (say, a public computer vs a well-protected personal one).

Your comment would make a really nice formal answer.

(As a matter of fact, it looks like a few days ago one of our "high-reputation" members started to down-vote anonymously, on a daily basis, all the advice based on just opinions (such as "don't do it"); well, this is the only pattern I was able to spot. There would be nothing wrong with such down-voting, if not for the criteria. But I hope you can ignore this as I do. And your opinion is well motivated. :-)

—SA
iDoKin 20-Nov-15 9:15am    
Thanks I will take a look at it, and improve my security.

1 solution

As I mentioned in the comments, storing the username and password in a cookie is an EXTREMELY bad idea. This will result in the users' credentials being stolen, and you could end up facing hefty fines for not securing your data properly.

You might be thinking that it's not a big deal if hackers manage to break into your site, since you're not doing anything particularly sensitive. But remember, a lot of users re-use the same password on multiple sites. The password that gets stolen from your site could very easily give the hacker access to the user's email, Facebook, or on-line banking accounts as well.

Troy Hunt has written many useful articles on this subject. They tend to focus on ASP.NET, but the principles apply to any web application. Two examples which apply here are:
How to build (and how not to build) a secure “remember me” feature
C is for cookie, H is for hacker – understanding HTTP only and Secure cookies

Since you're new to PHP programming, it would be better to use a pre-built framework to handle the security, leaving you free to concentrate on building the interesting bits of your site. A quick Google search brings up an open-source PHP login library which seems to tick all of the right boxes.

Comments
iDoKin 20-Nov-15 9:15am    
I hope the library will help in order to make my life easy.
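The comment thread above (cookies without the Secure and HTTP-only flags, credentials readable on the network and by any XSS payload) and the answer (use a proper "remember me" token instead of the password) describe the same fix without showing it in PHP. The following is an added example, not code from the question, the answer, or the library the answer links to. It assumes a PDO handle `$pdo`, a table `remember_tokens(selector, validator_hash, userid, expires)`, and that the caller has already verified the password (for example with `password_verify()`) and started a session; all of those names are assumptions for illustration. The password never goes into a cookie: the cookie holds a random selector plus a random validator, only the SHA-256 of the validator is stored server-side, the cookie is marked Secure and HttpOnly, and the token is rotated on every use.

```php
<?php
// Added example: password-free "remember me" cookie for the form above.
// Assumed: PDO handle $pdo and a table
//   remember_tokens(selector VARCHAR, validator_hash CHAR(64), userid INT, expires INT)
// The caller has verified the password and called session_start() already.

const REMEMBER_COOKIE = 'remember';
const REMEMBER_DAYS   = 30;

// Cookie attributes shared by every cookie this code sets.
function cookieOptions(int $expires): array
{
    return [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS, never on a plain-HTTP request
        'httponly' => true,   // not readable from JavaScript, so XSS cannot read it
        'samesite' => 'Lax',
    ];
}

// Called after the password has been verified. $cookieLength is the value of
// the <select name="checkcookielength"> from the form: '30days' or anything else.
function finishLogin(PDO $pdo, int $userid, string $cookieLength): void
{
    session_regenerate_id(true);        // fresh session id after authentication
    $_SESSION['userid'] = $userid;

    if ($cookieLength !== '30days') {
        return;                         // "This session only": the session cookie is enough
    }

    // selector: public lookup key; validator: secret, only its hash is stored
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + 60 * 60 * 24 * REMEMBER_DAYS;

    $stmt = $pdo->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, userid, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userid, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, cookieOptions($expires));
}

// Called on requests that have no logged-in session. Returns the user id on
// success, or null when there is no usable remember-me cookie.
function loginFromRememberCookie(PDO $pdo): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT validator_hash, userid, expires FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return null;
    }

    // Constant-time comparison of the hashed validator; a database leak only
    // exposes hashes, which cannot be turned back into a valid cookie.
    $valid = hash_equals($row['validator_hash'], hash('sha256', $validator));

    // Single use: delete the presented token whether it was valid or not. A
    // wrong validator for a known selector is a sign the cookie was tampered with.
    $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if (!$valid) {
        setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600));
        return null;
    }

    // Rotate: the user gets a brand-new selector/validator pair for the next visit.
    finishLogin($pdo, (int) $row['userid'], '30days');
    return (int) $row['userid'];
}

// Logout: revoke the server-side token and expire the cookie.
function logout(PDO $pdo): void
{
    if (!empty($_COOKIE[REMEMBER_COOKIE])) {
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        $pdo->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600));
    }
    $_SESSION = [];
    session_destroy();
}
```

Two points worth checking in a real deployment: the `secure` flag means the cookie is silently absent when the site is served over plain HTTP during development, so test the flow over HTTPS; and the `session_regenerate_id()` call assumes the PHP session cookie itself is configured with `session.cookie_secure` and `session.cookie_httponly` in php.ini, otherwise the session id has the same exposure the comments describe for the password cookie.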

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)