
Can not keep user logged in with cookie or session

Tags:

php

I am having a bit of trouble. I am working on a small CMS. When I login everything is fine, but if I sit there the session seems to require me to login again after 3 minutes maybe. So I tried to implement a remember me feature, and have no luck with it either. It also still requires me to login.

In my functions I have the following code snippet.

function logged_in(){

    if(isset($_SESSION['email']) || isset($_COOKIE['email'])){
        return true;
    } else {
        return false;
    }
}

Then I created another function so that if the page requires login and you're not logged in, it will redirect.

function require_loggin(){

    if (logged_in()) {} else {

        redirect(ROOT_URI);
    }
}

Now on all the pages that require login I have this in the header of the page.

<?php require_loggin(); ?>

And this is my post data for the login page.

$email = clean($_POST['email']);
$password = clean($_POST['password']);
$remember   = isset($_POST['remember']);

And finally my login.

function login_user($email, $password, $remember){

        $active = 1;

        $connection = dbconnect();
        $stmt = $connection->prepare('SELECT user_pwd, user_email, uid, username FROM users WHERE user_email = ? AND active= ?');
        $stmt->bind_param('ss', $email, $active);
        $stmt->execute();
        $result = $stmt->get_result();

        if ($result->num_rows == 1) {
            $row = $result->fetch_array();
            $db_password = $row['user_pwd'];

            if (password_verify($password, $db_password)) {

                if($remember == "on") {
                    setcookie('email', $email, time() + 86400);
                }

                $_SESSION['uid'] = $row['uid'];
                $_SESSION['email'] = $row['user_email'];           
                $_SESSION['username'] = $row['username'];

                return true;
            } else {
                return false;
            }
            return true;
        } else {
            return false;
        }
}

Everything works with no error. Login and logout are fine.

The issue is that once they login the default session dies in about 4 minutes if they are not clicking links, and the remember me function won't work. I read somewhere that a default session should last about 30 minutes, but the session requires login after 4 minutes of not moving through the site.

Someone mentioned to me about Garbage Collection but I have to admit I am totally lost on it.

I am still fairly new to PHP and I want to learn the correct way, not the incorrect way. My project works great, I just cannot keep a user logged in or get the remember me to function.

Case asked Oct 24 '16 18:10


2 Answers

I recommend creating an application config file. Call it config.php and include it at the top of your pages. As simple as your application appears, I'm assuming you're not using an auto loader. Include the following snippet in it:

<?php
    /**
     * File: config.php
     * This file should be included in every php script to configure the session. Like this:
     * require_once('config.php');
     */

    /*
     * This is 30 minutes. The length only depends on the requirements of 
     * your application. 
     */
    $sessionLength = 30 * 60; 
    // Keep the server-side session data for as long as the cookie lives.
    ini_set('session.gc_maxlifetime', $sessionLength);

    session_set_cookie_params($sessionLength, "/", "yourdomain.com");
    session_name('PHPSESSION'); 
    session_start(); 
    //This will force the cookie to reset with a new timeout on every page load.
    setcookie( session_name(), session_id(), time() + $sessionLength );

?>
Layton Everson answered Oct 17 '22 23:10


Based on the latest edit of your question (9), and the codebin as it stands right now (please stop editing the question and code - create a new question if it changes that much!)

Your call to login_user($email, $password) does not pass the $remember variable as expected in the declaration

function login_user($email, $password, $remember)

So it'll never set the cookie.

Tips:

  • when debugging, just type echo $remember . "<br>"; or echo "I'm Here<br>"; or echo "I'm at " . __FILE__ . "/" . __LINE__ . "<br>"; or similar in your code at various points so you know where it's tracking. You'll see that it never gets to the "setcookie" line
  • turn on ALL error reporting for debug/development purposes. error_reporting(E_ALL); and ini_set('display_errors', 'on'); as this will reveal your problem
  • If you use a cookie, don't store something easily decodable (like a base64 string, as you are doing) but store reference to a "permanent session" you save on the server. Any hacker would instantly recognize a base64 string (see those equals sign(s) at the end? - base64 is the first thing that springs to mind). I could change one letter and log in as someone else using your code.
  • There are some more tips about creating a good session system (i.e. if you're using cookies for "remember me", then you may as well not use the session_start() sessions and do it all yourself) but that then leads to suggestions you should use a library if you're not 100% sure of your logic and security - and given the base64_decode issue that's true. Hopefully your verify_password is not self-written but something commercial? Perfect for learning but have someone check over the code before launching if you want it to go live.

Good luck

(And please, don't change the question again! No one will want to help you.)

Robbie answered Oct 17 '22 23:10
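
The tip above about storing a reference to a server-side "permanent session" instead of a decodable value can be implemented with a random selector/validator token. This is an added example, not code from the question or either answer; the remember_tokens table, the function names and the in-memory SQLite database are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example: table name, function names and sample uid are hypothetical.

function remember_schema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        uid INTEGER NOT NULL, expires INTEGER NOT NULL)');
}

// Issue a token for $uid and return the opaque cookie value "selector:validator".
// Only a hash of the validator is stored, so a leaked table cannot be replayed.
function remember_issue(PDO $db, int $uid, int $ttl = 86400): string {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $uid, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Return the uid the cookie maps to, or null. A token is single-use: the row is
// deleted on every lookup, including a lookup with a wrong validator.
function remember_redeem(PDO $db, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                       // not in selector:validator form
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, uid, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                       // unknown or already used selector
    }
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $validator))
        && (int)$row['expires'] >= time();
    return $ok ? (int)$row['uid'] : null;
}

// Demo on constructed data: in-memory SQLite stands in for the CMS database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
remember_schema($db);
$cookie = remember_issue($db, 42);                  // constructed sample uid
var_dump(remember_redeem($db, $cookie));            // first use of the token
var_dump(remember_redeem($db, $cookie));            // replay of the same cookie
var_dump(remember_redeem($db, 'user@example.com')); // an email-style cookie value
```

In the login flow, the value returned by remember_issue() would be sent with setcookie() using the httponly and secure options, and logged_in() would accept a cookie only when remember_redeem() returns a uid. After a successful redeem, load the user into $_SESSION, call session_regenerate_id(true) and issue a fresh token.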