I use a simple login system based on SESSION vars. Once the user logs in, a session var is set that tells my script the user is to be accepted in. I don't use any custom clientside cookie var.
I would like to offer the option on the login screen that says "keep me logged in the whole day". How does one do that in a secure way?
First: Configure the session.cookie_lifetime directive, either in php.ini, configuration files, or via session_set_cookie_params().
Next, store the username and the hash value of the password in the session, and validate that login on every page. As long as it's still valid, they get to stay logged in.
The session cookie's natural expiration should generally keep things tidy, as you won't have anyone getting logged out in the middle of their session (if the stars aligned for it, of course) if they keep it active. Failing that, though, I'd consider eCartoth's solution a close second, as you could just add a second line to the if statement:
<?php
session_start(); // the session must be open before $_SESSION is readable

if (my_validate_user_function($_SESSION['username'], $_SESSION['passhash'])
    && $_SESSION['deathstamp'] > time()
) {
    // user is logged in again, oh boy!
}
else {
    // send in the death robots
    header('Location: /login.php', true, 302);
    exit; // without this the rest of the page is still served after the redirect header
}
EDIT: One thing you might want to consider is session fixation and/or session hijacking. In order to prevent that, I'd recommend one (or both) of two solutions:
session_regenerate_id() after every successful login attempt.
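The steps of the answer above carried through as one file: cookie lifetime set via session_set_cookie_params(), session contents checked on every page against a deathstamp, and session_regenerate_id() after login. This is an added example, not the answer's own code. It differs from the answer in one respect: it stores only the username and the deathstamp in the session, not the password hash. The lookup_password_hash() table, the IDLE_SECONDS value and the form field names user_name, password and remember are assumptions.

```php
<?php
// Added example, not code from the original answer: a "keep me logged in for
// a day" flow built only on PHP sessions. lookup_password_hash() and the form
// field names user_name / password / remember are assumptions.
declare(strict_types=1);

const DAY_SECONDS  = 86400;   // "the whole day"
const IDLE_SECONDS = 1800;    // assumed idle limit when the box is not ticked

// Constructed stand-in for the user table so the file runs on its own;
// replace with a database lookup. Returns the password_hash() value or null.
function lookup_password_hash(string $username): ?string
{
    static $users = null;
    $users ??= ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
    return $users[$username] ?? null;
}

// Call before any output on every page. $remember only matters on the login
// POST: PHP sends the cookie when the id is created or regenerated, so the
// expiry chosen at login time is what the browser keeps.
function start_session(bool $remember = false): void
{
    // The browser drops the cookie after 'lifetime' seconds (0 = when the
    // browser closes), but the server also discards the session data after
    // session.gc_maxlifetime, so both must cover the day.
    ini_set('session.gc_maxlifetime', (string) DAY_SECONDS);
    // Reject session ids the server never issued (fixation defence).
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => $remember ? DAY_SECONDS : 0,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login(string $username, string $password, bool $remember): bool
{
    $hash = lookup_password_hash($username);
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh id after authentication so an id planted before login is useless;
    // this also resends the cookie with the lifetime chosen in start_session().
    session_regenerate_id(true);
    $_SESSION['username']   = $username;
    $_SESSION['deathstamp'] = time() + ($remember ? DAY_SECONDS : IDLE_SECONDS);
    return true;
}

// Include on every protected page after start_session(); returns the username
// or redirects to the login form.
function require_login(): string
{
    $alive = !empty($_SESSION['username'])
        && isset($_SESSION['deathstamp'])
        && $_SESSION['deathstamp'] > time();
    if (!$alive) {
        logout();
        header('Location: /login.php', true, 302);
        exit;
    }
    return $_SESSION['username'];
}

function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the cookie in the browser as well as destroying the server data.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// login.php: the form posts user_name, password and the remember checkbox.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $remember = isset($_POST['remember']);
    start_session($remember);
    $ok = login((string) ($_POST['user_name'] ?? ''), (string) ($_POST['password'] ?? ''), $remember);
    if ($ok) {
        header('Location: /index.php', true, 303);
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

Two things the answer leaves implicit are handled here: session.gc_maxlifetime must cover the day as well as the cookie lifetime, or the server throws the session data away long before the cookie expires; and because PHP only resends the cookie when the id is created or regenerated, the id is regenerated only at login, where the remember flag is known, otherwise a later regeneration on another page would replace the day-long cookie with a browser-session one. Requires PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie().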