how to create a secure php login system, allowing for "keep me logged in" functionality?

I use a simple login system based on SESSION vars. Once the user logs in, a session var is set that tells my script the user is to be accepted in. I don't use any custom client-side cookie var.

I would like to offer the option on the login screen that says "keep me logged in the whole day". How does one do that in a secure way?

asked by pixeline, Dec 18 '09 16:12



1 Answer

First: Configure the session.cookie_lifetime directive, either in php.ini, configuration files, or via session_set_cookie_params().

Next, store the username and the hash value of the password in the session, and validate that login on every page. As long as it's still valid, they get to stay logged in.

The session cookie's natural expiration should generally keep things tidy, as you won't have anyone getting logged out in the middle of their session (if the stars aligned for it, of course) if they keep it active. Failing that, though, I'd consider eCartoth's solution a close second, as you could just add a second line to the if statement:

// session_start() must already have run so $_SESSION is populated
if (my_validate_user_function($_SESSION['username'], $_SESSION['passhash'])
    && $_SESSION['deathstamp'] > time()
) {
    // user is logged in again, oh boy!
}
else {
    // send in the death robots
    header('Location: /login.php', true, 302);
    exit; // stop here, otherwise the protected page body is still sent after the redirect
}

EDIT: One thing you might want to consider is session fixation and/or session hijacking. In order to prevent that, I'd recommend one (or both) of two solutions:

  1. store the user's IP address in the session
  2. use session_regenerate_id() after every successful login attempt.
answered by Dereleased, Oct 04 '22 19:10
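An added example in PHP, not code from Dereleased's answer, that wires the pieces above together: the session cookie lifetime set via session_set_cookie_params(), a deathstamp in the session, session_regenerate_id() on every successful login, and the stored-IP check. It assumes PHP 7.3 or later (array form of session_set_cookie_params()), a constructed $users map standing in for a real user table, a hypothetical login.php, and an assumed 30-minute window when the box is not ticked.

```php
<?php
// Added example, not code from the original answer. $users stands in for a
// real user table and holds password_hash() output, never the plaintext.
const DAY_SECONDS     = 86400;
const DEFAULT_SECONDS = 1800;   // assumed idle window when the box is not ticked

// Constructed sample store: username => password hash.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

// Verifies the credentials and opens the session. Must run before any output.
function start_login_session(string $user, string $pass, bool $keep, array $users): bool
{
    if (!isset($users[$user]) || !password_verify($pass, $users[$user])) {
        return false;                       // unknown user or wrong password
    }
    // Cookie lives a whole day only when "keep me logged in" was ticked;
    // lifetime 0 means a browser-session cookie. Requires PHP 7.3+ array form.
    session_set_cookie_params([
        'lifetime' => $keep ? DAY_SECONDS : 0,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
    session_regenerate_id(true);            // new ID on login: blocks session fixation
    $_SESSION['username']   = $user;
    $_SESSION['deathstamp'] = time() + ($keep ? DAY_SECONDS : DEFAULT_SECONDS);
    $_SESSION['ip']         = $_SERVER['REMOTE_ADDR'] ?? '';   // hijack check below
    return true;
}

// Call at the top of every protected page; redirects to login.php when invalid.
function require_login(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $valid = isset($_SESSION['username'], $_SESSION['deathstamp'], $_SESSION['ip'])
        && $_SESSION['deathstamp'] > time()
        && hash_equals($_SESSION['ip'], $_SERVER['REMOTE_ADDR'] ?? '');
    if (!$valid) {                          // expired, or IP changed (this also logs
        $_SESSION = [];                     // out users whose address legitimately moves)
        session_destroy();
        header('Location: /login.php', true, 302);
        exit;                               // never render the protected page
    }
}
```

On login.php, call start_login_session() with the posted username, password and isset($_POST['keep_logged_in']) before any output and redirect on the result; every protected page calls require_login() as its first statement.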