Hey guys, I hope you can help me. I'm trying to add the remember-me function to my login script, but it does not really work.
It creates the cookies for username and password, and if I click logout it destroys the cookies successfully.
Now comes my error: if I close the browser and reopen the page, I'm not logged in.
Here are parts of the code. I removed some validation and replaced sha1 with md5 (I know, not good security).
user.php, where all functions are stored
[syntax=php]
// Returns true when exactly one row matches. $password must already be the
// stored hash (md5 here, sha1 in the original): init.php passes the cookie
// value straight in, so it must not be hashed again inside this function.
function valid_credentials($username, $password) {
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
    return ($total !== false && mysql_result($total, 0) == '1');
}
[/syntax]
init.php
[syntax=php]
<?php
session_start();
error_reporting(E_ALL);
//error_reporting(0);
require 'database/connect.php';
require 'functions/users.php';
require 'functions/general.php';
// Remember-me: both cookies present but no session yet. logged_in() tests
// $_SESSION['user_id'], so that is the key to set (the original set 'username').
if (isset($_COOKIE['username'], $_COOKIE['password']) && isset($_SESSION['user_id']) === false) {
    if (valid_credentials($_COOKIE['username'], $_COOKIE['password'])) {
        $id_result = mysql_query("SELECT `user_id` FROM `users` WHERE `username` = '" . mysql_real_escape_string($_COOKIE['username']) . "'");
        $_SESSION['user_id'] = (int) mysql_result($id_result, 0);
        // Re-issue the cookies unchanged. The password cookie already holds the
        // md5 hash; the original wrapped it in md5() again on every visit, so
        // after the first browser restart the cookie no longer matched the database.
        setcookie('username', $_COOKIE['username'], time() + 604800);
        setcookie('password', $_COOKIE['password'], time() + 604800);
    }
}
$website = "localhost";
$firmenname = "firma";
$current_file = explode('/', $_SERVER['SCRIPT_NAME']);
$current_file = end($current_file);
if (logged_in() === true) {
    $session_user_id = $_SESSION['user_id'];
    $user_data = user_data($_SESSION['user_id'], 'user_id', 'username', 'password', 'first_name', 'last_name', 'email', 'password_recover', 'type', 'allow_email', 'profile', 'last_login', 'register_date');
    if (user_active($user_data['username']) === false) {
        session_destroy();
        header('Location: index.php');
        exit();
    }
    if ($current_file !== 'changepassword.php' && $current_file !== 'logout.php' && $user_data['password_recover'] == 1) {
        header('Location: changepassword.php?force');
        exit();
    }
}
$errors = array();
?>
[/syntax]
login.php
[syntax=php]
<?php
include 'core/init.php';
logged_in_redirect();
if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'You must enter a username and a password';
    } else if (user_exists($username) === false) {
        $errors[] = 'We cannot find that user. Have you registered?';
    } else if (user_active($username) === false) {
        $errors[] = 'You have not activated your account yet!';
    } else if (strlen($password) > 32) {
        // The original recorded this error but still went on to call login(); stop here instead.
        $errors[] = 'Password is too long!';
    } else {
        $login = login($username, $password);
        if ($login === false) {
            $errors[] = 'The "e-mail address" and/or "password" entered do not match.';
        } else {
            if (isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1') {
                // Stores the md5 of the password; init.php compares that value with the database directly.
                setcookie('username', $_POST['username'], time() + 604800);
                setcookie('password', md5($_POST['password']), time() + 604800);
            }
            $_SESSION['user_id'] = $login;
            header('Location: index.php');
            exit();
        }
    }
} else {
    $errors[] = 'No data received';
}
include 'includes/overall/header.php';
if (empty($errors) === false) {
?>
<h2>We tried to log you in, but ...</h2>
<?php
    echo output_errors($errors);
}
[/syntax]
logout.php
[syntax=php]
<?php
include 'core/init.php';   // init.php already calls session_start(); calling it twice raises a notice
session_destroy();
if (isset($_COOKIE['username'], $_COOKIE['password'])) {
    // Expire the cookies in the past; an expiry of exactly time() can leave them alive on a client with a slow clock.
    setcookie('username', '', time() - 3600);
    setcookie('password', '', time() - 3600);
}
header('Location: index.php');
exit();
?>
[/syntax]
Php adding remember me function
- FrederickGeek8
- Posts: 148
- Joined: Wed Nov 30, 2011 10:31 pm
Re: Php adding remember me function
I'm not really sure why the remember-me function was ever part of Jacek's tutorial series; if anything, I think it could be a potential security issue. What I think the intent was, was that the user would have the cookie, therefore staying logged in longer than using the standard-issue $_SESSION.
If you really want the script to "Remember You", though it poses a security threat, remove
[syntax=php]if(isset($_COOKIE['username'], $_COOKIE['password'])) {
setcookie('username', '', time());
setcookie('password', '', time());
}[/syntax]
from the logout page
Also, storing the password, even if it is hashed, is incredibly unsafe. If you are going to store it, use the crypt function with SHA-512. It is a lot more secure (though a bit trickier to use).
With crypt enabled, the valid_credentials function would look something like this:
[syntax=php]function valid_credentials($username, $password) {
    $username = mysql_real_escape_string(htmlentities($username));
    // The password goes to crypt() exactly as typed; it must match what registration hashed.
    // (The original urlencode()d it first, which would never verify against a plain hash.)
    $result = mysql_query("SELECT `password` FROM `users` WHERE `user_name` = '{$username}'");
    if ($result === false || mysql_num_rows($result) !== 1) {
        return false;
    }
    $stored = mysql_result($result, 0);
    // crypt() reads the scheme, rounds and salt from the stored hash, so the
    // two strings are directly comparable.
    return crypt($password, $stored) === $stored;
}[/syntax]
Also also, even if you do not want to use crypt, please, please, please use mysql_real_escape_string and htmlentities to sanitize anything that goes into the database.
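An added example, not code from the thread or from Jacek's tutorial: how the crypt() SHA-512 scheme recommended in the reply above is actually used, with a fresh random salt per password, an explicit round count and a constant-time comparison. The function names are mine; it assumes PHP 5.3.2 or later (for CRYPT_SHA512) with the OpenSSL extension on builds older than 7.0. On PHP 5.5+ password_hash() and password_verify() do the same job with less to get wrong.

```php
<?php
// Added example, not from the thread. Password storage with crypt()'s SHA-512
// scheme ("$6$"): a random 16-character salt per password, a configurable
// round count, and a constant-time check. Assumes PHP >= 5.3.2 with OpenSSL.

function sha512_crypt_hash($password, $rounds = 100000) {
    // The $6$ salt alphabet is [./0-9A-Za-z]: 64 symbols, so byte mod 64 is unbiased.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $raw = function_exists('random_bytes') ? random_bytes(16) : openssl_random_pseudo_bytes(16);
    $salt = '';
    for ($i = 0; $i < 16; $i++) {
        $salt .= $alphabet[ord($raw[$i]) % 64];
    }
    $hash = crypt($password, '$6$rounds=' . (int) $rounds . '$' . $salt . '$');
    // crypt() signals an unsupported scheme with a string shorter than 13 chars ("*0", "*1").
    if (strlen($hash) < 13) {
        throw new RuntimeException('CRYPT_SHA512 is not available on this build');
    }
    return $hash;
}

function sha512_crypt_verify($password, $stored) {
    // Passing the stored hash as the setting string makes crypt() reuse its
    // scheme, rounds and salt, so the result is comparable byte for byte.
    $candidate = crypt($password, $stored);
    if (function_exists('hash_equals')) {          // PHP >= 5.6
        return hash_equals($stored, $candidate);
    }
    // Fallback constant-time compare for older PHP.
    if (strlen($stored) !== strlen($candidate)) {
        return false;
    }
    $diff = 0;
    for ($i = 0, $n = strlen($stored); $i < $n; $i++) {
        $diff |= ord($stored[$i]) ^ ord($candidate[$i]);
    }
    return $diff === 0;
}

// Constructed walk-through: what registration would store, then what login checks.
$stored = sha512_crypt_hash('correct horse battery staple');
var_dump(sha512_crypt_verify('correct horse battery staple', $stored));
var_dump(sha512_crypt_verify('Correct horse battery staple', $stored));
```

Run from the command line the first var_dump is true and the second false; the stored string starts with `$6$rounds=100000$` followed by the salt, which is why the verify function needs nothing but the password and that string. The round count is the knob that makes offline guessing expensive; raise it until a hash takes a noticeable fraction of a second on your server.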
Re: Php adding remember me function
Why are you saving the password in a cookie?
You shouldn't need to store the password once they're authenticated.
- Posts: 205
- Joined: Mon Jul 09, 2012 11:13 pm
Re: Php adding remember me function
Cookies are user-editable. If you don't encode the username cookie somehow when setting it (while of course being able to decode it as well), then accounts can be compromised.
<?php while(!$succeed = try()); ?>
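The two replies above come down to one design: a remember-me cookie should carry a random token, never the password or the username, and the server should be able to tell a forged cookie from a merely stale one. The example below is added here and is not code from the thread or from Jacek's tutorial. It uses the common selector/validator split: the selector is a public lookup key, the validator is a secret of which only a hash is stored, so a leaked `auth_tokens` table cannot be replayed, and a guessed validator presented with a real selector is detected and burns that token. The table name, column names and the `remember` cookie name are assumptions; the database is in-memory SQLite through PDO so the script runs offline, and it assumes PHP 5.6 or later for hash_equals() (random_bytes() on 7.0+).

```php
<?php
// Added example, not from the thread. Remember-me tokens that never contain the
// password: cookie = selector:validator, DB row = selector, sha256(validator),
// user_id, expiry. Table, column and cookie names are assumptions for this example.

function random_hex($bytes) {
    $raw = function_exists('random_bytes') ? random_bytes($bytes) : openssl_random_pseudo_bytes($bytes);
    return bin2hex($raw);
}

function token_db() {
    // In-memory SQLite stands in for the thread's MySQL table so this runs offline.
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE auth_tokens (
                 selector       TEXT PRIMARY KEY,
                 validator_hash TEXT NOT NULL,
                 user_id        INTEGER NOT NULL,
                 expires        INTEGER NOT NULL)');
    return $db;
}

// On successful login with the box ticked: store the row, return the cookie value.
function issue_remember_token(PDO $db, $user_id, $ttl = 604800) {
    $selector  = random_hex(9);    // public lookup key
    $validator = random_hex(32);   // secret; only its hash is stored
    $stmt = $db->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute(array($selector, hash('sha256', $validator), (int) $user_id, time() + $ttl));
    return $selector . ':' . $validator;
}

// From init.php when there is a cookie but no session. Returns user_id or false.
function check_remember_token(PDO $db, $cookie) {
    if (!is_string($cookie) || substr_count($cookie, ':') !== 1) {
        return false;
    }
    list($selector, $validator) = explode(':', $cookie, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute(array($selector));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < time()) {
        return false;                                   // unknown or stale
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Correct selector, wrong validator: the cookie was forged or tampered with,
        // not merely stale. Burn the token so the genuine copy dies with it.
        revoke_remember_token($db, $cookie);
        return false;
    }
    return (int) $row['user_id'];
}

// From logout.php: delete server side, then expire the cookie in the browser.
function revoke_remember_token(PDO $db, $cookie) {
    if (is_string($cookie) && strpos($cookie, ':') !== false) {
        $selector = substr($cookie, 0, strpos($cookie, ':'));
        $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute(array($selector));
    }
}

// Where this plugs into the thread's scripts (cookie args: path, domain, secure, httponly):
//   login.php : setcookie('remember', issue_remember_token($db, $login), time() + 604800, '/', '', true, true);
//   init.php  : if (!isset($_SESSION['user_id']) && isset($_COOKIE['remember'])) {
//                   $uid = check_remember_token($db, $_COOKIE['remember']);
//                   if ($uid !== false) { session_regenerate_id(true); $_SESSION['user_id'] = $uid; }
//               }
//   logout.php: revoke_remember_token($db, $_COOKIE['remember']);
//               setcookie('remember', '', time() - 3600, '/');

// Constructed walk-through on the command line.
$db     = token_db();
$cookie = issue_remember_token($db, 42);
var_dump(check_remember_token($db, $cookie));           // the genuine cookie
$forged = strtok($cookie, ':') . ':' . str_repeat('0', 64);
var_dump(check_remember_token($db, $forged));           // same selector, guessed validator
var_dump(check_remember_token($db, $cookie));           // genuine cookie after the forgery attempt
```

The walk-through returns 42 for the genuine cookie, false for the forgery, and false again for the genuine cookie afterwards because the forgery attempt deleted the row. Two details carry the security: the validator is only ever compared through hash_equals() against its hash, so neither timing nor a database dump gives it away, and the session id is regenerated when the token logs someone in, so an attacker who planted a session cookie before the victim returned does not inherit the authenticated session.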
- FrederickGeek8
- Posts: 148
- Joined: Wed Nov 30, 2011 10:31 pm
Re: Php adding remember me function
Tip: Stop using cookies and just extend the $_SESSION time