Php adding remember me function

[mrtob]

hey guys i hope you can help me i trying to add the remember me function to my login script but it do not really work.
It creates the cookies for username and passsword and if i click logout it destroys the cookies succesfully.

Now come my error if i close the broswer and reopen the page i´m not logged in.

here are parts of code. i removed some validation and replaced sha1 with md5 (I know not good security )
user.php where all function are stored
[syntax=php]
function valid_credentials($username, $password) {

$username = $username;
$password = $password;

$total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");

return(mysql_result($total, 0) == '1') ? true : false;
}
[/syntax]

init.php
[syntax=php]
<?php
session_start();
error_reporting(E_ALL);
//error_reporting(0);

require 'database/connect.php';
require 'functions/users.php';
require 'functions/general.php';


if(isset($_COOKIE['username'], $_COOKIE['password']) && isset($_SESSION['username']) === false) {
if(valid_credentials($_COOKIE['username'], $_COOKIE['password'])) {

$_SESSION['username'] = $_COOKIE['username'];

setcookie('username', $_COOKIE['username'], time() + 604800);
setcookie('password', md5($_COOKIE['password']), time() + 604800);

}
}

$website = "localhost";
$firmenname = "firma";

$current_file = explode('/',$_SERVER['SCRIPT_NAME']);
$current_file = end($current_file);

if (logged_in() === true) {
$session_user_id = $_SESSION['user_id'];

$user_data = user_data($_SESSION['user_id'], 'user_id', 'username', 'password', 'first_name', 'last_name', 'email', 'password_recover', 'type', 'allow_email', 'profile', 'last_login', 'register_date');
if (user_active($user_data['username']) === false) {
session_destroy();
header('Location: index.php');
exit();
}

if ($current_file !== 'changepassword.php' && $current_file !== 'logout.php' && $user_data['password_recover'] == 1) {
header('Location: changepassword.php?force');
exit();
}

}

$errors = array();
?>
[/syntax]

login.php
[syntax=php]
<?php
include 'core/init.php';
logged_in_redirect();

if(empty($_POST) === false) {
$username = $_POST['username'];
$password = $_POST['password'];

if (empty($username) === true || empty($password) === true) {
$errors[] = 'Sie müssen ein Benutzername und ein Passwort eingeben';
} else if (user_exists($username) === false) {
$errors[] = 'Wir können den Benutzer nicht finden. Haben Sie sich registriert?';
} else if (user_active($username) === false) {
$errors[] = 'Sie haben ihr account noch nicht aktiviert!';
} else {

if (strlen($password) > 32) {
$errors[] = 'Passwort ist zu lang!';
}

$login = login($username, $password);
if ($login === false) {
$errors[] = 'Keine Übereinstimmung der eingebenen "E-Mail-Adresse" und/oder dem "Passwort".';
} else {

if(isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1') {
setcookie('username', $_POST['username'], time() + 604800);
setcookie('password', md5($_POST['password']), time() + 604800);
}

$_SESSION['user_id'] = $login;

header('Location: index.php');
exit();
}
}
} else {
$errors[] = 'Keine Daten erhalten';
}
include 'includes/overall/header.php';
if (empty($errors) === false) {
?>
<h2>Wir versuchten Sie anzumelden aber, ...</h2>
<?php
echo output_errors($errors);
}

[/syntax]

logout.php
[syntax=php]
<?php
session_start();
include 'core/init.php';
session_destroy();

if(isset($_COOKIE['username'], $_COOKIE['password'])) {
setcookie('username', '', time());
setcookie('password', '', time());
}
header('Location: index.php');
?>
[/syntax]

[FrederickGeek8]

I'm not really sure why the remember me function was ever part of Jaceks tutorial series; if anything I think it could be a potential security issue. What I think the intent was, was that the user would have the cookie, therefore staying logged in longer than using the standard issue $_SESSION.

If you really want the script to "Remember You", though it poses a security threat, remove
[syntax=php]if(isset($_COOKIE['username'], $_COOKIE['password'])) {
setcookie('username', '', time());
setcookie('password', '', time());
}[/syntax]
from the logout page

Also storing the password, even if it is hashed, is incredibly unsafe. If you are going to store it, use the crypt function with SHA_512. It is a lot more secure (though a bit trickier to use)
With the crypt enabled the valid_credentials function would look something like this
[syntax=php]function valid_credentials($username, $password) {

$username = mysql_real_escape_string(htmlentities($username));
$password = urlencode($password);

$sql = "SELECT `password` FROM `users` WHERE `user_name` = '{$username}'";
$sql = mysql_result($sql, 0);

if(crypt($password, $sql) == $sql){
return true;
}else{
return false;
}
}[/syntax]

Also also, even if you do not want to use crypt, please, please, please, use mysql_real_escape_string and htmlentities to sanitize anything that goes into the database

[Helx]

Why are you saving the password in a cookie?
You shouldn't need to store the password once they're authenticated.

[ExtremeGaming]

Cookies are user editable. If you don't encode the username cookie somehow when setting it (of course able to decode as well) then accounts can be compromised.

[FrederickGeek8]

Tip: Stop using cookies and just extend the $_SESSION time