Php adding remember me function

mrtob
Posts: 1
Joined: Thu Jun 20, 2013 5:43 pm

Php adding remember me function

Post by mrtob »

Hey guys, I hope you can help me. I'm trying to add the remember me function to my login script, but it does not really work.
It creates the cookies for username and password, and if I click logout it destroys the cookies successfully.

Now comes my error: if I close the browser and reopen the page, I'm not logged in. :?:

Here are parts of the code. I removed some validation and replaced sha1 with md5 (I know, not good security :) ).
user.php, where all functions are stored:
function valid_credentials($username, $password) {
	
	$username = $username;
	$password = $password;
	
	$total = mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `username` = '$username' AND `password` = '$password'");
	
	return(mysql_result($total, 0) == '1') ? true : false;
}
init.php
<?php
session_start();
error_reporting(E_ALL);
//error_reporting(0);

require 'database/connect.php';
require 'functions/users.php';
require 'functions/general.php';


if(isset($_COOKIE['username'], $_COOKIE['password']) && isset($_SESSION['username']) === false) {
	if(valid_credentials($_COOKIE['username'], $_COOKIE['password'])) {
		
		$_SESSION['username'] = $_COOKIE['username'];
		
		setcookie('username', $_COOKIE['username'], time() + 604800);
		// the cookie already holds the md5 hash; hashing it again here would break the next check
		setcookie('password', $_COOKIE['password'], time() + 604800);
		
	}
}

$website		=	"localhost";
$firmenname		=	"firma";

$current_file = explode('/',$_SERVER['SCRIPT_NAME']);
$current_file = end($current_file);

if (logged_in() === true) {
	$session_user_id = $_SESSION['user_id'];

	$user_data = user_data($_SESSION['user_id'], 'user_id', 'username', 'password', 'first_name', 'last_name', 'email', 'password_recover', 'type', 'allow_email', 'profile', 'last_login', 'register_date');
	if (user_active($user_data['username']) === false) {
		session_destroy();
		header('Location: index.php');
		exit();
	}
	
	if ($current_file !== 'changepassword.php' && $current_file !== 'logout.php' && $user_data['password_recover'] == 1) {
		header('Location: changepassword.php?force');
		exit();
	}

}

$errors = array();
?>
login.php
<?php 
include 'core/init.php';
logged_in_redirect();

if(empty($_POST) === false) {
	$username	=	$_POST['username'];
	$password	=	$_POST['password'];

	if (empty($username) === true || empty($password) === true) {
		$errors[] = 'Sie müssen ein Benutzername und ein Passwort eingeben';
	} else if (user_exists($username) === false) {
		$errors[] = 'Wir können den Benutzer nicht finden. Haben Sie sich registriert?';
	} else if (user_active($username) === false) {
		$errors[] = 'Sie haben ihr account noch nicht aktiviert!';
	} else {
		
		if (strlen($password) > 32) {
			$errors[] = 'Passwort ist zu lang!';
		}
		
		$login = login($username, $password);
		if ($login === false) {
			$errors[] = 'Keine Übereinstimmung der eingebenen "E-Mail-Adresse" und/oder dem "Passwort".';
		} else {
				
			if(isset($_POST['set_cookie']) && $_POST['set_cookie'] == '1') {
				setcookie('username', $_POST['username'], time() + 604800);
				setcookie('password', md5($_POST['password']), time() + 604800);
			}

			$_SESSION['user_id'] = $login;
			
			header('Location: index.php');
			exit();
		}
	}
} else {
	$errors[] = 'Keine Daten erhalten';	
}
include 'includes/overall/header.php';
if (empty($errors) === false) {
?>
	<h2>Wir versuchten Sie anzumelden aber, ...</h2>
<?php
	echo output_errors($errors);
}

logout.php
<?php 
session_start();
include 'core/init.php';
session_destroy();

if(isset($_COOKIE['username'], $_COOKIE['password'])) {
	setcookie('username', '', time());
	setcookie('password', '', time());
}
header('Location: index.php');
?>
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

Re: Php adding remember me function

Post by FrederickGeek8 »

I'm not really sure why the remember me function was ever part of Jacek's tutorial series; if anything, I think it could be a potential security issue. What I think the intent was, was that the user would have the cookie, therefore staying logged in longer than using the standard issue $_SESSION.

If you really want the script to "Remember You", though it poses a security threat, remove
if(isset($_COOKIE['username'], $_COOKIE['password'])) {
        setcookie('username', '', time());
        setcookie('password', '', time());
}
from the logout page

Also, storing the password, even if it is hashed, is incredibly unsafe. If you are going to store it, use the crypt function with SHA_512. It is a lot more secure (though a bit trickier to use).
With crypt enabled, the valid_credentials function would look something like this:
function valid_credentials($username, $password) {
       
        $username = mysql_real_escape_string(htmlentities($username));
        $password = urlencode($password);
       
        // mysql_result() needs a result resource, so the query has to be executed first
        $sql = "SELECT `password` FROM `users` WHERE `user_name` = '{$username}'";
        $hash = mysql_result(mysql_query($sql), 0);

        // crypt() with the stored hash as the salt reproduces that hash only if the password matches
        if(crypt($password, $hash) == $hash){
                return true;
        }else{
               return false;
        }
}
Also, even if you do not want to use crypt, please, please, please use mysql_real_escape_string and htmlentities to sanitize anything that goes into the database.
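As an added example (not FrederickGeek8's code and not part of the tutorial series the thread refers to), here is a valid_credentials() that uses a prepared statement and PHP's password_hash()/password_verify() instead of manual escaping and a hand-rolled crypt() comparison. password_verify() also accepts the crypt() SHA-512 format ($6$...) mentioned above, so existing hashes in that format keep working. It assumes PHP 7.3 or later, a PDO connection in $pdo, and a users table with user_id, username and password columns, as in the thread.

```php
<?php
// Added example: credential check with a bound parameter and a salted hash.
// Assumptions: $pdo is an existing PDO connection; table `users` has
// `user_id`, `username` and `password` (the hash) columns.

// At registration (or password change): store a salted hash, never the
// password itself and never a bare md5/sha1 of it.
function hash_password_for_storage(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns the user_id on success, or null on failure. Because the username
// is bound as a parameter, quotes or SQL fragments inside it are just data,
// so no mysql_real_escape_string()/htmlentities() is needed here;
// htmlentities() belongs where the value is printed into HTML.
function valid_credentials(PDO $pdo, string $username, string $password): ?int {
    $stmt = $pdo->prepare('SELECT user_id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: run a verify against a throwaway hash anyway so the
        // response time does not reveal whether the username exists.
        static $dummy = null;
        if ($dummy === null) {
            $dummy = password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummy);
        return null;
    }

    if (!password_verify($password, $row['password'])) {
        return null;
    }

    // If the stored hash uses an older scheme (for example crypt() SHA-512),
    // rewrite it with the current default while the password is available.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password = ? WHERE user_id = ?');
        $upd->execute([hash_password_for_storage($password), $row['user_id']]);
    }

    return (int) $row['user_id'];
}
```

Returning the user_id rather than true/false lets login.php store it straight into $_SESSION['user_id'], which is what the original init.php's logged_in() path reads.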
Helx
Posts: 350
Joined: Thu May 17, 2012 6:45 am
Location: Auckland, New Zealand

Re: Php adding remember me function

Post by Helx »

Why are you saving the password in a cookie?
You shouldn't need to store the password once they're authenticated.
ExtremeGaming
Posts: 205
Joined: Mon Jul 09, 2012 11:13 pm

Re: Php adding remember me function

Post by ExtremeGaming »

Cookies are user-editable. If you don't encode the username cookie somehow when setting it (of course, able to decode as well), then accounts can be compromised.
<?php while(!$succeed = try()); ?>
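Helx's point (nothing about the password needs to survive authentication) and ExtremeGaming's point (anything in a cookie can be edited by the user) are both addressed by a remember-me cookie that carries only a random token. The following is an added example, not code from any poster or from the tutorial the thread follows. It assumes PHP 7.3 or later, a PDO connection in $pdo, and a constructed auth_tokens table (selector, validator_hash, user_id, expires); the cookie and constant names are invented for the example.

```php
<?php
// Added example: remember-me via a selector/validator token.
// The cookie holds  selector:validator . The database stores the selector
// (lookup key) and only a SHA-256 hash of the validator, so a copied table
// cannot be turned into working cookies, and an edited cookie fails the
// constant-time comparison. Assumed schema (constructed):
//   auth_tokens(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//               user_id INT, expires INT)

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 7 * 24 * 3600;   // one week, like the original 604800

// Call after a successful password login when the "remember me" box was ticked.
function issue_remember_cookie(PDO $pdo, int $userId): void {
    $selector  = bin2hex(random_bytes(12));   // 24 hex chars, row lookup key
    $validator = bin2hex(random_bytes(32));   // secret part, lives only in the cookie
    $expires   = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare(
        'INSERT INTO auth_tokens (selector, validator_hash, user_id, expires)
         VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Returns the user id the cookie proves, or null if the cookie is missing,
// malformed, expired or forged. Any failure also removes the cookie.
function user_id_from_remember_cookie(PDO $pdo): ?int {
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        clear_remember_cookie($pdo, null);
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare(
        'SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals() runs in constant time, so guessing validators gives no
    // timing signal; the expiry is checked in PHP to stay database-agnostic.
    if ($row === false
        || (int) $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        clear_remember_cookie($pdo, $selector);
        return null;
    }
    return (int) $row['user_id'];
}

// Used by logout and on failure: drop the server-side token, expire the cookie.
function clear_remember_cookie(PDO $pdo, ?string $selector): void {
    if ($selector !== null) {
        $pdo->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    }
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Replacement for the cookie block in init.php: only consulted when there is
// no session yet, and it fills $_SESSION['user_id'], which logged_in() reads.
function restore_session_from_cookie(PDO $pdo): void {
    if (!isset($_SESSION['user_id'])) {
        $userId = user_id_from_remember_cookie($pdo);
        if ($userId !== null) {
            session_regenerate_id(true);   // fresh id for the restored session
            $_SESSION['user_id'] = $userId;
        }
    }
}
```

The token is single-purpose: it proves possession of a cookie the server issued, nothing more, so the user's password never leaves the login form and a stolen cookie can be revoked by deleting one row.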
FrederickGeek8
Posts: 148
Joined: Wed Nov 30, 2011 10:31 pm

Re: Php adding remember me function

Post by FrederickGeek8 »

Tip: Stop using cookies and just extend the $_SESSION time
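To show what "extend the $_SESSION time" involves in practice, here is an added example (not the poster's code) for the top of init.php. The lifetimes are assumptions chosen to match the week-long cookies in the original script; it requires PHP 7.3 or later for the options-array form of session_set_cookie_params().

```php
<?php
// Added example: long-lived sessions without storing anything sensitive in
// a cookie. Replace the bare session_start() in init.php with
// start_long_session(). Lifetimes are illustrative assumptions.

const SESSION_LIFETIME = 7 * 24 * 3600;  // one week, matching the original cookies
const IDLE_TIMEOUT     = 2 * 3600;       // end the session after two idle hours

function start_long_session(): void {
    // The server must keep session data at least as long as the cookie lives;
    // otherwise the cookie survives but the data behind it is garbage-collected
    // and the user is silently logged out.
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never take the id from the URL

    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // The cookie lifetime counts from when it was set, not from the last
    // request, so an inactivity timeout has to be enforced here.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        session_start();   // strict mode discards the old id and issues a new one
    }
    $_SESSION['last_activity'] = time();
}

// Call after a successful password check: a new id prevents session fixation.
function on_successful_login(int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['logged_in_at'] = time();
}

// Complete logout: clear data, expire the session cookie, destroy the record.
function full_logout(): void {
    $_SESSION = [];
    $params = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $params['path'],
        'domain'   => $params['domain'],
        'secure'   => $params['secure'],
        'httponly' => $params['httponly'],
        'samesite' => $params['samesite'],
    ]);
    session_destroy();
}
```

With this in place, login.php only needs on_successful_login($login) and logout.php only needs full_logout(); no username or password cookie exists to be edited or stolen.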