PHP Autologin function to login script

How would I introduce an autologin function for this script?

    <?php
    session_start();
    // POST values are interpolated straight into the query here
    $result = mysql_query("SELECT id FROM users WHERE username = '{$_POST['username']}' AND password = '{$_POST['password']}'");
    if (isset($_POST['savelogin'])) {
        // the original set both cookies under the same name "SaveLogin", so the second call
        // overwrote the first; distinct names keep both values
        setcookie("SaveLoginUser", $_POST['username'], time() + 3600);
        setcookie("SaveLoginPass", $_POST['password'], time() + 3600);
    }
    if (mysql_num_rows($result) == 0) {
        exit('wrong username/password');
    } else {
        $_SESSION['id'] = mysql_result($result, 0, 'id');
        header("Location: ./");
    }
    ?>
    <form method="post">
        Username: <input type="text" name="username" size="22" /><br>
        Password: <input type="password" name="password" size="22" /><br>
        <br>
        Autologin? <input type="checkbox" name="savelogin" />
        <input type="submit" value="Login" />
    </form>

This is how far I got. Save username and password. But how do I do this to auto-login?

+4
3 answers

First of all, you do not want to save your username and password in a cookie. It is a bad idea.

A simple approach could be:

1) Create a new field in the user table in which the MD5 hash is stored. You can call it session_key.
2) When you submit the page, the script should do the following.

  • Confirm username and password
  • If this is a good username and password pair, check the saveLogin variable
  • If the saveLogin variable is set, generate md5 and save it in the database. Also save this md5 in a cookie. Make sure the database table also has a field for the expiration of the cookie.
  • Create the necessary session data.
  • Redirect to ./

3) On the ./ page, do the following:

  • Check if the session exists. If so, draw the page.
  • If the session does not exist, check the cookie.
  • If a cookie exists, look up this session identifier in the database and verify that it has not expired. Then create a session and render the page.

This should make your application more secure. This may not be the best way to code it, but the concepts should give you an idea of how to make a fairly secure login page.

+11

This is a very unsafe automatic login method. You should never store your password anywhere in clear text.

The best strategy is as follows:

  • Submit a regular login form with a checkbox for "automatic login".
  • If the automatic login checkbox is selected, you verify the username and password as usual. If this succeeds, you can set a special cookie for automatic login.
  • Give the special cookie a name such as "autologin", and a value that contains their username and a salted md5 hash of their user data. Something like "user = username & hash = 123456xyz.etc".
  • The next time you see the user and want to log them in automatically, you check for this special cookie and verify its contents. Separate the username and hash, then retrieve the account from the database based on the username and recompute the md5 to compare with the hash from the cookie. If it is valid, you can log them in (i.e. start a new session).

+4
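The flow that answers 1 and 2 describe (a per-user secret stored in the database with an expiry, sent back in a cookie, and checked on ./ before falling back to the login form), written out as an added example that is not part of either answer. It swaps md5 for a random token whose SHA-256 hash is stored, compares with hash_equals, and assumes a PDO handle `$pdo`, a table `autologin(selector, token_hash, user_id, expires_at)` and PHP 7.3+ for the setcookie options array.

```php
<?php
// Added example: persistent-login token per answers 1 and 2 (random token, hashed in DB).
// Assumed schema: users(id, username, password_hash); autologin(selector, token_hash, user_id, expires_at).
const AUTOLOGIN_TTL = 30 * 24 * 3600;   // cookie and DB row expire after 30 days

function issue_autologin(PDO $pdo, int $userId): void {
    $selector = bin2hex(random_bytes(8));     // public lookup key, avoids scanning all tokens
    $token    = bin2hex(random_bytes(32));    // the secret; only its hash is ever stored
    $expires  = time() + AUTOLOGIN_TTL;
    $stmt = $pdo->prepare('INSERT INTO autologin (selector, token_hash, user_id, expires_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $token), $userId, date('Y-m-d H:i:s', $expires)]);
    setcookie('autologin', "$selector:$token", [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

function resume_autologin(PDO $pdo): ?int {
    if (!isset($_COOKIE['autologin']) || substr_count($_COOKIE['autologin'], ':') !== 1) {
        return null;                          // missing or malformed cookie: show the form
    }
    [$selector, $token] = explode(':', $_COOKIE['autologin'], 2);
    $stmt = $pdo->prepare('SELECT user_id, token_hash FROM autologin
                           WHERE selector = ? AND expires_at > NOW()');   // expiry checked in the DB
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals: constant-time compare, so the stored hash does not leak via timing
    if (!$row || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Usage on ./ (answer 1, step 3): prefer the session, then the cookie, else the login form.
// $pdo is an assumed, already-connected PDO handle. In the login handler, after a successful
// password_verify(), call issue_autologin($pdo, $userId) when the checkbox was ticked.
session_start();
if (!isset($_SESSION['id'])) {
    $uid = resume_autologin($pdo);
    if ($uid !== null) {
        session_regenerate_id(true);          // fresh session id on privilege change
        $_SESSION['id'] = $uid;
    }
}
```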

You should take your username, IP address and some hash (as zombat suggested), encrypt it all (possibly using Base64) and save the resulting string as your cookie. Thus, someone cannot forge or steal a cookie, because even if they did, the decrypted IP address would not match the IP address from which the request came. It is also better to use whitelists instead of dropping user input into the query.

So you get something like:

    // First see if the auto-login cookie exists and is valid:
    $all_clear = false;   // initialised so the final check never reads an unset variable
    if (isset($_COOKIE['autologin'])) {
        // whitelist of usernames that logged in within the last 30 days
        // (the original compared with '<', which selected accounts idle for more than 30 days)
        $users_query = "SELECT username FROM users WHERE last_login >= SUBDATE(CURDATE(), 30)";
        $users_results = mysql_query($users_query);
        $users = array();
        while ($row = mysql_fetch_assoc($users_results)) {
            $users[] = $row['username'];   // collect every name, not just the last one
        }
        $auto_cookie = $_COOKIE['autologin'];
        $user_creds = explode("//", base64_decode($auto_cookie));
        $user_name = isset($user_creds[0]) ? $user_creds[0] : '';
        $user_IP   = isset($user_creds[1]) ? $user_creds[1] : '';
        $user_hash = isset($user_creds[2]) ? $user_creds[2] : '';
        $username_check = in_array($user_name, $users, true);
        $userIP_check = ($user_IP === $_SERVER['REMOTE_ADDR']);   // comparison, not assignment
        $so_far_so_good = ($username_check && $userIP_check);
        if ($so_far_so_good) {
            // $user_name passed the whitelist above, so it is a known value, not raw input
            $hash_query = "SELECT hash FROM userhash WHERE username = '$user_name'";
            $hash_results = mysql_query($hash_query);
            if (mysql_num_rows($hash_results) > 0) {
                $all_clear = ($user_hash == mysql_result($hash_results, 0));
            }
        }
    }

    // Checks Login Data:
    if ($_POST) {
        $users_query = "SELECT username FROM users";
        $users_results = mysql_query($users_query);
        $users = array();
        while ($row = mysql_fetch_assoc($users_results)) {
            $users[] = $row['username'];
        }
        $user_name = isset($_POST['username']) ? $_POST['username'] : '';
        $username_check = in_array($user_name, $users, true);
        $password_check = password_check();   // placeholder left by the author; implement for your site
        // I do not feel comfortable enough with encryption and authentication to suggest
        // a method here. Suffice to say, you should have a strong password check system.
        $all_clear = ($username_check && $password_check);
        // You should only throw a log in error when they have attempted a login. Do not
        // give hints at your authentication methods in auto-login section.
        $set_cookie = ($all_clear && !empty($_POST['set-auto']));
        if ($set_cookie) {
            $new_hash = hash_maker();   // placeholder; again, look to the others for best hashing technique.
            $raw_cookie_data = $user_name . "//" . $_SERVER['REMOTE_ADDR'] . "//" . $new_hash;
            $enc_cookie_data = base64_encode($raw_cookie_data);
            setcookie("autologin", $enc_cookie_data, time() + 3600);
        }
    }

    if ($all_clear) {
        echo "Welcome Back!";
    } else {
        // print login form here...
    }
+2
