How to implement login for 30 days or this session only?


#1

I want to let the user be able to choose, when they log in, whether they want to be remembered for 30 days or for the session only. I'm a bit new to PHP programming.

So far I have this:

HTML code:

[code]Remember me for:

30 Days This session only [/code]

auth.php class:

[php]function userloggedin($rr)
{
    global $logged_in;
    global $userid;
    global $sessionid;
    global $email;
    global $password;
    global $autologin;
    global $firstname;
    global $lastname;

    // $encpassword is computed here but never used below
    $saltpassword = $password . "5138hyh8g0ghg3g5h";
    $encpassword = hash('sha256', $saltpassword);
    $logged_in = true;
    $userid = $rr->userid;
    $firstname = $rr->firstname;
    $lastname = $rr->lastname;

    // every value, including the password, is written to a 30-day cookie
    setcookie("userid", $userid, time()+60*60*24*30);
    setcookie("email", $email, time()+60*60*24*30);
    setcookie("password", $password, time()+60*60*24*30);
    setcookie("autologin", $autologin, time()+60*60*24*30);
    setcookie("firstname", $firstname, time()+60*60*24*30);
    setcookie("lastname", $lastname, time()+60*60*24*30);

    header('Location: index.php');
}[/php]

Please help on how to accomplish this. Your help will be appreciated.


#2

You’ve not told us what isn’t working. I’ll assume your function works and that you want to be able to automatically choose whether it’s this session or 30 days:

[PHP]
<?php
function userloggedin($rr) {
    global $logged_in;
    global $userid;
    global $sessionid;
    global $email;
    global $password;
    global $autologin;
    global $firstname;
    global $lastname;

    $saltpassword = $password . "5138hyh8g0ghg3g5h";
    $encpassword = hash('sha256', $saltpassword);
    $logged_in = true;
    $userid = $rr->userid;
    $firstname = $rr->firstname;
    $lastname = $rr->lastname;
    setcookie("userid", $userid, time()+60*60*24*30);
    setcookie("email", $email, time()+60*60*24*30);
    setcookie("password", $password, time()+60*60*24*30);
    setcookie("autologin", $autologin, time()+60*60*24*30);
    setcookie("firstname", $firstname, time()+60*60*24*30);
    setcookie("lastname", $lastname, time()+60*60*24*30);
    header('Location: index.php');
}

function singleSession($rr) {
    //Assign user id to session - other items not needed as you can pull
    //the user info separately based on a session check. I try to avoid
    //storing too much sensitive information in a session for security reasons
    $_SESSION['userid'] = $rr->userid;
    header('Location: index.php');
}
[/PHP]

You can then simply check which value the user selected when processing the login form:

[PHP]
//Check if form submitted
if (isset($_POST['submit'])) {
    //Authenticate your user here

    //Check cookie length
    if ($_POST['checkcookielength'] == '30days') {
        //Set your user array here
        userloggedin($rr);
    } else {
        //Set your user array here (only ID needed)
        singleSession($rr);
    }
}
[/PHP]

#3

The code that checks whether the form is submitted, I put it under the login page, right?


#4

Normally, if you are doing something within the login process, you have the code in that page.
For checking days, I use this line to check if a user has not updated their profile info within six months.
Seems to work very well for me so far…
[php]
// Check the last time they visited their profile page. If over six months then go to profile page.
if (is_null($row["last_profile_update"])
    OR ($row["last_profile_update"] <= date("Y-m-d H:i:s", strtotime("-6 months")))) {
    header("Location: Profile.php");
}
[/php]
What this does is first check to see if the database holds a valid profile date; if not, it switches to the
profile page for an update. Next it checks for the date being within six months. If past this, it goes to
the page too. The code could be changed to check for a 30 day limit and should work well for your use…


#5

Storing the password in some cookie is absurd – just like abusing SHA-256 with a weird pseudo-salt to hash the passwords. I hope this is just a school project or something, not a real website?

Never store the plaintext password anywhere. Never. The password is extremely valuable and must be kept secret at all costs (I’m surprised that I even have to say this). Many people reuse the same password on multiple websites, so if you fail to protect it, this can have dramatic consequences beyond your own website.

I understand that you’re new to PHP, and I don’t mean to bash you. But when you store sensitive data of other people, you really need to understand the basics of security.

So before you do anything, fix your password hash algorithm. Use bcrypt with a sufficiently high cost factor (e.g. 14).

If you want to implement a remember-me function, use a completely separate(!), randomly generated identifier. The logic looks like this:

[ul][li]If the user has checked the “remember me” box, you use a secure random number generator to create a secret remember-me identifier. For example, [tt]bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM))[/tt] will return a sequence of 16 hexadecimally encoded random bytes.[/li]
[li]You store this identifier in a remember-me cookie. Then you hash it (SHA-256 is sufficient in this special case) and store the hash in a separate database table, together with the user ID and the current timestamp.[/li]
[li]On each page, you first check if there’s a standard PHP session. If there isn’t, you check if the user has provided a valid remember-me identifier. If that’s the case, you log the user in, just like you would do on the log-in page.[/li][/ul]

Note that remember-me features are inherently insecure and fairly hard to implement, so maybe you should forget about it for now and take care of the basic log-in logic first. You can still add this feature later.
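The steps in this reply, and the 30-day limit from the earlier replies, written out as an added example (this is not the original poster's code, nor code from anyone in the thread). It assumes a users table holding bcrypt hashes, a separate remember_tokens table, an in-memory SQLite database (constructed here so it runs offline; the pdo_sqlite extension is assumed), and PHP 7.3 or later: random_bytes() stands in for the mcrypt call quoted above, which no longer exists in current PHP, and the array form of setcookie() is used for the cookie flags. The expiry is enforced server-side by comparing integer timestamps, so the cookie lifetime alone never decides how long a login survives.

```php
<?php
declare(strict_types=1);

const REMEMBER_DAYS = 30;

// Constructed in-memory database so the example runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pwhash TEXT)');
$db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, created_at INTEGER)');

function registerUser(PDO $db, string $email, string $password): int {
    // bcrypt with a high cost factor; the raw password is never stored anywhere
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 14]);
    $st = $db->prepare('INSERT INTO users (email, pwhash) VALUES (?, ?)');
    $st->execute([$email, $hash]);
    return (int)$db->lastInsertId();
}

function authenticate(PDO $db, string $email, string $password): ?int {
    $st = $db->prepare('SELECT id, pwhash FROM users WHERE email = ?');
    $st->execute([$email]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return null;
    }
    return (int)$row['id'];
}

// Steps 1 and 2: random identifier goes to the browser, only its SHA-256 to the DB,
// so a leaked table does not hand out usable cookies.
function issueRememberToken(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(16));
    $st = $db->prepare('INSERT INTO remember_tokens (token_hash, user_id, created_at) VALUES (?, ?, ?)');
    $st->execute([hash('sha256', $token), $userId, time()]);
    return $token; // the caller puts this in the remember-me cookie
}

// Step 3: resolve a presented token; returns null for unknown, malformed or expired tokens.
function userFromRememberToken(PDO $db, string $token): ?int {
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;
    }
    $tokenHash = hash('sha256', $token);
    $st = $db->prepare('SELECT user_id, created_at FROM remember_tokens WHERE token_hash = ?');
    $st->execute([$tokenHash]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int)$row['created_at'] < time() - REMEMBER_DAYS * 86400) {
        // Expired: remove it so it can never be replayed later.
        $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$tokenHash]);
        return null;
    }
    return (int)$row['user_id'];
}

function setRememberCookie(string $token): void {
    // HttpOnly keeps scripts away from it, Secure keeps it off plain HTTP (assumes HTTPS).
    setcookie('remember', $token, [
        'expires'  => time() + REMEMBER_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Login form handler: "this session only" creates just the PHP session;
// "30 days" additionally issues a remember-me token. $post is the submitted form.
function handleLogin(PDO $db, array $post): ?int {
    $userId = authenticate($db, $post['email'] ?? '', $post['password'] ?? '');
    if ($userId === null) {
        return null;
    }
    if (PHP_SAPI !== 'cli') {          // skipped in the stand-alone run below
        session_regenerate_id(true);   // never keep the pre-login session id
        $_SESSION['userid'] = $userId;
        if (($post['remember'] ?? '') === '30days') {
            setRememberCookie(issueRememberToken($db, $userId));
        }
    }
    return $userId;
}

// Constructed demo run.
$uid   = registerUser($db, 'alice@example.com', 'correct horse battery staple');
$token = issueRememberToken($db, $uid);
assert(userFromRememberToken($db, $token) === $uid);
assert(userFromRememberToken($db, str_repeat('0', 32)) === null);   // unknown token
assert(userFromRememberToken($db, 'not-a-token') === null);         // malformed token
assert(handleLogin($db, ['email' => 'alice@example.com', 'password' => 'wrong']) === null);
echo "remember-me flow OK\n";
```

On each page request the order of checks is the one the reply gives: an existing PHP session wins; only when there is none is the `remember` cookie passed to userFromRememberToken(), and a hit is treated exactly like a fresh login (new session id, then the user ID in $_SESSION). Logging out should delete the row for the presented token as well as the cookie, otherwise the token stays valid until its 30 days run out.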


#6

LOL, well, I agree with some of those comments, Pretty, but, what does that have to do with the topic?

An additional comment on his original code is that you never store anything in a cookie except time and
an index to point at the user. But, as you mentioned, it might just be a learning project for them…


#7

Did you actually read my reply? Or did you stop after the first sentence?

By the way, I wonder what your reply has to do with the topic, because it seems to describe just a very cumbersome way of comparing timestamps. And, no, you do not store the user ID or the timestamp in a cookie, because then everybody can extend the remember-me time forever or even take over the session of somebody else. You store a random identifier pointing to a remember-me session (you might want to read my reply again).

Yes, this could be a learning project. So?

[ul][li]It might as well not be a learning project. I remember a particular thread on this forum where everybody thought the code was just a bad joke. But then it turned out that it was going to be used as a commercial application for 9000 users.[/li]
[li]Since when does learning equate to writing nonsensical code? When I learn something, I want to understand how to approach a particular problem. Isn’t that the whole point of learning?[/li][/ul]


#8

Well my Pretty, the topic is logins and date issues. I did not see where you assisted the poster with that
topic. You can tear apart their code after the topic is handled.

Or, even better, create a tutorial here explaining how you feel security should be handled. As a moderator
here, I feel both of our posts are valid, but, we need to solve his question first and then divert them to the
other code problems. One step at a time…


#9

Dude. Can you not see that I explained the exact steps for implementing this feature in reply #4? Shall I repeat it just for you? There you go:

No, I will not write down the entire code, because I’m a strong believer in learning-by-doing. Why not give the OP the chance to implement this himself? If he struggles with any of the steps, I’ll happily help him.

By the way, this “Just-stick-to-the-question” stuff isn’t helpful. A good programmer should see the bigger picture. Sometimes there are more important issues than the original question, sometimes the initial approach to the problem is wrong, sometimes the problem itself is nonsensical. All of this happens, especially with inexperienced programmers who usually do not see the bigger picture.

So, no, I do not “tear apart code”. I solve problems, starting with the most critical ones. And I suggest you do the same.


#10

I totally agree - I would find it demotivating to constantly implement stuff that I had to rewrite afterwards because I was guided towards “just get it to work” instead of “let’s get this right”.