Remember Me

When you have a login form, one field that some people expect to see alongside the user name and password fields is a 'remember me' checkbox. They expect that if they check the box, the browser will remember their user name between sessions. Some may even expect that their password will be remembered as well.

Here we are going to look just at remembering the user name. Remembering the password as well would only take minor modifications to the code, but doing so with this approach would present a significant security hole, not just for your site but also for any other site where the person uses the same password. So we will only remember the user name using this code.

To start with we need some code to process the field from the form. When the checkbox is checked the following code will save a cookie containing the user name for approximately a year. If the checkbox is not checked and the cookie exists then it will be deleted.

<?php
// $username is the user name that the login code above has just authenticated;
// only store it once the password has been checked, never straight from $_POST.
if (!empty($_POST['remember'])) {            // empty() avoids a notice when the box is unchecked
    $year = time() + 31623000;               // roughly one year from now
    // httponly keeps the cookie out of reach of page scripts; the server still sees it in $_COOKIE
    setcookie('remember_me', $username, $year, '', '', false, true);
} elseif (isset($_COOKIE['remember_me'])) {
    $past = time() - 100;                    // an expiry in the past makes the browser discard the cookie
    setcookie('remember_me', '', $past);
}
?>

Note that each time they log in the cookie is updated: if the remember field is passed it is renewed for another year, and if the field is not passed the cookie is deleted.

The other change we need is to the login form. If the user name was saved then we need to load it into the field in the form. We also need to add the checkbox so that our users can decide whether they want the computer to remember their user name or not.

<?php
// The cookie value is under the browser's control, so it must be escaped before
// it is written into the page, otherwise a tampered cookie can inject script.
$cookieval = isset($_COOKIE['remember_me']) ? $_COOKIE['remember_me'] : '';
?>
<input type="text" name="username" value="<?php echo htmlspecialchars($cookieval, ENT_QUOTES, 'UTF-8'); ?>">
<input type="checkbox" name="remember" id="remember" value="1"<?php if (isset($_COOKIE['remember_me'])) { echo ' checked="checked"'; } ?>><label for="remember">Remember Me</label>

So those couple of simple pieces of code allow the browser to remember the user name so as to display it every time the person brings up the login screen. This means that they just need to enter their password to complete the login process.

Now you could simply set a second cookie to save the password as well. Alternatively you could save both in the one cookie by using a character that you don't expect to find in either the user name or the password as a delimiter between the two. I do not recommend doing either of these, as the result is to save the password in plain text in the cookie. If someone gets access to the computer and can find where the cookie is stored then they will have obtained the password and would be able to log in as that user. In fact they wouldn't even need to do that. All they would need to do is view the source of the page with the login form to see the password as plain text in the source.

If you need people to be able to have their computer remember them and allow them to log in without having to type in their user name and password, then I suggest that an entirely different approach be used. Instead of redisplaying the login screen with both fields already filled out, we would set up the system to skip the login screen completely. Instead of remembering the user name and password, we would have a randomly generated token saved in the cookie and would also have that token stored in the database. People can then log in either by entering their user name and password in the login form, or by having the token read in from the cookie and matched to the token in the database to identify who it is that has logged in. For additional security the token would be regenerated each time that the person logs in. By storing additional information in the database that identifies the computer that the token cookie is saved on, you can make it very difficult for someone to break in using a different computer even if they have been able to obtain the token from the cookie.
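The token approach described above, as an added example that is not part of the original article. It assumes an in-memory SQLite database reached through PDO (so it runs stand-alone; a real site would point $db at its own database), stores only a hash of the secret half of the token so a copy of the database does not yield usable cookies, compares hashes in constant time, and rotates the token on every successful use so a stolen copy stops working once the legitimate browser has used it. The table, column and function names are this example's own choices.

```php
<?php
// Added example: persistent-login tokens stored hashed, compared in
// constant time and regenerated on every use. Not code from the article.

const COOKIE_NAME    = 'remember_token';
const TOKEN_LIFETIME = 60 * 60 * 24 * 365;   // one year, matching the article

// Assumption: pdo_sqlite is available; an in-memory database keeps this self-contained.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    selector   TEXT PRIMARY KEY,
    token_hash TEXT NOT NULL,
    user_id    INTEGER NOT NULL,
    expires_at INTEGER NOT NULL
)');

// Create a fresh token for $userId and return the value to put in the cookie.
// The selector is a lookup key stored in clear; the verifier is the secret half
// and only its SHA-256 hash is stored, so the database never holds a usable cookie.
function issueRememberToken(PDO $db, int $userId): string {
    $selector = bin2hex(random_bytes(8));
    $verifier = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO remember_tokens (selector, token_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $verifier), $userId, time() + TOKEN_LIFETIME]);
    return $selector . ':' . $verifier;
}

// Send the cookie with the flags a login token needs (called by the login handler).
function sendRememberCookie(string $value): void {
    setcookie(COOKIE_NAME, $value, [
        'expires'  => time() + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,     // only over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// Check a cookie value. On success the used row is deleted, a new token is issued,
// and [userId, newCookieValue] is returned; any failure returns null.
function redeemRememberToken(PDO $db, string $cookieValue): ?array {
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $verifier] = $parts;
    $stmt = $db->prepare('SELECT token_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The row is removed whatever the outcome: a token is single-use, and a
    // selector presented with the wrong verifier is treated as a stolen cookie.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    if ((int) $row['expires_at'] < time()) {
        return null;
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $verifier))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    return [$userId, issueRememberToken($db, $userId)];
}

// Demonstration with a constructed user id of 42.
$cookie = issueRememberToken($db, 42);
$first  = redeemRememberToken($db, $cookie);
if ($first === null || $first[0] !== 42) {
    throw new RuntimeException('fresh token should identify user 42');
}
$replay = redeemRememberToken($db, $cookie);   // the old value was rotated away
if ($replay !== null) {
    throw new RuntimeException('a used token must not be accepted twice');
}
echo "token accepted once for user {$first[0]}; replay rejected; new cookie issued\n";
```

In a real login flow the handler calls sendRememberCookie() with the value returned by issueRememberToken() after a password login, and the page that would normally show the login form first tries redeemRememberToken() on $_COOKIE[COOKIE_NAME], sending the new value back with sendRememberCookie() when it succeeds. The per-computer binding the article mentions fits naturally as an extra column written at issue time and compared at redemption time.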


This article written by Stephen Chapman, Felgall Pty Ltd.
