First, just track whether someone is logged in. After that we will take care of the "remember me" function.
To find out whether someone is logged in, just look at $_SESSION. Everything in it is there because you put it there before. Thus, when processing the login form, if the username and password are correct, you save the username, user ID or something else in the session ($_SESSION['username'] = $username;).
Whenever a user loads a page, you just check
    if (isset($_SESSION['username'])) {
        // $_SESSION['username'] is logged in
    } else {
        // nobody is logged in
    }
There is no need to store the password in $_SESSION (in fact, for security purposes, it is better not to store it anywhere except as a hash in the database).
Now the "remember me" function... First, some considerations:
- Any user can change their browser cookies, so you need to be sure that the cookie sent to the application has not been changed.
- Users may check this on public computers (such as libraries), so you need a way to invalidate it.
- If the user logs out, the cookie that remembers him/her must be deleted.
For the first point, imagine that in a cookie you save the username that will be "remembered" (VERY UNSAFE!). This means that if any user creates a cookie for your web application with the content "joe", your application will think that user joe is to be remembered on this computer, and will give this attacker access as if he/she were Joe. So, we need to somehow glue/hash the cookie.
For the second point, invalidating "remember me" on some computers, we will use the password in some way. If a user wants to invalidate all computers on which he may have checked the Remember Me checkbox, all he needs to do is change his password. It also means that if he/she changes his password, all remembered logins for his account will be invalidated, for the same reason. But better safe than sorry...
So, when you process the login, and the username and password are correct, and the "remember me" option is checked, in addition to saving the username in the session, you store a hash of the username and password (and some salt, if you want) in the cookie that you send to the user. You also need to save the username in the cookie in plain text (or encrypted in a reversible form) to find out which user is trying to "log in" through the cookie, and check the hash of the username and password in the cookie against the hash of the username and password from the database. If this check passes, you save the username in the session and no longer check this user's cookie (at least for this session).
So, in general, your code might look like this:
login.php
    if (check_login($_POST['username'], $_POST['password'])) {
        // login correct
        $_SESSION['username'] = $_POST['username'];
        if (isset($_POST['remember_me'])) {
            // we hash the password because we **NEVER** store it in plain text anywhere
            // so when we would like to check if the cookie value is correct, we will not
            // be able to do so if the hash in the cookie was done from the plaintext
            // password.
            $value = sprintf('%s:%s', $_POST['username'], md5($_POST['username'].hash_password($_POST['password'])));
            // give the cookie an expiry: without one it is a session cookie and is
            // discarded when the browser closes, so nothing would be "remembered"
            setcookie('rememberme', $value, time() + 30 * 86400);
        }
        redirect('/your/home/page.php'); // see the Post/Redirect/Get design pattern
    } else {
        // login incorrect, show error message and whatever...
    }
at the beginning of each PHP file (or, better, in the file you include to bootstrap your application)
    if (isset($_SESSION['username'])) {
        // $_SESSION['username'] is logged in, proceed as you wish
    } else if (isset($_COOKIE['rememberme'])) {
        // this user has checked the remember me feature some time ago in a previous login.
        // let's check if it is valid.
        // limit the split to 2 parts and tolerate a malformed cookie with no ':'
        $parts = explode(':', $_COOKIE['rememberme'], 2);
        $username = $parts[0];
        $hash = $parts[1] ?? '';
        // we need to get the password hash stored for this user (remember you **NEVER** store passwords in plain text)
        $pwd_hash = obtain_password_hash_from_username($username);
        // the cookie's hash part was computed as md5(username . pwd_hash) in login.php, so that
        // is what we compare against (not "username:hash"); hash_equals avoids timing leaks
        if (hash_equals(md5($username.$pwd_hash), $hash)) {
            // yeah, the user remembered is correct. We'll save it to the session to not do this shit again
            $_SESSION['username'] = $username;
        } else {
            // the cookie value is not correct so maybe an attacker is trying to fool us,
            // or the user changed his password. Whatever it is, we remove the cookie
            // because it is no longer valid
            setcookie('rememberme', '', time() - 3600);
        }
    } else {
        // this user is neither logged in nor "remembered"
    }
The password hashing method is up to you. You might like plain md5 or sha, salted md5 or sha (better), or some tedious method like blowfish (recommended). I used plain md5 for the cookie hash, but you can choose any of the methods described earlier.
I think that's all.
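As an added example (not the answer's own code), here is the same remember-me scheme hardened the way a reviewer would ask for: the cookie is still bound to the stored password hash so that a password change invalidates it, but the hash is an HMAC under a server-side secret, the cookie carries an expiry, the comparison is constant-time, and the cookie is sent with the Secure and HttpOnly flags. SERVER_SECRET, the $users array and the function names are constructed for the demonstration.

```php
<?php
// Added example, not the answer's code. SERVER_SECRET and $users are
// constructed; in a real application the secret lives outside the code base.
const SERVER_SECRET = 'constructed-secret: replace with a long random value kept out of the repo';
const REMEMBER_DAYS = 30;

// Constructed user store: username => password hash (never the plaintext).
$users = [
    'joe' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    'ann' => password_hash('another long passphrase', PASSWORD_DEFAULT),
];

// Cookie value is username:expiry:mac. The MAC covers username, expiry and the
// current password hash, so editing any field or changing the password breaks it.
function make_remember_value(string $username, string $pwd_hash, int $now): string {
    $expires = $now + REMEMBER_DAYS * 86400;
    $mac = hash_hmac('sha256', "$username:$expires:$pwd_hash", SERVER_SECRET);
    return "$username:$expires:$mac";
}

// Returns the remembered username, or null if the cookie is malformed,
// expired, for an unknown user, or fails the MAC check.
function verify_remember_value(string $value, array $users, int $now): ?string {
    $parts = explode(':', $value, 3);                   // limit 3: the MAC is the last field
    if (count($parts) !== 3 || !ctype_digit($parts[1])) { return null; }
    [$username, $expires, $mac] = $parts;
    if ((int)$expires < $now || !isset($users[$username])) { return null; }
    $expected = hash_hmac('sha256', "$username:$expires:{$users[$username]}", SERVER_SECRET);
    return hash_equals($expected, $mac) ? $username : null;   // constant-time compare
}

// In login.php, after check_login() succeeds and remember_me is checked.
function set_remember_cookie(string $value, int $now): void {
    setcookie('rememberme', $value, [
        'expires'  => $now + REMEMBER_DAYS * 86400,  // persistent, unlike a session cookie
        'path'     => '/',
        'secure'   => true,                          // HTTPS only
        'httponly' => true,                          // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Stand-alone run (php remember.php): a valid cookie, a cookie with the username
// rewritten to another account, and the original cookie after a password change.
$now = time();
$cookie = make_remember_value('joe', $users['joe'], $now);
var_dump(verify_remember_value($cookie, $users, $now));
var_dump(verify_remember_value('ann' . substr($cookie, 3), $users, $now));
$users['joe'] = password_hash('a brand new passphrase', PASSWORD_DEFAULT);
var_dump(verify_remember_value($cookie, $users, $now));
```

On logout, clear the cookie with the same path and flags it was set with, otherwise the browser keeps the old copy.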