
Remember me PHP script

P: 24
Hi guys,

I have created a login system where a user can enter their username and password which, when validated, will take the user to a new page with his or her name displayed on the screen. Now I want to create a "Remember me" feature in my login screen, so that when the user selects remember me it will remember the user name every time he or she opens the browser and remain logged in until they click on logout. I know it can be accomplished by using Session and Cookies but I have no idea how and where I should use them in my code. Here is my code for your reference:

Login.php

```php
<?php
session_start();

if (isset($_POST['submit'])) {
    include 'form-validation.php';
    include 'connect.php';

    // The form has no Name field, so guard against an undefined index
    $Name = isset($_POST['Name']) ? addslashes($_POST['Name']) : '';
    // Escape for SQL using the connection opened by connect.php
    $Username = mysql_real_escape_string($_POST['Username']);
    $Password = md5($_POST['Password']);

    $result = form_validation_validate($_POST, "
      Username Password : empty;
      Username Password : len >= 3;
      Username Password : chnum_; ");
?>

  <tr>
  <td colspan="2">

  <?php

    if ($result === true) {
        $query = mysql_query("SELECT id FROM `login_tbl` WHERE `Username` = '$Username' AND `Password` = '$Password'");
        list($user_id) = mysql_fetch_row($query);

        if (empty($user_id)) {
            echo '<span style="color: #A71930"> No such login in the system. Please try again</span>';
        }
        else {
            $_SESSION['user_id'] = $user_id;
            // header() only takes effect if no output has been sent yet (or output buffering is on)
            header('location: loginsucess.php');
            $_POST = Array();
        }
    }
    else echo '<span style="color: #A71930">' . $result . '</span>';
}
?>
  </td></tr>
    <tr>
      <td style="padding-bottom: 10px;" colspan="2" class="heading1"><b>Login Required</b></td>
    </tr>
    <tr>
      <td height="30">Username:</td>
      <!-- Escape the echoed value so submitted markup is not rendered -->
      <td><input type="text" name="Username" style="width:15em;" value="<?php echo isset($_POST['Username']) ? htmlspecialchars($_POST['Username'], ENT_QUOTES) : ''; ?>">
      </td>
    </tr>
    <tr>
      <td height="30">Password:</td>
      <td><input type="password" name="Password" style="width:15em;" value="<?php echo isset($_POST['Password']) ? htmlspecialchars($_POST['Password'], ENT_QUOTES) : ''; ?>">
      </td>
    </tr>
    <tr><td>&nbsp;</td>
    <td><input name="submit" type="submit" value="Log-in" class="submit">
    <input type="checkbox" name="remember" /><span style="color:#006f99;">Remember me</span><br /><br />
      <a href="register.php">Register</a>  | <a href="resetpassword.php">Forgot your password?</a></td>
    </tr></table></form>
```

Loginsucess.php

```php
<?php
session_start();

include_once 'connect.php';

if (isset($_SESSION['user_id'])) {

    // Cast to int so only a numeric ID ever reaches the query
    $query = mysql_query("SELECT Name FROM login_tbl
                   WHERE ID = " . (int) $_SESSION['user_id'] . " LIMIT 1")
                   or die(mysql_error());

    list($Name) = mysql_fetch_row($query);

    // Escape the stored name before writing it into the page
    echo '<span class="username">Hello, ' . htmlspecialchars($Name, ENT_QUOTES) . '! <a href="logout.php" style="color:#FFFFFF">( Logout )</a></span>';

} else {

    echo 'Please login before opening the user panel.';
}
?>
```

Please help me with this... I found a couple of scripts on the net, but to use them I have to make a lot of changes to my script and I would prefer if someone can please update my existing script. Thanks guys, and also letting you know that I am using PHP Version 5.2.3.
Sep 4 '08 #1
13 Replies


P: 24
Hi Guys,

Please help me. I am stuck with this problem.

Waiting for you guys to help me out.

Thanks
Sep 5 '08 #2

100+
P: 258
Hi
Here is what you have to do.
When a user logs in you put a session on the server which shows that the user is logged in. At the same time you can check if the user wants you to remember him/her, then encrypt the username and password by MD5 function and put them on a cookie with a long lifetime.
What you need to do to remember the user is to check on each page if the cookie containing username and password exists or not, then you don't have to ask for them again.

The reason I'm saying that you have to use MD5 function is because people can view information inside cookies, so it won't be secure to put them in a cookie without encryption.

Hope this helps

Good luck
Sep 5 '08 #3

Atli
Expert 5K+
P: 5,058
Hi.

Yes, that is the general idea. Put a unique identifier into a cookie, which you can use to re-open a session without having to ask for the login info again.

What I usually do is create a hash out of several pieces of data, like say the user's name, password and the IP he is connecting from, and put that into a cookie, along with the user ID.
Then, when he comes back, you can re-create that hash and compare the new one with the one in the cookie. If they match, you can log him in again without asking for the login info.
Note that using the IP also protects (up to a point) against cookie hijacking.

I would advise using a hashing algorithm stronger than MD5 tho. It's old and relatively easy to hack. Using something like SHA1 or even one of the stronger variants of SHA is far more secure.
(Check out SHA1 and hash)
Sep 5 '08 #4
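
A sketch of the cookie check described in the post above, as an added example that is not code from the thread. It swaps the plain hash for an HMAC keyed with a server-side secret so the value cannot be recomputed from data a visitor knows; `REMEMBER_SECRET`, the function names and the sample user row are assumptions, and `hash_equals()` requires PHP 5.6 or later.

```php
<?php
// Placeholder secret: in practice a long random value kept out of the web root.
define('REMEMBER_SECRET', 'replace-with-long-random-server-side-value');

// Build the cookie value "userId:mac" from data only the server can reproduce.
function remember_token($userId, $username, $passwordHash, $ip)
{
    $data = $userId . '|' . $username . '|' . $passwordHash . '|' . $ip;
    return $userId . ':' . hash_hmac('sha256', $data, REMEMBER_SECRET);
}

// Re-create the hash for the user named in the cookie and compare.
// $findUser is a callback returning the user row for an ID, or null.
function check_remember_token($cookie, $ip, $findUser)
{
    $cookie = (string) $cookie;
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                          // malformed cookie
    }
    $user = call_user_func($findUser, (int) $parts[0]);
    if ($user === null) {
        return null;                          // unknown user ID
    }
    $expected = remember_token($user['id'], $user['Username'], $user['Password'], $ip);
    // Constant-time comparison, so response timing does not leak the hash
    return hash_equals($expected, $cookie) ? $user['id'] : null;
}

// Constructed sample row standing in for a lookup in login_tbl
function find_user_demo($id)
{
    $rows = array(7 => array('id' => 7, 'Username' => 'alice',
                             'Password' => 'stored-password-hash'));
    return isset($rows[$id]) ? $rows[$id] : null;
}

$cookie = remember_token(7, 'alice', 'stored-password-hash', '203.0.113.5');
// In Login.php this value would be sent before any output, for example:
// setcookie('remember', $cookie, time() + 60 * 60 * 24 * 30, '/', '', true, true);

var_dump(check_remember_token($cookie, '203.0.113.5', 'find_user_demo'));   // same IP
var_dump(check_remember_token($cookie, '198.51.100.9', 'find_user_demo'));  // different IP
var_dump(check_remember_token('7:' . str_repeat('0', 64), '203.0.113.5', 'find_user_demo')); // forged value
```

Because the stored password hash is part of the input, changing the password invalidates every remember-me cookie issued before the change.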

100+
P: 258
Hi atli and thanks for sharing your ideas. I thought MD5 is the strongest encryption method because it's a one way encrypting function.

But anyway I just wanted to mention that putting passwords in database without encrypting it is NOT safe. I know it's not possible for users to reach information in our database but the reason is that there are some hacking ways to log in with a fake password. I think it's called for (Database Injection).

Here is one good example I could come up with.

Let's say you check your MYSQL database like this.

```sql
SELECT * FROM users WHERE username='$username' AND password='$password'
```

Think what happens if the user puts something like this in the password text box:
' OR password='%

then the query will be like this :

```sql
SELECT * FROM users WHERE username='$username' AND password='$password' OR password='%'
```

Sorry if this example does not work properly but this is how hackers use database injection.

BUT if we encrypt passwords before putting it in the database then there will be no way to use a fake password because the variable will also be encrypted before putting in the query.

One other thing I wanted to ask you. You said it's possible to hack a MD5 encryption. Do you know how? I'm really interested because I thought it's a one way function


Thanks again

Behzad
Sep 5 '08 #5

Atli
Expert 5K+
P: 5,058
MD5 is technically not an encryption algorithm. It is a hashing algorithm.
The difference is that encryption usually allows for decryption, while hashing is non-reversible.

SHA1 (and the other SHA variants), as well as several other hashing algorithms, were developed *after* MD5 using more refined methods and longer output strings. (MD5 is 128bits, SHA1 is 160bits... Other variants are even longer.)
But they are all non-reversible, just like MD5.

There is no way to "decrypt" a hash, but using a brute-force attack you can attempt to *guess* the string used. I am not saying this is easy or quick, but relative to SHA1, MD5 is far more likely to be broken by this sort of an attack.

There is also the fact that because of how popular and widely used MD5 is, there exist huge databases that store MD5 hashes for millions of much used and randomly generated strings that can be consulted to find the input for a given hash. So breaking the hash may not even be needed.

As to the SQL Injection problem.
Hashing passwords does help up to an extent, but that doesn't necessarily mean your queries are safe from it.

You should ALWAYS sanitize user input before using it. By that I mean; running it through functions like: mysql_real_escape_string, htmlentities, addslashes, etc..

And always create hashes in PHP, rather than using database functions.
Databases log queries as plain text so sensitive data may be logged without your knowledge.
Sep 5 '08 #6
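
The two points in the post above (keep user input out of the SQL text, and create the hash in PHP rather than in the database), as an added example that is not code from the thread. It uses PDO prepared statements and `password_hash()` in place of the thread's `mysql_*` and MD5 calls, which assumes PHP 5.5 or later with the SQLite PDO driver; the in-memory database and sample account are constructed so it runs offline.

```php
<?php
// Constructed in-memory table, named after the query in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');

// The hash is created in PHP, so the plain password never appears in a query or query log.
$insert = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$insert->execute(array('alice', password_hash('correct horse', PASSWORD_DEFAULT)));

// Returns the user ID on success, null otherwise.
function check_login(PDO $db, $username, $password)
{
    // Placeholders send the input separately from the SQL text, so quotes in it are just data.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                      // no such user
    }
    // password_verify() re-hashes the input with the salt stored in the hash string.
    return password_verify($password, $row['password']) ? (int) $row['id'] : null;
}

var_dump(check_login($db, 'alice', 'correct horse'));     // valid login
var_dump(check_login($db, 'alice', 'wrong password'));    // wrong password
var_dump(check_login($db, 'alice', "' OR password='%"));  // password-box input quoted earlier in the thread
```

The per-password salt that `password_hash()` adds also means a precomputed table of hashes for common strings does not match the stored value.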

P: 24
Hi bnashenas

Thanks for your reply but I am still stuck at same place. As I mentioned I know I have to use sessions and cookies but where exactly on my code. I would really appreciate if you could please update my code with sessions and cookies.

Thanks

Sep 7 '08 #7

P: 24
Hi Atli,

I am still confused and it would be great if you could please update my code itself. I mean at least modify my code so that I know where to use sessions and cookies in my script.

Thanks for all your effort.

Sep 7 '08 #8

P: 24
Hi guys

I spent whole day today to add remember me option to my script but with no luck. All PHP gurus out there please help me out by modifying my script.

Thanks
Sep 8 '08 #9

100+
P: 258
Hi friend.
Sorry if I didn't have time to edit your script but I might be able to explain how to do what you're looking for.

Let me know if you can do it by using my instruction

Thanks
Sep 8 '08 #10

100+
P: 258
Hi again
I edited your script and put some cookie settings in it. But there are some things you need to know about cookies. As I saw in your scripts, you have included 2 files before setting the session.

```php
include 'form-validation.php';
include 'connect.php';
```

It's ok with session to have html codes before setting the session AS LONG AS YOU PUT session_start() AT THE BEGINNING OF THE PAGE

but it's not how cookies work. THERE MUST NOT BE ANY HTML CODE BEFORE set_cookie FUNCTION. Not even a blank space. Otherwise it won't work.
Of course some of the web services ignore the blank space but some of them don't.

I'm sure you already know how this script works. When you check the remember me checkbox a cookie will be stored on the user's machine containing his/her username and the other one is for password.

Next time the user opens the login page he will be redirected to the sucess.php page because he has already saved the information in cookies

Hope this code helps you..
Let me know if there is anything else I can help you with

<Code removed>

By the way , There was no need to change the other file (sucess.php). You can have it how ever you want

Good luck
Sep 8 '08 #11

P: 24
Hi bnashenas

Thanks very much for all the effort and time you put in to modify my script but my login screen is still not working. When I open the login screen I get this error: document.getElementById(..) is null or not an object.

Please have a look.

Thanks
Sep 9 '08 #12

100+
P: 258
As I said in my previous post there are 2 files included in login.php

```php
include 'form-validation.php';
include 'connect.php';
```

There might be something wrong in those two files.
Please send all 4 files to my email to see what's wrong

I'll send my email to you by PM
Sep 9 '08 #13

Atli
Expert 5K+
P: 5,058
Hi.

A few things I would like to ask you to consider.

First, Dhiru1009.
We are not here to do your work for you.
We are happy to help you get through any problems and explain how they can be solved, but you will have to actually write your own code.

And bnashenas1984.
Please do not post complete solutions.
Like I say, we require that people do their own legwork, and handing them a complete solution is not a good way to help people learn.
Also, using emails or PM's to help solve a problem is not allowed. Post all relevant code samples and responses in the thread. That way everybody can benefit from this, not just the OP.

All of this is explained in the Posting Guidelines, which we require that all members read and follow when posting.

Thank you.
MODERATOR
Sep 9 '08 #14
