Remember me PHP script

Hi guys,

I have created a login system where a user can enter their username and password which, when validated, will take the user to a new page with his or her name displayed on the screen. Now I want to create a "Remember me" feature in my login screen so that when the user selects remember me it will remember the user name every time he or she opens the browser and remain logged in until they click on logout. I know it can be accomplished by using Session and Cookies but I have no idea how and where I should use them in my code. Here is my code for your reference:

Login.php

    <?php
    session_start();

    if (isset($_POST['submit'])){
        include 'form-validation.php';
        include 'connect.php';

        $Name=addslashes($_POST['Name']);
        $Username=addslashes($_POST['Username']);
        $Password=md5($_POST['Password']);

        $result = form_validation_validate($_POST, "
          Username Password : empty;
          Username Password : len >= 3;
          Username Password : chnum_; ");
    ?>

      <tr>
      <td colspan="2">

      <?php

        if ($result === true){
            $query = mysql_query("SELECT id FROM `login_tbl` WHERE `Username` = '$Username' AND `Password` = '$Password'");
            list($user_id) = mysql_fetch_row($query);

            if(empty($user_id)){
                echo '<span style="color: #A71930"> No such login in the system. Please try again</span>';
            }
            else{
                $_SESSION['user_id'] = $user_id;
                header('location: loginsucess.php');
                $_POST = Array();
            }
        }
        else echo '<span style="color: #A71930">' . $result . '</span>';
    }
      ?>
      </td></tr>
        <tr>
          <td style="padding-bottom: 10px;" colspan="2" class="heading1"><b>Login Required</b></td>
        </tr>
        <tr>
          <td height="30">Username:</td>
          <td><input type="text" name="Username" style="width:15em;" value="<?php echo $_POST['Username']; ?>">
          </td>
        </tr>
        <tr>
          <td height="30">Password:</td>
          <td><input type="password" name="Password" style="width:15em;" value="<?php echo $_POST['Password'];?>">
          </td>
        </tr>
        <tr><td>&nbsp;</td>
        <td><input name="submit" type="submit" value="Log-in" class="submit">
        <input type="checkbox" name="remember" /><span style="color:#006f99;">Remember me</span><br /><br />
          <a href="register.php">Register</a>  | <a href="resetpassword.php">Forgot your password?</a></td>
        </tr></table></form>

Loginsucess.php

    <?php
    session_start();

    include_once 'connect.php';

    if(isset($_SESSION['user_id'])) {

        $query = mysql_query("SELECT Name FROM login_tbl
                       WHERE ID = " . $_SESSION['user_id'] . " LIMIT 1")
                       or die(mysql_error());

        list($Name) = mysql_fetch_row($query);

        echo '<span class="username">Hello, '. $Name  . '! <a href="logout.php" style="color:#FFFFFF">( Logout )</a></span>';

    } else {

        echo 'Please login before opening the user panel.';
    }
    ?>

Please help me with this... I found a couple of scripts on the net but to use them I have to make a lot of changes to my script and I would prefer if someone can please update my existing script. Thanks guys, and also letting you know that I am using PHP Version 5.2.3.
Sep 4 '08 #1
Hi Guys,

Please help me. I am stuck with this problem.

Waiting for you guys to help me out.

Thanks
Sep 5 '08 #2
bnashenas1984
258 100+
Hi
Here is what you have to do.
When a user logs in you put a session on the server which shows that the user is logged in. At the same time you can check if the user wants you to remember him/her then encrypt the username and password by MD5 function and put them on a cookie with a long lifetime.
What you need to do to remember the user is to check on each page if the cookie containing username and password exists or not then you don't have to ask for them again.

The reason I'm saying that you have to use MD5 function is because people can view information inside cookies, so it won't be secure to put them in a cookie without encryption

Hope this helps

Good luck
Sep 5 '08 #3
Atli
5,058 Expert 4TB
Hi.

Yes, that is the general idea. Put a unique identifier into a cookie, which you can use to re-open a session without having to ask for the login info again.

What I usually do is create a hash out of several pieces of data, like say the user's name, password and the IP he is connecting from, and put that into a cookie, along with the user ID.
Then, when he comes back, you can re-create that hash and compare the new one with the one in the cookie. If they match, you can log him in again without asking for the login info.
Note that using the IP also protects (up to a point) against cookie hijacking.

I would advise using a hashing algorithm stronger than MD5 tho. It's old and relatively easy to hack. Using something like SHA1 or even one of the stronger variants of SHA is far more secure.
(Check out SHA1 and hash)
Sep 5 '08 #4
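
The scheme described in post #4, as an added example that is not code from the thread: the cookie carries the user ID, an expiry time and a hash that the server re-creates and compares on the next visit. It uses a keyed hash (HMAC-SHA256) with a server-side secret and an expiry, which are additions to what the post describes; `REMEMBER_KEY`, the function names and the sample row are hypothetical, and it is written for current PHP rather than 5.2.3.

```php
<?php
// Added example, not code from the thread. REMEMBER_KEY, the function names
// and the sample row are hypothetical.
const REMEMBER_KEY = 'replace-with-a-long-random-server-side-secret';
const REMEMBER_TTL = 2592000; // 30 days, in seconds

// Keyed SHA-256 over the values post #4 lists, plus the expiry time. Including the
// stored password hash means a password change invalidates every old cookie.
function remember_hash(array $user, string $ip, int $expires): string
{
    $data = implode('|', [$user['id'], $user['Username'], $user['Password'], $ip, $expires]);
    return hash_hmac('sha256', $data, REMEMBER_KEY);
}

// Cookie value "<user id>:<expiry>:<hash>"; the password itself is never placed in it.
function make_remember_cookie(array $user, string $ip, int $now): string
{
    $expires = $now + REMEMBER_TTL;
    return $user['id'] . ':' . $expires . ':' . remember_hash($user, $ip, $expires);
}

// Returns the user ID to log in, or null if the cookie is malformed, expired or forged.
function check_remember_cookie(string $cookie, callable $findUser, string $ip, int $now): ?int
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;
    }
    [$id, $expires, $hash] = $parts;
    $user = $findUser((int) $id);
    if ($user === null || (int) $expires < $now) {
        return null;
    }
    // Re-create the hash from server-side data and compare in constant time.
    return hash_equals(remember_hash($user, $ip, (int) $expires), $hash) ? (int) $id : null;
}

// Constructed sample row standing in for a login_tbl lookup.
$row  = ['id' => 7, 'Username' => 'alice', 'Password' => 'stored-password-hash'];
$find = function (int $id) use ($row) { return $id === $row['id'] ? $row : null; };

$now    = time();
$cookie = make_remember_cookie($row, '203.0.113.5', $now);
var_dump(check_remember_cookie($cookie, $find, '203.0.113.5', $now));       // same IP
var_dump(check_remember_cookie($cookie, $find, '198.51.100.9', $now));      // different IP
var_dump(check_remember_cookie($cookie . '0', $find, '203.0.113.5', $now)); // altered hash

// In Login.php, before any output, when "remember" is ticked (PHP 7.3+ syntax):
// setcookie('remember', $cookie, ['expires' => $now + REMEMBER_TTL, 'path' => '/',
//     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
```

Binding the hash to the IP address, as the post suggests, also logs out users whose address changes between visits.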
bnashenas1984
258 100+
Hi atli and thanks for sharing your ideas. I thought MD5 is the strongest encryption method because it's a one way encrypting function.

But anyway I just wanted to mention that putting passwords in database without encrypting it is NOT safe. I know it's not possible for users to reach information in our database but the reason is that there are some hacking ways to log in with a fake password. I think it's called for (Database Injection).

Here is one good example I could come up with.

Let's say you check your MYSQL database like this.

    SELECT * FROM users WHERE username='$username' AND password='$password'

Think what happens if the user puts something like this in the password text box:
' OR password='%

then the query will be like this :

    SELECT * FROM users WHERE username='$username' AND password='$password' OR password='%'

Sorry if this example does not work properly but this is how hackers use database injection.

BUT if we encrypt passwords before putting it in the database then there will be no way to use a fake password because the variable will also be encrypted before putting in the query.

One other thing I wanted to ask you. You said it's possible to hack a MD5 encryption. Do you know how? I'm really interested because I thought it's a one way function


Thanks again

Behzad
Sep 5 '08 #5
Atli
5,058 Expert 4TB
MD5 is technically not an encryption algorithm. It is a hashing algorithm.
The difference is that encryption usually allows for decryption, while hashing is non-reversible.

SHA1 (and the other SHA variants), as well as several other hashing algorithms, were developed *after* MD5 using more refined methods and longer output strings. (MD5 is 128bits, SHA1 is 160bits... Other variants are even longer.)
But they are all non-reversible, just like MD5.

There is no way to "decrypt" a hash, but using a brute-force attack you can attempt to *guess* the string used. I am not saying this is easy or quick, but relative to SHA1, MD5 is far more likely to be broken by this sort of an attack.

There is also the fact that because of how popular and widely used MD5 is, there exist huge databases that store MD5 hashes for millions of much used and randomly generated strings that can be consulted to find the input for a given hash. So breaking the hash may not even be needed.

As to the SQL Injection problem.
Hashing passwords does help up to an extent, but that doesn't necessarily mean your queries are safe from it.

You should ALWAYS sanitize user input before using it. By that I mean; running it through functions like: mysql_real_escape_string, htmlentities, addslashes, etc..

And always create hashes in PHP, rather than using database functions.
Databases log queries as plain text so sensitive data may be logged without your knowledge.
Sep 5 '08 #6
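
The login check from the original Login.php with the points from posts #5 and #6 applied, as an added example that is not code from the thread: the username is bound through a prepared statement, and the password is hashed and verified in PHP instead of being compared inside the SQL. The table and column names follow Login.php; the in-memory SQLite database, the sample row and `check_login` are assumptions, and `password_hash` needs a newer PHP than the 5.2.3 mentioned in the question.

```php
<?php
// Added example, not code from the thread. The in-memory SQLite database,
// the sample row and check_login() are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tbl (id INTEGER PRIMARY KEY, Name TEXT, Username TEXT, Password TEXT)');

// Hash in PHP, so the plain-text password never appears in a query or a query log.
$insert = $db->prepare('INSERT INTO login_tbl (Name, Username, Password) VALUES (?, ?, ?)');
$insert->execute(['Alice Example', 'alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Returns the user's id on success, null otherwise.
function check_login(PDO $db, string $username, string $password): ?int
{
    // The placeholder keeps $username as data; it cannot change the query's structure.
    $stmt = $db->prepare('SELECT id, Password FROM login_tbl WHERE Username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The password is checked in PHP against a salted hash, not inside the SQL.
    return password_verify($password, $row['Password']) ? (int) $row['id'] : null;
}

var_dump(check_login($db, 'alice', 'correct horse'));    // valid credentials
var_dump(check_login($db, 'alice', 'wrong password'));   // wrong password
var_dump(check_login($db, 'alice', "' OR password='%")); // the input quoted in post #5
```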
Hi bnashenas

Thanks for your reply but I am still stuck at same place. As I mentioned I know I have to use sessions and cookies but where exactly on my code. I would really appreciate if you could please update my code with sessions and cookies.

Thanks

Sep 7 '08 #7
Hi Atli,

I am still confused and it would be great if you could please update my code itself. I mean at least modify my code so that I know where to use sessions and cookies in my script.

Thanks for all your effort.

Sep 7 '08 #8
Hi guys

I spent whole day today to add remember me option to my script but with no luck. All PHP gurus out there please help me out by modifying my script.

Thanks
Sep 8 '08 #9
bnashenas1984
258 100+
Hi friend.
Sorry if I didn't have time to edit your script but I might be able to explain how to do what you're looking for.

Let me know if you can do it by using my instruction

Thanks
Sep 8 '08 #10
bnashenas1984
258 100+
Hi again
I edited your script and put some cookie setting in it. But there are some things you need to know about cookies. As I saw in your scripts you have included 2 files before setting the session.

    include 'form-validation.php';
    include 'connect.php';

It's ok with session to have html codes before setting the session AS LONG AS YOU PUT session_start() AT THE BEGINNING OF THE PAGE

But it's not how cookies work. THERE MUST NOT BE ANY HTML CODE BEFORE set_cookie FUNCTION. Not even a blank space. Otherwise it won't work.
Of course some of the web services ignore the blank space but some of them don't.

I'm sure you already know how this script works. When you check the remember me checkbox a cookie will be stored on the user's machine containing his/her username and the other one is for password.

Next time user opens the login page he will be redirected to the sucess.php page because he has already saved the information in cookies

Hope this code helps you..
Let me know if there is anything else I can help you with

<Code removed>

By the way, there was no need to change the other file (sucess.php). You can have it however you want

Good luck
Sep 8 '08 #11
Hi bnashenas

Thanks very much for all the effort and time you put in to modify my script but my login screen still not working. When I open login screen I get this error document.getElementById(..) is null or not an object..

Please have a look.

Thanks
Sep 9 '08 #12
bnashenas1984
258 100+
As I said in my previous post there are 2 files included in login.php

    include 'form-validation.php';
    include 'connect.php';

There might be something wrong on those two files.
Please send all 4 files to my email to see what's wrong

I'll send my email to you by PM
Sep 9 '08 #13
Atli
5,058 Expert 4TB
Hi.

A few things I would like to ask you to consider.

First, Dhiru1009.
We are not here to do your work for you.
We are happy to help you get through any problems and explain how they can be solved, but you will have to actually write your own code.

And bnashenas1984.
Please do not post complete solutions.
Like I say, we require that people do their own legwork, and handing them a complete solution is not a good way to help people learn.
Also, using emails or PM's to help solve a problem is not allowed. Post all relevant code samples and responses in the thread. That way everybody can benefit from this, not just the OP.

All of this is explained in the Posting Guidelines, which we require that all members read and follow when posting.

Thank you.
MODERATOR
Sep 9 '08 #14
