Hey, guys.

Can someone tell me, or point me in the right direction, how to save a person's username and password. Basically, when someone logs in, I want them to have the option to remain logged in even if they leave the site. Currently, my site uses sessions, not cookies.

Sessions are essentially cookies which point to a file of information on a server.

I would recommend you set a cookie containing the username/pass (Encrypted of course) user side which when present logs them in (Quite similar to what lots of forums do I think).

The code would be something like:

PHP Code:

<?php
$value = base64_encode("$Username"."$Password"); // Quite insecure. You would need to unravel with a base64_decode and a split. 
$expiretime = time()+3600; // this would mean, in a days time.
setcookie("logininfo", $value, $expiretime, "/example_folder/", ".example.com", 1, true);
?>

Thats quite a bad example, but a good prod in the right direction

If you want better security md5 the username and pass with salt along with a session info. Then possibly a bit of extra info in the cookie (like access IP and so on). It's also a bad idea to have a cookie name as "logininfo", but that was me just being quick.
For more information on cookies see:
http://uk2.php.net/manual/en/function.setcookie.php

Bad idea...
Never ever store the password in a cookie. Even if it's encrypted.
The encryption is to make harder the work of a hacker who did get in, not the 1st line of defense...

What I usually do is that I save a hash in the database for each users, and set the cookie with that same hash with a validity of a week, or so.

Then, each page view update the hash value both in db and in the cookie, and it update the cookie validity.
This way, the content is changing for each requests the user do.

Now, when a user which is not identified comes, look for the value of that hash in the cookie, and log in automatically if the content match 1 record.

That way, no username nor password are in the cookie, end the entropy on the checked field makes it a lot harder to overcome.

Quote:

Originally Posted by tripy

What I usually do is that I save a hash in the database for each users, and set the cookie with that same hash with a validity of a week, or so.

Heh, I was going to cover that hehe ^^ Though that still raises the problem of if the computer/cookies gets stolen. A hacker could just do a JS injection and create to cookie themselves and there in.

Either way, it's all round never a great idea to store info user side. They sometimes block/delete them. For certain levels of security it's normally a good idea just to use sessions.

I think in most cases it should be okay to store a user id in a cookie, unless security is a huge thing.

I personally use something which on every page load checks the session and cookie status, if cookie isset but session isnt it resets the session.

Dan