What is the best way to implement “remember me” for a website?
Every user has a unique 32-character id (made like this:
md5("salt" . $username . $user_password . "salt2");). I store this value in the ‘unique_id’ field of the users table. Is it a good way to assign this value to the user’s cookie and let him be logged in only if he has it assigned? And of course check that the value exists in the database?
I don’t think it’s a good practice, because if someone steals your cookie, they will be able to log in to your account.
What’s the other/better solution? Of course the safest thing is probably just to store it in sessions, but I want to implement this remember me feature.
Say the database table for persistent cookies is named pcookies, with the following columns:
- cookie_id (CHAR)
- user_id (INT)
- expiry (DATETIME)
- salt (CHAR)
Cookie creation steps:
- After successful login, create a cookie record in the database under a unique id. You may generate it by hash_hmac('sha512', $token, $salt) where $token = uniqid($user_id, TRUE) and $salt = md5(mt_rand()).
- Store ‘user id’, ‘expiration time’ and ‘salt’ along with the ‘cookie id’ in the database.
- Store ‘cookie id’ and ‘token’ in cookie.
- If a persistent cookie is found, first check whether the record exists in the database.
- If the record exists, then check whether the cookie has expired.
- If the cookie has not expired, then validate the cookie id by $cookie_id == hash_hmac('sha512', $token_from_cookie, $salt_from_db).
- Once the cookie is validated, delete it from database and create a new cookie according to the above cookie creation steps.
- If the cookie is found to be invalid, then clear the cookie from the device, delete all other cookie records of the user from the database, notify the user about a theft attempt and proceed to the manual login process.
- When a session is available, skip checking the cookie.
- After logout, clear the cookie along with the database record.
- Never allow users to execute sensitive requests like password change or viewing credit card information from a persistent cookie login. Require the password to log in and add a flag in the session to allow all onward operations.
These two posts provide excellent implementation guidelines for persistent login cookies:
(Read them in the given order, since the second one improves the first one.)
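The creation and validation steps above, written out as an added PHP example that is not part of the original answer. It assumes PHP 7.1+, keeps the pcookies rows in an array instead of a database table, returns the cookie as an array instead of calling setcookie(), and swaps in random_bytes() for uniqid()/mt_rand() and hash_equals() for the == comparison.

```php
<?php
// Added example, not from the original answer. $pcookies stands in for the
// pcookies table: cookie_id => ['user_id', 'expiry', 'salt'].
// Assumes PHP 7.1+; uses random_bytes() instead of uniqid()/mt_rand() and
// hash_equals() instead of == so the id comparison runs in constant time.

function create_persistent_cookie(array &$db, int $user_id, int $ttl = 30 * 86400): array
{
    $token = bin2hex(random_bytes(32));  // secret: lives only in the browser cookie
    $salt  = bin2hex(random_bytes(16));  // per-record salt: lives only in the database
    $cookie_id = hash_hmac('sha512', $token, $salt);
    $db[$cookie_id] = ['user_id' => $user_id, 'expiry' => time() + $ttl, 'salt' => $salt];
    return ['cookie_id' => $cookie_id, 'token' => $token];  // the two values sent to the browser
}

// Returns the user id when the cookie is valid, otherwise null. A valid cookie is
// consumed (deleted) so the caller must issue a fresh one; a cookie whose id exists
// but whose token does not verify revokes every persistent cookie of that user.
function validate_persistent_cookie(array &$db, array $cookie): ?int
{
    $id = $cookie['cookie_id'] ?? '';
    if (!isset($db[$id])) {
        return null;  // no record: fall through to the manual login form
    }
    $row = $db[$id];
    if ($row['expiry'] < time()) {
        unset($db[$id]);  // expired: drop the record, the cookie is no longer honoured
        return null;
    }
    $expected = hash_hmac('sha512', $cookie['token'] ?? '', $row['salt']);
    if (!hash_equals($expected, $id)) {
        foreach ($db as $cid => $r) {  // possible theft: revoke all of this user's cookies
            if ($r['user_id'] === $row['user_id']) {
                unset($db[$cid]);
            }
        }
        return null;
    }
    unset($db[$id]);  // one-time use: the caller rotates to a new cookie
    return $row['user_id'];
}

$pcookies = [];
$cookie = create_persistent_cookie($pcookies, 42);
$uid = validate_persistent_cookie($pcookies, $cookie);  // valid once, then consumed
if ($uid !== null) {
    $cookie = create_persistent_cookie($pcookies, $uid);  // re-issue after a successful check
}
$forged = ['cookie_id' => $cookie['cookie_id'], 'token' => 'wrong'];
validate_persistent_cookie($pcookies, $forged);  // token mismatch revokes user 42's cookies
```

Logout is the same unset of the record that the validation path performs, plus clearing the cookie in the browser; a real deployment would also send the cookie with the HttpOnly and Secure flags.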