How can I create a secured “remember me” system using PHP?

Question

I have a login system. How can I implement a secure remember me system using cookies.

What value should I have to store in cookie username and password, but how I can secure it?

Answer 1

define A Salt foreach user in db then

on setting

$expire_time = time() + 2 * 7 * 24 * 3600; // 2 weeks exp time

setcookie( 
    "rememberMe",
    crypt($username, $salt),
    $expire_time,
    '/'
);

on validating

$_COOKIE['rememberMe'] === crypt($username, $salt)

Answer 2

Maybe you could create a 16 char letter/number string that is associated in a database with that user and the mac address so that (as long as people aren't trying too hard and spoofing macs) only that machine can log on.

Answer 3

Maybe you should store (in your DB) visitor IP, User Agent, time zone or installed plugins. Something that might be easy to get using Javascript, since getting MAC address might be a problem.

Then you can easily check if user has same IP, UA, time zone or plugins as last time :) Or you might use MaxMind to check his location and confirm if he is using correct time zone. If there's anything suspicious you should discard cookie credentials.

Answer 4

There's not much to it... don't let your session files get cleaned up (ini setting session.gc_probability = 0), and change the session cookie from temporary to permanent (ini setting session.cookie_lifetime = however_long_you_want_the_user_to_be_remembered).

Of course, you'd probably want to eventually clean up stale session files, so you could experiment with a very low probability of the cleanup occuring, or do some external cleanup. Either way, as long as the user keeps the session cookie around and you keep the session file around, they'll be "remembered".