I'm new to cookies and (PHP in general actually) and I want to implement a "remember me" system for the website I'm working on. After reading a lot of posts here and also on other website, I understand that I shouldn't put password or any other input from the user in the cookie. One solution was to user a remember_key
in the database table, which gets regenerated each time a user signs in with "remember me" checkbox checked. And when the user visits the page again, the code should select remember_key
from the db and check if $_COOKIE['remember']
is the same as remember_key
, if it is then the user is logged in. But I'm not sure how to implement this. I have written some code in the way I thought I should, but I could use some help to see if what I already have is right and how to proceed. This is what I have now:
function rememberUser($id) {
$remember = md5(uniqid(mt_rand(),true));
$stmt = $mysqli->prepare("UPDATE USERS SET USER_REMEMBER_KEY = ? WHERE USER_ID = ?");
$stmt->bind_param('si', $remember, $id);
$stmt->execute();
setcookie("remember", $remember, time()+60*60*24*30, "/", "www.someName.com", false, true);
}
function isValidUser($id) {
$stmt = $mysqli->prepare("SELECT * FROM USERS WHERE USER_REMEMBER_KEY = ? AND USER_ID = ?");
$stmt->bind_param('si', $_COOKIE['remember'], $id);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
if($count == 1) {
return true;
}
else {
return false;
}
}
function forgetUser($id) { // not sure about this method at all!
setcookie("remember", '', time()-3600, "/", "www.someName.com", false, true);
}
forgetUser()
will delete $_COOKIE['remember']
(or the value of it?), but how does it know that it is the cookie for that particular person? I would like any comment/suggestion/tip/hint or anything else on the code I have now and how I can improve it.
For your information I already know about sessions, they're easy to use and more secure (I guess), but I need to keep users logged in for a longer time (like FB) and sessions are not good enough for that. I also heard that giving sessions a long lifetime won't guarantee their deletion.
About security: my website doesn't need to be super super secure, I think just this token will be enough?