I wanted to implement the secure login script from WikiHow in my project. I have got it working in CodeIgniter. I want to modify it a bit by logging out a user when he closes the browser (unless he checked Remember Me on the login page).
This is the login function (assume every variable is set because the function won't be called unless they are).
public function login() {
    $error_msg = array();
    // the email and password validation is here
    // if an error is found it is pushed into the $error_msg array

    // find the user corresponding to the given email address
    $sql = "SELECT user_id, username, password, salt FROM users WHERE email = ? LIMIT 1";
    $query = $this->db->query($sql, array($email));
    if ($query) {
        if ($query->num_rows() == 1) {
            $result = $query->row();
            // user is found
            // hash the pass with the salt
            $password = hash('sha512', $password . $result->salt);
            // check for number of tries
            if ($this->check_brute($result->user_id) === TRUE) {
                // account locked for repeated failed login attempts
                $error_msg[] = "<p>Account is locked due to repeated failed login attempts.</p>";
                // return FALSE;
            } else {
                // check password (constant-time comparison instead of a loose == on the hash strings)
                if (hash_equals($result->password, $password)) {
                    $user_browser = $this->security->xss_clean($_SERVER['HTTP_USER_AGENT']); // browser
                    $user_id = preg_replace("/[^0-9]+/", "", $result->user_id);
                    $username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $result->username);
                    // I want to set the cookie expiry time depending on the
                    // Remember Me checkbox
                    if (isset($_POST['remember'])) {
                    }
                    // I am guessing some kind of cookie manipulation should
                    // take place here
                    // assign session variables
                    $_SESSION['user_id'] = $user_id;
                    $_SESSION['username'] = $username;
                    $_SESSION['login_string'] = hash('sha512', $password . $user_browser);
                    return TRUE; // login success
                } else {
                    // wrong password input
                    // add activity in database
                    $sql = "INSERT INTO login_attempts (user_id, time) VALUES (?, ?)";
                    $this->db->query($sql, array($result->user_id, time()));
                    $error_msg[] = "<p>ERR PASS: Username/password combination is incorrect.</p>";
                    // return FALSE;
                }
            }
        } else {
            // user doesn't exist
            // return FALSE;
            $error_msg[] = "<p>NO USR: Username/password combination is incorrect.</p>";
        }
    }
    return $error_msg;
}
And this is the code for the session starting:
public function sec_session_start() {
    $session_name = "sec_session_id";
    $secure = FALSE; // dev mode
    $httponly = TRUE;
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        $error_msg = '<p>Could not initiate a secure session.</p>';
        return $error_msg;
    }
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params(
        $cookieParams['lifetime'],
        $cookieParams['path'],
        $cookieParams['domain'],
        $secure,
        $httponly);
    session_name($session_name);
    session_start();
    session_regenerate_id(TRUE);
    return TRUE;
}
The only place where there is a reference to cookies is in the logout function where it is unset. What should I do to set the cookie expiry time when a user logs in depending on their choice on "Remember me"?
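One way the session cookie's lifetime can be switched on the Remember Me choice, as an added example that is not part of the question's code: the helper names, the 30-day constant and the `expires_at` session key are assumptions, and the example relies on PHP reissuing the session cookie with the cookie params in effect when `session_regenerate_id()` is called.

```php
<?php
// Added example (not from the question): after the password check succeeds,
// reissue the session cookie with a lifetime chosen by the "Remember me" box.
// Names below are illustrative, not part of the original script.

// 30 days when "remember me" is ticked; 0 means the browser drops the cookie when it closes.
const REMEMBER_ME_LIFETIME = 30 * 24 * 60 * 60;

function remember_me_lifetime($remember_checked) {
    return $remember_checked ? REMEMBER_ME_LIFETIME : 0;
}

// Call right after the password has been verified (where the empty if-block sits).
// session_regenerate_id() sends a fresh Set-Cookie header using the cookie params
// currently in effect, so updating the params first changes the cookie's expiry.
function reissue_session_cookie($remember_checked, $secure = true, $httponly = true) {
    $lifetime = remember_me_lifetime($remember_checked);
    $params   = session_get_cookie_params();
    session_set_cookie_params($lifetime, $params['path'], $params['domain'], $secure, $httponly);
    session_regenerate_id(true); // new id on privilege change; old session data is deleted

    // The browser's cookie expiry is advisory only (a client can keep sending an
    // old cookie), so record a server-side deadline and enforce it on each request.
    $_SESSION['expires_at'] = ($lifetime > 0) ? time() + $lifetime : 0;
}

// Run on every request after sec_session_start(). A deadline of 0 means
// "browser session", which the server cannot observe, so in that case the
// session's validity is bounded only by session.gc_maxlifetime.
function session_still_valid() {
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    $deadline = isset($_SESSION['expires_at']) ? (int) $_SESSION['expires_at'] : 0;
    return $deadline === 0 || time() < $deadline;
}
```

A 30-day cookie is only useful if the server keeps the session data that long (`session.gc_maxlifetime` defaults to 24 minutes), and a long-lived session id widens the window in which a stolen cookie stays valid, which is why persistent logins are commonly implemented with a separate, hashed remember-me token rather than by stretching the session cookie.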