PHP: Creating 'Remember Me' using cookies

There is a mobile optimized version of this page, view AMP Version.

PHP Sessions are great, they allow us to easily store information about a client without that client having ANY access to that data. In fact all they have is a “key” which links up to a session file stored on the server which PHP accesses behind the scenes.

This makes sessions very secure for us, we know that the user cannot change the data so we can store anything, don't need to validate data or be careful and obfuscate anything personal to that user.

However sessions are only meant to be temporary and PHP regularly cleans them up, so we know we cannot rely on them to keep information for long periods of time.

So how do we do a “remember me?” feature on our login forms? Well its easy if you create your remember me using cookies!


Remember Me Cookie

The easiest approach is to use a cookie to store required information so if the session is destroyed we can re-create it, it is important though to remember that not only can the client view the values of their cookies, but they can also modify them at will. With this in mind you should only store data that is essential for restoring the session, and nothing else.

What I decided to do was to simply store the user id, this value is unique and doesn't contain anything sensitive.

However as stated above the user could change this value, so it is good practice to create a md5 hash that we can then use to make sure this value was not changed by the user and is valid.


Creating The cookie

When the user logs in they are asked if they would like the site to remember their login, the code then checks if this has been selected by seeing if $_POST[‘remember’] is set, we then set the customers unique id and a hash of that ID (with a random string surrounding it for added security). The hash will be explained more later…

//setup a cookie
if (isset($_POST['remember'])) {
	setcookie("customer_id", $customer_id, ((time()+3600) * 24) * 7);
	setcookie("hash", md5('rand_3453*' . $customer_id . '_87@hashHASH'), ((time()+3600) * 24) * 7);

time() + 3600, gives us one hour from now, * 24, gives us one day from now and * 7, gives us a total of 7 days from now, so our cookie is set to last 7 days in total before being deleted by the browser.


No session? Eat a cookie…

We now need to add a check when there is no session, the check will immediately check for a cookie instead and if it exists we wil check the HASH to make sure nothing bad has happened to the value, and if everything checks out we will restore that users session.

//if session isnt active but a cookie exists load the user back up.
if (((isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === false) || !isset($_SESSION['loggedin'])) && isset($_COOKIE['loggedin'])  && $_COOKIE['loggedin'] == 1) {
	$hash = $_COOKIE['hash'];
	$id = $_COOKIE['customer_id'];
	if ($hash == md5('rand_3453*' . $id . '_87@hashHASH')) {
		$_SESSION['loggedin'] = true;
		$_SESSION['customer_id'] = $id;
	} else {
		//destroy the cookie, its been tampered with.
		setcookie("loggedin", '', time() - 9999);
		setcookie("customer_id", '', time() - 9999);
		setcookie("hash", '', time() - 9999);

Obviously you will need to adapt the code above to suit your project and what is needed for a logged-in session, but hopefully the example is enough to give you ideas, always remember, sessions are on your physical server but cookies are not - so if you EVER use a cookie to store anything make sure you take precautions, and NEVER store sensitive information in a cookie directly as this could expose your visitor to data theft via third party software such as malware and viruses.

Author: Dean Williams

I'm a Web Developer, Graphics Designer and Gamer, this is my personal site which provides PHP programming advice, hints and tips

Post Tags:
, ,