
How can I implement a secure 'Remember Me' feature using PHP and cookies?

Susan Sarandon
2024-11-11 00:26:02


PHP login system: Remember Me (persistent cookie)

Introduction

Implementing a "remember me" feature allows users to stay logged in even after closing their browsers. This feature enhances user convenience and improves the overall user experience. In this article, we'll delve into a secure way to store and verify cookies in a user's browser for a persistent login mechanism.

Storing Cookie Securely

The cookie itself carries nothing but random values. Everything the server needs to recognise those values, and to revoke them, lives in a table of its own:

CREATE TABLE `auth_tokens` (
    `id` INT(11) UNSIGNED NOT NULL AUTO_INCREMENT,
    `selector` CHAR(12) NOT NULL,
    `token` CHAR(64) NOT NULL,       -- hex SHA-256 of the authenticator, never the raw value
    `userid` INT(11) UNSIGNED NOT NULL,
    `expires` DATETIME NOT NULL,
    PRIMARY KEY (`id`),
    UNIQUE KEY `selector` (`selector`)  -- every lookup is by selector
);

Process After Logging In

Upon successful login with the "remember me" option enabled:

  • Generate a 12-character selector, e.g. base64_encode(random_bytes(9)). It is a lookup key, not a secret, and the base64 alphabet never contains ':', so the cookie can be split on that character later.
  • Generate a 33-byte authenticator, e.g. random_bytes(33). This is the secret.
  • Set a cookie with the following value:

    'remember': $selector.':'.base64_encode($authenticator)

    Send it with the Secure, HttpOnly and SameSite attributes and an expiry that matches the database row.
  • Store the selector, the SHA-256 hash of the authenticator (never the raw value), the user ID and the expiration date in the auth_tokens table.

Re-Authenticating on Page Load

To re-authenticate the user:

if (empty($_SESSION['userid']) && !empty($_COOKIE['remember'])) {
    // At most two parts: the base64 alphabet never contains ':'
    $parts = explode(':', $_COOKIE['remember'], 2);
    $authenticator = count($parts) === 2 ? base64_decode($parts[1], true) : false;

    if ($authenticator !== false) {
        $selector = $parts[0];

        // $database is the article's own query wrapper; assumed to return the row or null
        $row = $database->selectRow(
            "SELECT * FROM auth_tokens WHERE selector = ?",
            [
                $selector
            ]
        );

        // Unknown selector or expired row: fall through as not logged in.
        // hash_equals() compares the two hex digests in constant time.
        if ($row && strtotime($row['expires']) > time()
            && hash_equals($row['token'], hash('sha256', $authenticator))) {
            session_regenerate_id(true);   // fresh session id on privilege change
            $_SESSION['userid'] = $row['userid'];
            // Delete this row and issue a fresh selector/authenticator pair (rotation)
        }
    }
}
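The two halves described above, issuing a token after login and verifying it on page load, fit together as follows. This is an added, self-contained example and not the article's own code: it runs against an in-memory SQLite database through PDO so it can be executed offline, assumes a 30-day token lifetime, stores `expires` as a unix timestamp instead of the article's DATETIME, and consumes every verified token and replaces it (rotation) so that a copied cookie works at most once. The `sendRememberCookie()` helper shows the cookie attributes the login step leaves implicit.

```php
<?php
declare(strict_types=1);

// Added example, not the article's own code. Assumed: 30-day lifetime,
// unix-timestamp `expires` column, single-use tokens with rotation.
const REMEMBER_TTL = 30 * 24 * 3600;

function createSchema(PDO $db): void
{
    $db->exec('CREATE TABLE auth_tokens (
        id       INTEGER PRIMARY KEY AUTOINCREMENT,
        selector CHAR(12) NOT NULL UNIQUE,
        token    CHAR(64) NOT NULL,
        userid   INTEGER  NOT NULL,
        expires  INTEGER  NOT NULL
    )');
}

// "Process After Logging In": mint selector + authenticator, store only the
// SHA-256 of the authenticator, return the cookie value for the browser.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $selector      = base64_encode(random_bytes(9)); // 12 chars, 72 bits; base64 has no ':'
    $authenticator = random_bytes(33);               // 264 bits of entropy, the secret
    $db->prepare('INSERT INTO auth_tokens (selector, token, userid, expires) VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $authenticator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . base64_encode($authenticator);
}

// "Re-Authenticating on Page Load": returns the user id, or null for a
// malformed, unknown, wrong or expired cookie. A matching token is consumed
// and a replacement is written to $newCookie.
function verifyRememberToken(PDO $db, string $cookie, int $now, ?string &$newCookie = null): ?int
{
    $newCookie = null;
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || strlen($parts[0]) !== 12) {
        return null;
    }
    $authenticator = base64_decode($parts[1], true);
    if ($authenticator === false) {
        return null;
    }

    // The lookup is keyed on the public selector; the secret never reaches a query.
    $stmt = $db->prepare('SELECT id, token, userid, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Constant-time comparison of two 64-character hex digests.
    if (!hash_equals($row['token'], hash('sha256', $authenticator))) {
        return null; // wrong secret: keep the row, so a guessed selector cannot log the user out
    }
    $db->prepare('DELETE FROM auth_tokens WHERE id = ?')->execute([$row['id']]);
    if ((int) $row['expires'] < $now) {
        return null; // expired token is purged but grants nothing
    }
    $newCookie = issueRememberToken($db, (int) $row['userid'], $now);
    return (int) $row['userid'];
}

// HTTPS only, hidden from JavaScript, not sent on cross-site requests.
function sendRememberCookie(string $value, int $expires): void
{
    setcookie('remember', $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration with constructed data (user id 42).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$now = time();

$cookie = issueRememberToken($db, 42, $now);
if (verifyRememberToken($db, $cookie, $now, $rotated) !== 42) throw new RuntimeException('fresh token must verify');
if (verifyRememberToken($db, $cookie, $now) !== null)        throw new RuntimeException('consumed token must be rejected');
[$sel] = explode(':', $rotated, 2);
$forged = $sel . ':' . base64_encode(random_bytes(33));      // right selector, wrong secret
if (verifyRememberToken($db, $forged, $now) !== null)        throw new RuntimeException('wrong authenticator must be rejected');
if (verifyRememberToken($db, $rotated, $now + REMEMBER_TTL + 1) !== null) throw new RuntimeException('expired token must be rejected');
if (PHP_SAPI !== 'cli') sendRememberCookie($rotated, $now + REMEMBER_TTL);
echo "all checks passed\n";
```

Rotation is what makes theft visible: once the legitimate browser has consumed a token, a copy of the old cookie fails, and a failure where the selector is known but the hash does not match is worth logging, since it is exactly the signature of a stolen or replayed cookie.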

Details of the Approach

  • Collision resistance: the 9 random bytes behind the selector give 72 bits of keyspace, so two users will not be handed the same selector in practice. The selector is only a lookup key; it does not have to be secret.
  • Impersonation protection: only the SHA-256 of the authenticator is stored. Anyone who reads the table (SQL injection, a leaked backup) obtains selectors and hashes but cannot recover the 33-byte authenticator a valid cookie needs, so the rows cannot be turned into working cookies. Because the authenticator is 264 bits of randomness rather than a password, a fast unsalted hash is sufficient.
  • Timing-attack countermeasures: the database lookup, whose duration depends on the index, is keyed on the non-secret selector. The secret authenticator is compared only after hashing and only with hash_equals(), which runs in constant time regardless of how many leading bytes match, so neither step leaks how close a guess was.
  • Database security: tokens live in their own table with an expiry, so expired rows can be purged by a scheduled job, all of a user's tokens can be revoked on logout or password change, and a compromised token can be deleted without touching the users table.
