
I want to store passwords for users on my site. At login there is no problem and everything runs normally. However, after closing the browser the cookie is deleted, so the password and username disappear.

A PHP script like this:

```php
<?php
session_start(); // assumed: $_SESSION is used below, so the original file must start the session
if(isset($_SESSION['username']))
{
    // assumed condition and branch: the posted fragment begins at the closing brace of this block
}
else
{
    $ousername = '';
    if(isset($_POST['username'], $_POST['password']))
    {
        if(get_magic_quotes_gpc())
        {
            $ousername = stripslashes($_POST['username']);
            $username = mysql_real_escape_string(stripslashes($_POST['username']));
            $password = stripslashes($_POST['password']);
        }
        else
        {
            $username = mysql_real_escape_string($_POST['username']);
            $password = $_POST['password'];
        }
        $req = mysql_query('select password,id from users where username="'.$username.'"');
        $dn = mysql_fetch_array($req);
        // check the query result and row count before reading $dn['password'] from a false result
        if($req and mysql_num_rows($req)>0 and $dn['password']==sha1($password))
        {
            $form = false;
            $_SESSION['username'] = $_POST['username'];
            $_SESSION['userid'] = $dn['id'];
            if(isset($_POST['memorize']) and $_POST['memorize']=='yes')
            {
                $one_year = time()+(60*60*24*365);
                setcookie('username', $_POST['username'], $one_year);
                setcookie('password', sha1($password), $one_year);
            }
        }
    }
}
?>
```

What is the best solution to this problem? Thanks for the answer.

Sigit Purnomo
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jan 13 '16 at 22:06
  • Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jan 13 '16 at 22:06
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Jan 13 '16 at 22:07
  • It's a session cookie. They default to being "for the life of the browser session". When the browser closes, they're gone. – Marc B Jan 13 '16 at 22:07
  • [Allow users to use the passwords/phrases they want to use.](https://xkcd.com/936/) [Don't limit passwords](http://jayblanchard.net/security_fail_passwords.html) – Jay Blanchard Jan 13 '16 at 22:07
  • So what to do...? – Sigit Purnomo Jan 13 '16 at 22:13
  • @SigitPurnomo Jay is not really providing an answer to your main question, but he's providing a LOT of other advice you should still follow even when you do get an answer to your question. There's an incredible amount of problems with your code. Learn some good habits before you expose your users to even more security risks. – Evert Jan 13 '16 at 22:16
  • For every 2 lines of code in the source you posted, there's a problem in 1 of them. I'm not exaggerating. – Evert Jan 13 '16 at 22:17
  • @Jay Interesting article, but any system is only as secure as its weakest link. If the users will be granted any sort of administrative privileges (power to affect entities not directly owned by themselves), enforcing secure passwords is still advisable. – Typel Jan 13 '16 at 22:18
  • @Evert - Yes, thank you for your advice. I'm just learning PHP and now I'm really confused. – Sigit Purnomo Jan 13 '16 at 22:21
  • Perhaps @Typeless. In several test cases, when offered no limit on passwords / phrases, folks nearly always chose a phrase longer than any typically enforced password limitation. Admin personnel, in surveys, have always desired to have the ability to create long, meaningful security phrases. – Jay Blanchard Jan 13 '16 at 22:23
  • @SigitPurnomo judging from the code you wrote so far, I would have to guess that you're learning PHP based off text written a long time ago. I would strongly recommend you look for some up-to-date resources instead. Something from the last 3 years. – Evert Jan 13 '16 at 22:24
  • @SigitPurnomo not only will your code be better, I guarantee it's more fun and easier to get into modern PHP. I don't want to discourage you, but I have to stress that this is _really really bad_. – Evert Jan 13 '16 at 22:25
  • I have tested two different PHP scripts to register and log in, but both are problematic when the browser is closed. Can anyone give an example of a modern script whose active session does not disappear when the browser is closed? – Sigit Purnomo Jan 14 '16 at 20:29
  • @Ryan - I've been showing an active session in the login.php file; is it not correct? – Sigit Purnomo Jan 14 '16 at 20:47
  • Yes, I've read it but cannot absorb the intent of the author :) Can this trick be used in .htaccess? Because I searched on Google and did not find results. – Sigit Purnomo Jan 14 '16 at 21:26
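What the comments point toward, as an added example that is not part of the question or of any answer: the PHP session cookie dies with the browser, so a "remember me" login has to re-create the session from a separate long-lived cookie that carries a random token, never the password or its hash. The example uses PDO prepared statements and `password_verify()`, and it assumes PHP 7.3 or later, a PDO connection, and two hypothetical tables `users(id, username, password_hash)` and `auth_tokens(selector, validator_hash, user_id, expires_at)`; the DSN, credentials and table names are placeholders.

```php
<?php
// Added example, not the asker's code. Assumed schema (placeholders):
//   users(id, username, password_hash)                    -- password_hash() output
//   auth_tokens(selector, validator_hash, user_id, expires_at) -- expires_at is a unix time INT
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // token lifetime: 30 days

// Cookie flags: HTTPS only, not readable from JavaScript, not sent cross-site on POST.
function cookieOptions(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Verify credentials with a prepared statement (no SQL string concatenation)
// and password_verify() against a password_hash() value. Returns the user id or null.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Issue a remember-me token: a random selector (lookup key) plus a random validator.
// Only the hash of the validator is stored, so a leaked table cannot be replayed as cookies.
function issueRememberToken(PDO $pdo, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;

    $stmt = $pdo->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, cookieOptions($expires));
}

// On a request with no logged-in session, rebuild it from the cookie. Returns user id or null.
function loginFromRememberCookie(PDO $pdo): ?int
{
    $cookie = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (strpos($cookie, ':') === false) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);

    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM auth_tokens
                           WHERE selector = ? AND expires_at > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals() is a constant-time comparison; a mismatch means a stale, guessed or tampered cookie
    if ($row === false || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600)); // clear the bad cookie
        return null;
    }
    return (int) $row['user_id'];
}

// Fresh session id whenever the privilege level changes (defends against session fixation).
function startUserSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
}

// ---- request handling; DSN and credentials are placeholders ----
$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password',
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
session_start();

if (!isset($_SESSION['userid'])) {                 // browser was closed: session cookie is gone
    $userId = loginFromRememberCookie($pdo);       // ...but the remember cookie may still be there
    if ($userId !== null) {
        startUserSession($userId);
    }
}

if (!isset($_SESSION['userid']) && isset($_POST['username'], $_POST['password'])) {
    $userId = authenticate($pdo, (string) $_POST['username'], (string) $_POST['password']);
    if ($userId !== null) {
        startUserSession($userId);
        if (($_POST['memorize'] ?? '') === 'yes') {
            issueRememberToken($pdo, $userId);
        }
    }
}
```

The token, not the session, is what survives the browser restart; the session is rebuilt from it on the next request. Because the cookie holds a random value that can be revoked by deleting its `auth_tokens` row, a stolen cookie does not expose the password and can be invalidated server-side, which the original `setcookie('password', sha1($password), ...)` approach cannot do.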

0 Answers