8

I am having a bit of trouble. I am working on a small CMS. When I log in everything is fine, but if I sit there the session seems to require me to log in again after 3 minutes maybe. So I tried to implement a remember me feature and have no luck with it either; it also still requires me to log in.

in my functions I have the following code snip.

function logged_in() {

    // Note: $_COOKIE['email'] is whatever the client sends, so any browser that
    // sets an "email" cookie satisfies this check.
    if (isset($_SESSION['email']) || isset($_COOKIE['email'])) {
        return true;
    } else {
        return false;
    }
}

Then I created another function that, if the page requires login and you're not logged in, will redirect.

function require_loggin() {

    if (!logged_in()) {
        redirect(ROOT_URI);
    }
}

Now on all the pages that require login I have this in the header of the page.

<?php require_loggin(); ?>

And this is my post data for the login page.

$email = clean($_POST['email']);
$password = clean($_POST['password']);
$remember   = isset($_POST['remember']);

And finally my login.

function login_user($email, $password, $remember) {

    $active = 1;

    $connection = dbconnect();
    $stmt = $connection->prepare('SELECT user_pwd, user_email, uid, username FROM users WHERE user_email = ? AND active = ?');
    $stmt->bind_param('si', $email, $active); // $active is an integer column
    $stmt->execute();
    $result = $stmt->get_result();

    if ($result->num_rows == 1) {
        $row = $result->fetch_array();
        $db_password = $row['user_pwd'];

        if (password_verify($password, $db_password)) {

            // $remember comes from isset($_POST['remember']) and is already a bool
            if ($remember) {
                // path "/" so the cookie is sent for every page, not only this directory
                setcookie('email', $email, time() + 86400, '/');
            }

            $_SESSION['uid'] = $row['uid'];
            $_SESSION['email'] = $row['user_email'];
            $_SESSION['username'] = $row['username'];

            return true;
        } else {
            return false;
        }
    } else {
        return false;
    }
}

Everything works with no error. Login and logout are fine.

The issue is that once they log in, the default session dies in about 4 minutes if they are not clicking links, and the remember me function won't work. I read somewhere that a default session should last about 30 minutes, but the session requires login after 4 minutes of not moving through the site.

Someone mentioned to me about Garbage Collection but I have to admit I am totally lost on it.

I am still fairly new to PHP and I want to learn the correct way, not the incorrect way. My project works great; I just cannot keep a user logged in or get the remember me to function.

Brad Larson
Case
    Your cookie name is "mycookie" when you set it, but you check for the key "email". – Benjamin Oct 24 '16 at 19:01
  • I didn't understand the question. You said that when the user closes the browser after logging in with the option "remember me" and reopens the browser, he remains logged in, right? Isn't it the desired effect? – Vinicius Dias Oct 24 '16 at 19:13
  • @Vinicius Dias If a user is logged in I have a function that redirects them from the login page and register page. If they log in with remember checked, then close their browser and reopen it, it redirects them from the login page as though they're logged in, but they are really not. – Case Oct 24 '16 at 19:24
  • The cookie stays set for 1 day, even if the user restarts the browser. Why are you using a cookie instead of just the session variable? – Barmar Oct 24 '16 at 19:26
  • It seems like you shouldn't be checking the cookie in `logged_in()`, just check the session variable. – Barmar Oct 24 '16 at 19:29
  • 1
    I'm voting to close this question as off-topic because the question has changed significantly multiple times which has led to confusing and misleading answers. – Robbie Nov 03 '16 at 23:15
  • lol you didn't get the bounty so now you want to close it lol smh – Case Nov 04 '16 at 19:06
  • 2
    Completely changing your question such that it invalidates existing answers is disrespectful to those who have taken the time to help you, and is frowned upon here. Your last edit made the question nonsensical, so I've rolled it back to the way it was when you provided the bounty. If you have a new question to ask, do so in a brand new question. – Brad Larson Nov 04 '16 at 21:53
  • Sometimes when we are discovering something new we don't really know what to ask, and as information comes in the actual question emerges. Not to mention people attempting to answer the question may request additional information, which naturally changes the scope. – Layton Everson Nov 07 '16 at 04:19

7 Answers

6

I recommend creating an application config file. Call it config.php and include it at the top of your pages. As simple as your application appears, I'm assuming you're not using an autoloader. Include the following snippet in it:

<?php
    /**
     * File: config.php
     * This file should be included in every php script to configure the session. Like this:
     * require_once('config.php');
     */

    /*
     * This is 30 minutes. The length only depends on the requirements of
     * your application.
     */
    $sessionLength = 30 * 60;
    // Server-side lifetime of the session data; keep it in step with the cookie.
    ini_set('session.gc_maxlifetime', $sessionLength);

    // lifetime, path, domain: replace "yourdomain.com" with your own host
    session_set_cookie_params($sessionLength, "/", "yourdomain.com");
    session_name('PHPSESSION');
    session_start();
    // This will force the cookie to reset with a new timeout on every page load.
    // Use the same path and domain as above so the browser updates the one cookie
    // instead of keeping a second copy for the current directory.
    setcookie(session_name(), session_id(), time() + $sessionLength, "/", "yourdomain.com");

?>
Layton Everson
4

Update:

Edit number 9 of the question has changed the question quite dramatically and this answer (and most of the other answers) no longer apply.

This answer was in response to edit number 7 of the question (when the bounty was started).

Leaving this here so visitors know why there are so many answers and comments relating to "session length" when the question, as it currently stands, does not reference it. Will delete the answer when wrapped up.


Run the following php file in your browser:

<?php

echo 'Session GC Max Lifetime: '. ini_get('session.gc_maxlifetime') . ' (The number of seconds after which data will be seen as \'garbage\' and potentially cleaned up.)<br>';
echo 'Session Cookie Lifetime: '. ini_get('session.cookie_lifetime') . ' (The lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed.")<br>';

phpinfo();

?>

If either of the two values at the top are "around 4 minutes" (240 seconds) then you need to adjust them in your PHP config.

Failing that, the phpinfo() output below should tell you all you need to look for, e.g.

  • if you have another script that deletes files from the session path (see "session.save_path" in the phpinfo() output) then you'll also lose the session;
  • if you're not using cookies (I assume you are, otherwise you'll see a PHPSESS parameter on all the URLs) then
  • if PHP/Apache/IIS etc. should "restart" then you'll lose all the sessions
  • (Don't be fooled by session.cache_expire=180; that 180 is minutes, not seconds, and unrelated to this.)
Robbie
  • excellent answer – Nick Oct 27 '16 at 05:09
  • Actually Robbie, none of the answers answered my question – Case Oct 28 '16 at 03:40
  • Also the code has not changed dramatically; only 4 lines were added to this part of the code – Case Oct 28 '16 at 03:41
  • Code might not have changed, but the "problem" (and thus your question) has. The core of the previous question (version 7) was "The issue is that once they login the default session dies in about a 4 minutes if they are not clicking links. and the remember me function wont work.. I read some where that a default session should last about 30 minutes. but the session requires login after 4 minutes of not moving through the site." You've now removed that and shifted focus to just the "remember me" not working. Anyhow - see the other answer. – Robbie Oct 28 '16 at 04:20
3

Based on the latest edit of your question (9), and the codebin as it stands right now (please stop editing the question and code - create a new question if it changes that much!)

Your call to login_user($email, $password) does not pass the $remember variable expected by the declaration

function login_user($email, $password, $remember)

So it'll never set the cookie.

Tips:

  • When debugging, just type echo $remember . "<br>"; or echo "I'm Here<br>"; or echo "I'm at " . __FILE__ . "/" . __LINE__ . "<br>"; or similar in your code at various points so you know where it's tracking. You'll see that it never gets to the "setcookie" line.
  • turn on ALL error reporting for debug/development purposes. error_reporting(E_ALL); and ini_set('display_errors', 'on'); as this will reveal your problem
  • If you use a cookie, don't store something easily decodable (like a base64 string, as you are doing) but store a reference to a "permanent session" you save on the server. Any hacker would instantly recognize a base64 string (see those equals signs at the end? Base64 is the first thing that springs to mind). I could change one letter and log in as someone else using your code.
  • There are some more tips about creating a good session system (i.e. if you're using cookies for "remember me", then you may as well not use the session_start() sessions and do it all yourself), but that then leads to the suggestion that you should use a library if you're not 100% sure of your logic and security, and given the base64_decode issue that's true. Hopefully your verify_password is not self-written but something commercial? Perfect for learning, but have someone check over the code before launching if you want it to go live.

Good luck

(And please, don't change the question again! No one will want to help you.)

Robbie
2

First of all, try adding this line before your session_start() statement:

session_set_cookie_params(3600,"/");

If that did not work, you have 3 options:

1) Change the value of this line in your php.ini to 1800

session.gc_maxlifetime

2) Put this in your .htaccess file:

php_value session.cookie_lifetime 1800
php_value session.gc_maxlifetime 1800

1800 is in seconds, so it is half an hour.

3) If you don't have access to .htaccess, you can put this in your header:

ini_set('session.cookie_lifetime','1800');  

Debian has a cron job to automatically expire sessions for security measures. If you are using Debian check /etc/cron.d/php*

RESOURCES:

http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime
http://php.net/manual/en/function.session-set-cookie-params.php

Eilat
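The answers above all adjust session.gc_maxlifetime and session.cookie_lifetime. Those settings only control when PHP is allowed to delete the session data (and, on Debian, when the cron job does it), so a practitioner would also enforce the idle timeout in application code. The block below is an added example and is not code from the question or from any of the answers; it assumes HTTPS (for the secure cookie flag), PHP 7.3 or later for the array form of session_set_cookie_params(), and the hypothetical names SESSION_IDLE_LIMIT, SESSION_ROTATE_EVERY, session_is_idle() and start_session().

```php
<?php
// Added example, not code from the question or from any of the answers above.
// Enforces the idle timeout in application code instead of relying on
// session.gc_maxlifetime, which only says when PHP *may* delete the data.
// Assumed names: SESSION_IDLE_LIMIT, SESSION_ROTATE_EVERY, session_is_idle(),
// start_session(). Assumes HTTPS (the 'secure' flag) and PHP >= 7.3.

declare(strict_types=1);

const SESSION_IDLE_LIMIT   = 30 * 60;  // log out after 30 minutes without a request
const SESSION_ROTATE_EVERY = 10 * 60;  // rotate the session id every 10 minutes

// Pure helper so the timeout rule can be unit-tested without a real session.
function session_is_idle(?int $lastActivity, int $now, int $limit = SESSION_IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

function start_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // The server-side lifetime must be at least our own idle limit, otherwise
    // the data can vanish before we consider the login expired.
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1');  // refuse session ids we did not issue
    ini_set('session.use_only_cookies', '1'); // never read the id from the URL
    session_set_cookie_params([
        'lifetime' => 0,       // cookie lives until the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (session_is_idle($_SESSION['last_activity'] ?? null, $now)) {
        // Expired: throw the old data away and continue with a fresh session.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;

    // Periodic id rotation shortens the useful life of a stolen session id.
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    } elseif (($now - $_SESSION['created']) > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['created'] = $now;
    }
}

// Usage: call start_session() at the top of config.php before any output,
// then keep using $_SESSION['uid'] etc. exactly as in the question.
```

With this in place the 4-minute disappearance reported in the question can be diagnosed separately: if the login still vanishes early, something outside the application (the Debian cron job, a restart, a script clearing session.save_path) is removing the data, because the application now records exactly when it considers a session idle.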
0

You have not mentioned how you are using the logged_in function.
When you close a browser your session will be destroyed, so the userid, username and email values will be null.
After checking whether a cookie value is set or not, based on the cookie value you have to fetch the corresponding values from the database and set the values in the session. You have to follow this kind of flow for achieving a persistent login system. I hope this answer helps you in understanding this login system.

Anant Waykar
0

Check Robbie's answer.

In case you cannot adjust the PHP configuration you can use HTTP Auth as well. It does not expire. However, in this case the password is transmitted every time the visitor requests a web page.

Nick
-3

This is the wrong way to handle this. In order to implement cookie auto-login, you should store all your required login data in the cookie, but you must encrypt them to prevent problems later.

Example Cookie:

token = USER_ID:USER_NAME:HASHED_PASSWORD

The colon is the separator, so you can use explode to get the components of the login token. Then you can check this info against the database entries.

Good Luck!

hmak.me
  • Never store passwords on cookies. Not even hashed passwords. – David Rojo Oct 26 '16 at 22:22
  • @DavidRojo So how you're gonna implement "remember me" in your login process? – hmak.me Oct 28 '16 at 05:46
  • 1
    You can create a token without exposing any personal data as id, user name or password and then in your database in a table you have the relation of the token and the user id. http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website/244907#244907 – David Rojo Oct 28 '16 at 09:01
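Robbie's answer ("store reference to a 'permanent session' you save on the server") and David Rojo's comment above both describe the same design: the cookie carries a random token that means nothing by itself, and a database table maps it to the user. The block below is an added example of that design and is not the asker's code or any answer's code. It assumes a PDO connection, a hypothetical table persistent_logins(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64), uid INT, expires INT), the hypothetical names REMEMBER_COOKIE, remember_login(), autologin_from_cookie(), forget_login() and logged_in(), HTTPS, PHP 7.3 or later, and that session_start() has already run. Contrast it with the question's logged_in(), which accepts any client-supplied "email" cookie as proof of login.

```php
<?php
// Added example, not the asker's code or any answer's code. Implements the
// "remember me" design from Robbie's answer and David Rojo's comment: the
// cookie holds only a random selector and validator, nothing about the user,
// and the database maps the selector to a hash of the validator, the user id
// and an expiry. Assumed: a PDO connection, the table
//   persistent_logins(selector CHAR(24) PRIMARY KEY, validator_hash CHAR(64),
//                     uid INT, expires INT)
// and the helper names below. Assumes HTTPS, PHP >= 7.3 and that
// session_start() has already been called.

declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 30 * 24 * 60 * 60; // 30 days

// Issue a new token: store hash(validator) server-side, send both halves to the browser.
function remember_login(PDO $pdo, int $uid): void
{
    $selector  = bin2hex(random_bytes(12)); // 24 hex chars: lookup key, safe to log
    $validator = bin2hex(random_bytes(32)); // 64 hex chars: the secret, never stored raw
    $expires   = time() + REMEMBER_LIFETIME;

    $pdo->prepare('INSERT INTO persistent_logins (selector, validator_hash, uid, expires) VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $uid, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',      // sent on every page, not only the login directory
        'secure'   => true,
        'httponly' => true,     // not readable by JavaScript
        'samesite' => 'Lax',
    ]);
}

// Validate the cookie. Returns the user id on success, null otherwise.
function autologin_from_cookie(PDO $pdo): ?int
{
    $raw   = $_COOKIE[REMEMBER_COOKIE] ?? '';
    $parts = explode(':', $raw, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $pdo->prepare('SELECT validator_hash, uid, expires FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // hash_equals() keeps the comparison constant-time, so response timing
    // does not leak how many bytes of the validator were right.
    $valid = $row !== false
        && (int) $row['expires'] >= time()
        && hash_equals($row['validator_hash'], hash('sha256', $validator));

    // Single use: the presented token is deleted whether or not it was valid.
    // A known selector with a wrong validator suggests the cookie was copied.
    $pdo->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
    if (!$valid) {
        forget_login();
        return null;
    }

    $uid = (int) $row['uid'];
    session_regenerate_id(true);   // fresh session id for the newly authenticated session
    $_SESSION['uid'] = $uid;
    remember_login($pdo, $uid);    // rotate: issue a replacement token
    return $uid;
}

// Clear the cookie; on logout the caller should also delete the user's rows.
function forget_login(): void
{
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Replacement for the question's logged_in(): session first, then the token.
function logged_in(PDO $pdo): bool
{
    return isset($_SESSION['uid']) || autologin_from_cookie($pdo) !== null;
}
```

The selector/validator split is what lets the lookup use an ordinary indexed equality query while the secret half is still compared in constant time against a hash; storing only the hash means a copy of the table does not yield usable cookies. Because the token is rotated on every use, a stolen cookie that is replayed after the legitimate browser has already used it fails validation and is removed.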