
I'm new to cookies (and PHP in general, actually) and I want to implement a "remember me" system for the website I'm working on. After reading a lot of posts here and also on other websites, I understand that I shouldn't put the password or any other input from the user in the cookie. One solution was to use a remember_key in the database table, which gets regenerated each time a user signs in with the "remember me" checkbox checked. And when the user visits the page again, the code should select remember_key from the db and check if $_COOKIE['remember'] is the same as remember_key; if it is, then the user is logged in. But I'm not sure how to implement this. I have written some code in the way I thought I should, but I could use some help to see if what I already have is right and how to proceed. This is what I have now:

function rememberUser($id) {
    global $mysqli; // the connection is not visible inside the function unless declared (or passed in)

    $remember = md5(uniqid(mt_rand(), true));
    $stmt = $mysqli->prepare("UPDATE USERS SET USER_REMEMBER_KEY = ? WHERE USER_ID = ?");
    $stmt->bind_param('si', $remember, $id);
    $stmt->execute();
    // 30-day cookie; the last two arguments are secure = false, httponly = true
    setcookie("remember", $remember, time()+60*60*24*30, "/", "www.someName.com", false, true);
}

function isValidUser($id) {
    global $mysqli;

    if (!isset($_COOKIE['remember'])) {
        return false; // no cookie was sent, so there is nothing to compare
    }
    $remember = $_COOKIE['remember']; // bind_param binds by reference, so use a plain variable

    $stmt = $mysqli->prepare("SELECT * FROM USERS WHERE USER_REMEMBER_KEY = ? AND USER_ID = ?");
    $stmt->bind_param('si', $remember, $id);
    $stmt->execute();

    $stmt->store_result();
    $count = $stmt->num_rows;

    return $count == 1;
}

function forgetUser($id) { // not sure about this method at all!

    // expire the cookie: same name, path and domain as when it was set
    setcookie("remember", '', time()-3600, "/", "www.someName.com", false, true);

}

forgetUser() will delete $_COOKIE['remember'] (or the value of it?), but how does it know that it is the cookie for that particular person? I would like any comment/suggestion/tip/hint or anything else on the code I have now and how I can improve it.

For your information I already know about sessions, they're easy to use and more secure (I guess), but I need to keep users logged in for a longer time (like FB) and sessions are not good enough for that. I also heard that giving sessions a long lifetime won't guarantee their deletion.

About security: my website doesn't need to be super super secure, I think just this token will be enough?

Loolooii
  • That looks pretty well thought out. Remember you can also use PHP sessions [PHP](http://www.php.net/manual/en/function.session-start.php), it also stores a hash unique to the session. – Bradmage Mar 11 '12 at 15:54
  • But I already explained sessions don't stay undeleted long enough for me :) – Loolooii Mar 11 '12 at 16:01
  • I was just looking at the text at the bottom, and wasn't sure if you just added it, or if it's because I'm struggling to keep my eyes open :) sorry. – Bradmage Mar 11 '12 at 16:02
  • http://stackoverflow.com/search?q=%5Bphp%5D+persistent+login+cookie - also please see the Related column on the right --> – hakre Mar 11 '12 at 16:03
  • Good catch, personally I like to just use SSL certificates and drop a whole heap of authentication / security issues. – Bradmage Mar 11 '12 at 16:07
  • Exemplary: [Cookie token authentication login method](http://stackoverflow.com/questions/9117300/cookie-token-authentication-login-method) - Also [How to delete a cookie?](http://stackoverflow.com/search?q=%5Bphp%5D+How+to+delete+a+cookie%3F&submit=search) – hakre Mar 11 '12 at 16:09
  • As well as [What is the best way to implement “remember me” for a website?](http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website) – Leigh Mar 11 '12 at 16:26

1 Answer


I use the session for the secure part, and use either a hash or a user_id in the cookie. The cookie can only be accessed by your site. So unless someone else logs in on the same computer, if you have a long enough expiry, the cookie will just sit there. So the next week when they go back to your site, and it reads the cookie, you just start (whatever your version of a session is) with the user_id or hash that's stored in your database. If the hash doesn't match, the user has to login again.

I hope that's what you were after.

Edit:

// I can't remember why right now, But I found to delete the cookie properly,
// after setcookie, I had to unset the $_COOKIE also.
setcookie("userid", "", time() - 3600);
unset($_COOKIE['userid']);
Bradmage
  • Actually what you explained, is what I already know about cookies. I know that cookies are stored on the user's PC and sessions on the server. The third method is what I'm not sure about. Is that the right way to delete the cookie? Thanks. – Loolooii Mar 11 '12 at 16:05
  • No problems, good to see not everyone gets angry when they don't get the right answer first go. – Bradmage Mar 11 '12 at 16:14
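The following is an added example, written for this page and not code from either the asker or the answerer. It shows one way to build the three functions from the question (issue a remember-me token, validate it, forget it) together with the cookie-deletion point from the answer's edit. Instead of one `USER_REMEMBER_KEY` column it assumes a separate `REMEMBER_TOKENS` table (a constructed schema), uses PDO with an in-memory SQLite database so it runs stand-alone, and splits the cookie into a selector (looked up by index) and a validator (stored only as a SHA-256 hash, compared in constant time). That split means a copy of the database table does not hand an attacker usable cookies, and a second device logging in gets its own row instead of overwriting the first device's key. The `setcookie` options-array form requires PHP 7.3 or later.

```php
<?php
// Added example (not from the question or the answer). Assumptions: a PDO
// connection, a constructed REMEMBER_TOKENS table, and a cookie named "remember".
const COOKIE_NAME = 'remember';
const COOKIE_TTL  = 60 * 60 * 24 * 30; // 30 days, as in the question

function setupSchema(PDO $db): void {
    // One row per issued token, so several browsers can be remembered at once.
    $db->exec('CREATE TABLE REMEMBER_TOKENS (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires        INTEGER NOT NULL)');
}

// Issue a token. The browser receives "selector:validator"; the database keeps
// only sha256(validator), so a leaked table cannot be replayed as a cookie.
function rememberUser(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(8));   // CSPRNG, not md5(uniqid())
    $validator = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO REMEMBER_TOKENS (selector, validator_hash, user_id, expires)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + COOKIE_TTL]);

    $cookieValue = $selector . ':' . $validator;
    // Secure: only sent over HTTPS. HttpOnly: not readable by page scripts.
    // SameSite=Lax: not sent on cross-site POSTs. No domain is given, so the
    // cookie is scoped to the exact host that set it.
    setcookie(COOKIE_NAME, $cookieValue, [
        'expires'  => time() + COOKIE_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $cookieValue;
}

// Return the user id the cookie belongs to, or null. The selector is the
// lookup key; the validator is checked with hash_equals so the comparison
// does not leak timing information.
function userFromCookie(PDO $db, ?string $cookieValue): ?int {
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM REMEMBER_TOKENS WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null; // unknown selector or expired token
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector but wrong validator: most likely a guessed or tampered
        // cookie, so revoke this token rather than leave it to be retried.
        forgetToken($db, $selector);
        return null;
    }
    return (int)$row['user_id'];
}

function forgetToken(PDO $db, string $selector): void {
    $stmt = $db->prepare('DELETE FROM REMEMBER_TOKENS WHERE selector = ?');
    $stmt->execute([$selector]);
}

// Logout. The cookie is only ever the one the current browser sent, which is
// how "it knows which person": each browser holds its own token. Deleting the
// server-side row makes the cookie worthless even if the browser keeps it, and
// the cookie is expired with the same name/path it was set with (the answer's
// edit); unsetting $_COOKIE keeps the rest of this request from trusting it.
function forgetUser(PDO $db, ?string $cookieValue): void {
    if ($cookieValue !== null && strpos($cookieValue, ':') !== false) {
        forgetToken($db, explode(':', $cookieValue, 2)[0]);
    }
    setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/',
                                'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    unset($_COOKIE[COOKIE_NAME]);
}

// Stand-alone run against the in-memory database (output is collected so no
// headers are touched after output has started).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
setupSchema($db);
$out = [];
$cookie = rememberUser($db, 42);
$out[] = 'valid cookie   -> user ' . var_export(userFromCookie($db, $cookie), true);
$out[] = 'garbage cookie -> user ' . var_export(userFromCookie($db, 'nope:nope'), true);
$tampered = explode(':', $cookie)[0] . ':' . str_repeat('0', 64);
$out[] = 'tampered       -> user ' . var_export(userFromCookie($db, $tampered), true);
$out[] = 'after tamper   -> user ' . var_export(userFromCookie($db, $cookie), true);
forgetUser($db, rememberUser($db, 42));
echo implode(PHP_EOL, $out), PHP_EOL;
```

Run it with the PHP CLI; the tampered cookie (right selector, wrong validator) returns null and also revokes the original token, which is why the fourth line shows null too. In a real application the lookup happens once per request, before any session is started, and a successful lookup should start a fresh session for that user id; in the question's own design, note that a single `USER_REMEMBER_KEY` column means the cookie should be compared with `hash_equals` rather than `==` and that `forgetUser` should also blank the column, since expiring a cookie only affects the browser that sent it.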