

How is "remember me" functionality implemented in famous websites? - yassersouri

I want to implement a login system for my website. I want to know how I can implement a "remember me" functionality. I've read about this on the web, but I want to know how this is implemented by the big guys like Google, Facebook or Amazon.
======
bl4k
They simply set a second cookie ID with a much longer expiration.

With most webapp frameworks, the default cookie that is set for session
management only lasts the lifetime of that browser window being open.

If you let me know what lang your backend is in, I could point you to a
reference to do this. eg.

PHP - <http://au.php.net/setcookie>
Django - <http://docs.djangoproject.com/en/dev/topics/http/sessions/#setting-test-cookies>

~~~
yassersouri
I know that, but what is in that cookie? P.S.: I use PHP

~~~
bl4k
Set the userid in the cookie, and set the lifetime to be 10 years (or
whatever) into the future. In your app you then check if that cookie exists,
and if it does look up the user id and log them in automatically.

The other way to do it is to use the existing session support. If the
'remember me' box is checked, you change the session so that instead of it
expiring at the end of the browser session, it expires way into the future.

ie. your login script probably looks like this:

    
    
      session_start();
      $username = filter_func($_POST['username']);
      $password = filter_func($_POST['password']);
      // compares the submitted password directly in SQL, so the stored value
      // has to be whatever filter_func() produces (plain text unless it hashes)
      $user = $db->query('select userid from users where username = ? and password = ?', $username, $password);
      if ($user) {
        // user is logged in
        $_SESSION['loggedin'] = true;
      } else {
        // show login page with error
      }
    

you need to change it to:

    
    
      $username = filter_func($_POST['username']);
      $password = filter_func($_POST['password']);
      // an unchecked box sends no 'rememberme' field at all, so test for presence
      $remember = !empty($_POST['rememberme']);
      $user = $db->query('select userid from users where username = ? and password = ?', $username, $password);
      if ($user) {
        // user is logged in
        if ($remember) {
          // number of seconds in 10 years; session_set_cookie_params() takes
          // the lifetime as a duration in seconds, not an absolute timestamp
          $lifetime = 10 * 365 * 24 * 60 * 60;
          session_set_cookie_params($lifetime);
        }
        session_start();
        session_regenerate_id(true);   // fresh session ID on login (defeats session fixation)
        $_SESSION['loggedin'] = true;
      } else {
        // show login page with error
      }
    

the key function is session_set_cookie_params() which will let you alter the
cookie that the session store uses prior to setting it:

<http://php.net/session_set_cookie_params>

note: you need to call it before you call session_start(). $lifetime just
calculates the number of seconds in 10 years, and the time set is time() (ie.
now) plus the number of seconds in 10 years.

note: filter_func is a function that you write that will filter input
variables, and $db is whatever your db class or access method is.

note: you also need to filter $_SESSION. most devs have a class that they wrap
$_SESSION in rather than using it directly.
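
As an added example (not bl4k's code, and not something the original thread contains), here is the "stretch the session itself" variant above with the two things it needs to actually work and to be safe: PHP's session_set_cookie_params() takes the lifetime as a duration in seconds, and the server deletes idle session data after session.gc_maxlifetime seconds (1440 by default), so a long-lived cookie is useless unless that limit is raised too. The cookie also needs the Secure, HttpOnly and SameSite attributes. The constants, the $userId value and the demo input are invented; the options-array form of session_set_cookie_params() requires PHP 7.3 or later.

```php
<?php
// Added example, not bl4k's code: the "stretch the session" approach with the
// settings it needs to actually work and to be safe. Assumes PHP 7.3+ (options
// array form of session_set_cookie_params); the constant and $userId are invented.

declare(strict_types=1);

const REMEMBER_SECONDS = 10 * 365 * 24 * 60 * 60; // the thread's 10 years

/** Must run before session_start(); $remember is the checkbox state. */
function configure_session(bool $remember): void
{
    // Duration in seconds; 0 means "until the browser closes".
    $lifetime = $remember ? REMEMBER_SECONDS : 0;

    // A long cookie is pointless if the server garbage-collects the session
    // data first: session.gc_maxlifetime defaults to 1440 s (24 minutes).
    ini_set('session.gc_maxlifetime', (string) max(1440, $lifetime));
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    ini_set('session.use_only_cookies', '1');  // never accept the ID from the URL

    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // invisible to page scripts
        'samesite' => 'Lax',
    ]);
}

/** Call once the password check has succeeded. */
function log_in(int $userId, bool $remember): void
{
    configure_session($remember);
    session_start();
    session_regenerate_id(true);  // new ID on login, old one discarded (fixation defence)
    $_SESSION['loggedin'] = true;
    $_SESSION['userid']   = $userId;
}

// --- demo with constructed values: `php session_remember.php --remember` ----
$remember = !empty($_POST['rememberme']) || in_array('--remember', $argv ?? [], true);
log_in(42, $remember);
printf("user %d, session %s, cookie lifetime %d s\n",
    $_SESSION['userid'], session_id(), session_get_cookie_params()['lifetime']);
```

Raising gc_maxlifetime globally keeps every session alive that long, including ones where the box was not ticked; if that matters, keep the default and move the "remember me" state into a separate token cookie instead of the session.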

~~~
yassersouri
thank you. But this totally lacks security. What if someone steals the cookie?

~~~
bl4k
you are screwed either way. that is what Firesheep does

the solution is to use SSL and set the secure flag on the cookie

~~~
yassersouri
I mean what if someone steals your cookie from your machine and copies it to
his machine, this way he can login as you. I feel there is a way to prevent
this, but I have no idea

~~~
bl4k
no way to prevent it, just the way it works. there you are relying on local
machine security and the user not keeping themselves logged in, etc.

do use SSL, though

------
singer
You could store an encrypted username and password, or a session id if you
don't want to store the username and password locally. Storing the password
locally is not the best idea, but it's easier than tracking a session id.

[http://fishbowl.pastiche.org/2004/01/19/persistent_login_coo...](http://fishbowl.pastiche.org/2004/01/19/persistent_login_cookie_best_practice)

[http://jaspan.com/improved_persistent_login_cookie_best_prac...](http://jaspan.com/improved_persistent_login_cookie_best_practice)
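
As an added example (not singer's code, and not from either linked article verbatim), this is the "second cookie with a longer expiration" approach from bl4k's first reply built along the lines of the persistent-login scheme the jaspan.com link above describes: the cookie carries a selector that is looked up in the clear and a random validator of which only a hash is stored, the validator is rotated on every successful use, and a presented cookie whose selector is known but whose validator is wrong is treated as a replayed copy, which revokes every token of that user. That is what answers the "what if someone copies the cookie" question above: the copy cannot be prevented, but its use after the real browser has rotated the token is detected. The in-memory array standing in for the database table, the cookie name, the user id and the demo timings are constructed; setcookie() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example, not code from the thread. A "remember me" token kept in its
// own long-lived cookie, separate from the PHP session cookie, along the lines
// of the persistent-login scheme in the jaspan.com link above: the cookie
// holds a selector (looked up in the clear) and a validator (only its hash is
// stored). The storage array, cookie name and user id are constructed for
// the demo; requires PHP 7.3+ for the setcookie() options array.

declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember';        // assumed cookie name
const REMEMBER_LIFETIME = 30 * 24 * 60 * 60; // 30 days, in seconds

// Stands in for a database table: selector => [user_id, validator_hash, expires].
$remember_tokens = [];

/** Issue a token for $userId; returns the cookie value "selector:validator". */
function issue_remember_token(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12)); // 24 hex chars, the lookup key
    $validator = bin2hex(random_bytes(32)); // 64 hex chars, the actual secret
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

/**
 * Check a presented cookie. Returns [user_id, rotated_cookie_value] when the
 * token is valid, else null. A known selector with the wrong validator means
 * a copy of the cookie was replayed after the real one rotated: treat it as
 * theft and revoke every token of that user.
 */
function check_remember_token(array &$store, string $cookie, int $now): ?array
{
    if (!preg_match('/\A([0-9a-f]{24}):([0-9a-f]{64})\z/', $cookie, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    if (!isset($store[$selector])) {
        return null;                             // unknown or already revoked
    }
    $row = $store[$selector];
    if ($row['expires'] <= $now) {
        unset($store[$selector]);
        return null;
    }
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        revoke_user_tokens($store, $row['user_id']);
        return null;
    }
    // Valid: keep the selector, rotate the validator so the old cookie value
    // cannot be reused. The caller should now session_regenerate_id() and
    // set $_SESSION['userid'] = $row['user_id'].
    $validator = bin2hex(random_bytes(32));
    $store[$selector]['validator_hash'] = hash('sha256', $validator);
    return [$row['user_id'], $selector . ':' . $validator];
}

function revoke_user_tokens(array &$store, int $userId): void
{
    foreach ($store as $selector => $row) {
        if ($row['user_id'] === $userId) {
            unset($store[$selector]);
        }
    }
}

/** Send the cookie with the attributes a long-lived login cookie needs. */
function send_remember_cookie(string $value, int $now): void
{
    if (headers_sent()) {
        return; // nothing to send from the CLI demo below
    }
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $now + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // HTTPS only (the "secure flag" mentioned above)
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// --- demo with constructed values, run with `php remember.php` -------------
$now = time();
$cookie = issue_remember_token($remember_tokens, 42, $now);
send_remember_cookie($cookie, $now);
echo "issued: $cookie\n";

// The real browser comes back an hour later: accepted, validator rotated.
[$uid, $cookie2] = check_remember_token($remember_tokens, $cookie, $now + 3600) ?? [null, ''];
echo "return visit: user $uid, cookie rotated to $cookie2\n";

// Someone who copied the first cookie replays it: rejected, and because the
// selector was known, every token for user 42 is revoked ...
$replay = check_remember_token($remember_tokens, $cookie, $now + 7200);
echo "replay of stolen cookie: " . ($replay === null ? "rejected" : "accepted?!") . "\n";

// ... so the legitimate browser is also logged out and must re-enter the password.
$legit = check_remember_token($remember_tokens, $cookie2, $now + 7300);
echo "legitimate cookie afterwards: " . ($legit === null ? "rejected" : "accepted") . "\n";
```

Only the hash of the validator is stored, so a read-only leak of the table does not hand out usable cookies; the selector exists so the lookup is by key rather than by scanning hashes, and hash_equals() keeps the comparison constant-time. Storing a password, or a hash of username and password, in the cookie gives the user nothing to revoke without changing the password, which is why the token here is independent of it.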

------
RiderOfGiraffes
Whatever they would normally type to login, take it all and hash it together.
So, for example, hash together their username and password, then store that in
a cookie on the user's machine.

When they connect, retrieve that cookie (if it exists) and map it to their
account.

