PHP Autologin function to login script

Question

How would I implent an autologin feature to this script?

session_start();
$result = mysql_query(\"SELECT id FROM users 
                       WHERE username         


        

Answer 1

That is a very insecure method of having an auto-login. You should never store the password anywhere in plaintext.

A better strategy is as follows:

1. Present the normal login form, with a checkbox for "auto login".
   • If the auto login box is checked, then you verify their username and password normally. If this is successful, you can then set a special cookie for auto-logins.
   • Give the special cookie a name like 'autologin', and a value that contains their username, and a salted md5 hash of their user data. Something like "user=username&hash=123456xyz.etc".
   • When you see the user next time and want to auto-log-them-in, you check for this special cookie and verify its contents. Split off the username and hash, then fetch the account out of the database based on the username and re-do the md5 to compare to the cookie hash data. If it's valid, you can log them in (ie. start a new session).

Answer 2

First, you don't want to save the username and password to the cookie. That's a bad idea.

A simple method of thinking of this would be:

1) Create a new field in the users table that stores an MD5 hash. You can call it session_key.
2) When you submit the page, the script should do the following.

• Validate the username and password
• If it is a good username and password pair, check for the saveLogin variable
• If the saveLogin variable is set, generate an md5 and store that in the database. Also store that md5 in a cookie. Be sure the database table has a cookie-expires field as well.
• Build the session data that you need.
• Redirect to ./

3) On your ./ page, do the following:

• Check to see if the session still exists. If so, then render the page.
• If the session does not exist, check for the cookie.
• If the cookie exists, look up that session id in the database and be sure it hasn't expired. then build the session and render the page.

This should make your app a bit more secure. It may not be the best way of coding, but the concepts should give you an idea of how to make a fairly secure login page.

Answer 3

You should take their username, IP address, and some kind of hash (as zombat suggested), encrypt all of it (probably using Base64) and store the resulting string as their cookie. This way, someone can't spoof or steal the cookie, because even if they did, the decrypted IP address wouldn't match the IP address that the request was coming from. It's also better to use whitelists instead of dropping user input into a query.

So you'd get something like:

//First see if the auto-login cookie exists and is valid:

if($_COOKIE['autologin']) {
$users_query = "SELECT username FROM users WHERE last_login < SUBDATE(CURDATE(),30)";
$users_results = mysql_query($users_query);
while($row = mysql_fetch_assoc($users_result)) {
    $users = $row['username'];
}
$auto_cookie = $_COOKIE['autologin'];

$user_creds = explode("//", base64_decode($auto_cookie));

$user_name = $user_creds[0];
$user_IP = $user_creds[1];
$user_hash = $user_creds[2];

$username_check = (in_array($user_name, $users) ? true : false;
$userIP_check = ($user_IP = $_SERVER['REMOTE_ADDR']) ? true :false;

$so_far_so_good = ($username_check && $userIP_check) ? true : false;

if($so_far_so_good) {
$hash_query = "SELECT hash FROM userhash WHERE username = '$user_name'";
$hash_results = mysql_query($hash_query);
$all_clear = ($user_hash == mysql_result($hash_results,0)) ? true : false;
}

}

//Checks Login Data:
if($_POST) {
    $users_query = "SELECT username FROM users";
$users_results = mysql_query($users_query);
while($row = mysql_fetch_assoc($users_result)) {
    $users = $row['username'];
}

$username_check = (in_array($user_name, $users) ? true : false;

$password_check = password_check();
// I do not feel comfortable enough with encryption and authentication to suggest
// a method here. Suffice to say, you should have a strong password check system.

$all_clear = ($username_check && $password_check) ? true : false;

// You should only throw a log in error when they have attempted a login. Do not
// give hints at your authentication methods in auto-login section.

$set_cookie = ($all_clear && $_POST['set-auto']) ? true : false;
if($set_cookie) {
   $new_hash = hash_maker();
   // Again, look to the others for best hashing technique.
   $raw_cookie_data = $user_name . "//" . $_SERVER['REMOTE_ADDR'] . "//" . $new_hash;
   $enc_cookie_data = base64_encode($raw_cookie_data);
   setcookie("autologin", $enc_cookie_data, time()+3600);
    }
}

if($all_clear) {
   echo "Welcome Back!";
  }
 else {
    //print login form here...
 }

Answer 4

We can create auto login using cookies in php , this feature is required in case you want to create web view of your website , as mobile user don’t want to login every time they open your android app (web view of your web site. You can use the code below tom implement the auto-login on your php based website

<?php

session_start();

include(“connect.php”); // your mysql connect code

// code to read user name and password in cookies on client machine
if(isset($_COOKIE[“username”])) $email= $_COOKIE[“username”]; else $email=””;
if(isset($_COOKIE[“password”])) $pwd=$_COOKIE[“password”]; else $pwd=””;

// if cookies are set for login details then we compare the login details with database //and redirect the user directly to page after login so user is not required to input //login details and then  click on login button

if ($email!=””)
{
$sql= “select * from members where username='”.$email.”‘ and user_pwd='”.$pwd.”‘”;
$result = mysqli_query($con,$sql);
$row = mysqli_fetch_array($result);
$count = mysqli_num_rows($result);
if($count > 0 && $row[‘auto_login’]==1)
{

$_SESSION[‘uname’] = $email;
$_SESSION[‘uid’]=$row[‘id’];
setcookie (“username”,$email,time()+ 3600);
setcookie (“password”,$pwd,time()+ 3600);
header(‘Location:myhome.php’);
}
}
?>
<!DOCTYPE html>
<html lang=”en”>
<head>
<title>My Expense-Login</title>
<meta charset=”utf-8″>
<meta name=”viewport” content=”width=device-width, initial-scale=1″>
<link rel=”stylesheet” href=”https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/css/bootstrap.min.css”>
<script src=”https://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js”></script>
<script src=”https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.7/umd/popper.min.js”></script>
<script src=”https://maxcdn.bootstrapcdn.com/bootstrap/4.3.1/js/bootstrap.min.js”></script>
</head>
<body>
<?php include(“top-menu-login.php”); ?>
<div class=”container”>
<div class=”row”>

<div class=”col-md-3″></div>
<div class=”col-md-6″>
<h2 class=”text-center”>User Login</h2>

<div id=”message”></div>
<div class=”form-group”>
<label for=”email”>Email address:</label>

<!– here we check if cookies is set then auto fill the login details –>
<input type=”email” class=”form-control” id=”email” name=”email” value=”<?php if(isset($_COOKIE[“username”])) { echo $_COOKIE[“username”]; } ?>”>
</div>
<div class=”form-group”>
<label for=”pwd”>Password:</label>
<input type=”password” class=”form-control” id=”pwd” name=”pwd” value=”<?php if(isset($_COOKIE[“password”])) { echo $_COOKIE[“password”]; } ?>” >
</div>
<div class=”form-group ml-4″>
<label class=”form-check-label”>
<input class=”form-check-input” type=”checkbox” name=”remember” id=”remember” <?php if(isset($_COOKIE[“username”])) { echo “checked”; } ?>> Auto Login
</label>
<label class=”form-signup”>
<a href=”forgot-pass.php” class=”btn btn-light”> Forgot Passsword </a>
</label>
</div>
<button type=”button” class=”btn btn-primary” id=”btn-submit”>Submit</button>
<button type=”button” class=”btn btn-success” id=”btn-register”>Register</button>

</div>
<div class=”col-md-3″><br>

</div>
</div>
</div>
</body>
</html>