PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Thu Oct 12, 2017 5:20 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Php Masters!

Every PHP persistent cookie tutorial I come across always saves the user's password onto the user's HDD. To make things worse, it saves it on the HDD without encrypting it.
Now, I thought it would be best if the cookie got named after the user's computer's MAC address and the MAC address got saved in the DB.
Then, when the user loads the login page, the cookie can check its cookie name against the DB and if there is a match then auto log the user into his/her account.
But now I read that it is not possible to acquire the user's MAC address unless the user is on the same LAN as my web server.

Q1a. So, what else can act as a substitute for the MAC address? What else can PHP grab from the user's computer which it can use as a reference against the username to identify that it is the same user?
IPs change. No good using that.

Q1b. How about the user's computer name? Can it grab that from the user's computer so it can use that as the MAC substitute or use that as the cookie name?

Q1c. Or maybe I just get the script to name the cookie in this format:

username-ip

And make that cookie available as long as the user has not got his/her ip changed.
That way, when the user loads the login page whilst the IP hasn't changed, the cookie can check its cookie name (username-ip) against the DB and if there is a match then auto log the user into his/her account. What do you think?
Can you guys show me how to do this by editing my code ?
I have been googling all night and reading whatever I find on the subject. But, I am still stuck and need to see some code samples to clear the confusion.

Code:
    <?php
    session_start();
    if (!empty($_POST["login"])) {
        $conn = mysqli_connect("localhost", "root", "", "blog_samples");
        // The posted username and password are concatenated straight into the query
        // (so the query is injectable) and the password is matched as an unsalted MD5.
        $sql = "Select * from members where member_name = '" .
            $_POST["member_name"] . "' and member_password = '" .
            md5($_POST["member_password"]) . "'";
        $result = mysqli_query($conn, $sql);
        $user = mysqli_fetch_array($result);
        if ($user) {
            $_SESSION["member_id"] = $user["member_id"];

            if (!empty($_POST["remember"])) {
                // "Remember me": the username and the plaintext password are written
                // to cookies that live for ten years.
                setcookie("member_login", $_POST["member_name"], time() + (10 * 365 * 24 * 60 * 60));
                setcookie("member_password", $_POST["member_password"], time() + (10 * 365 * 24 * 60 * 60));
            } else {
                // Setting an empty value removes the cookie again.
                if (isset($_COOKIE["member_login"])) {
                    setcookie("member_login", "");
                }
                if (isset($_COOKIE["member_password"])) {
                    setcookie("member_password", "");
                }
            }
        } else {
            $message = "Invalid Login";
        }
    }
    ?>
    <style>
        #frmLogin {
            padding: 20px 60px;
            background: #B6E0FF;
            color: #555;
            display: inline-block;
            border-radius: 4px;
        }
        .field-group {
            margin-top: 15px;
        }
        .input-field {
            padding: 8px;
            width: 200px;
            border: #A3C3E7 1px solid;
            border-radius: 4px;
        }
        .form-submit-button {
            background: #65C370;
            border: 0;
            padding: 8px 20px;
            border-radius: 4px;
            color: #FFF;
            text-transform: uppercase;
        }
        .member-dashboard {
            padding: 40px;
            background: #D2EDD5;
            color: #555;
            border-radius: 4px;
            display: inline-block;
        }
        .member-dashboard a {
            color: #09F;
            text-decoration: none;
        }
        .error-message {
            text-align: center;
            color: #FF0000;
        }
    </style>

    <?php if (empty($_SESSION["member_id"])) { ?>
    <form action="" method="post" id="frmLogin">
        <div class="error-message"><?php if (isset($message)) { echo $message; } ?></div>
        <div class="field-group">
            <div><label for="member_name">Username</label></div>
            <!-- Cookie values are HTML-escaped before being echoed into the attribute. -->
            <div><input name="member_name" id="member_name" type="text" value="<?php
                if (isset($_COOKIE["member_login"])) { echo htmlspecialchars($_COOKIE["member_login"]); } ?>"
                class="input-field"></div>
        </div>
        <div class="field-group">
            <div><label for="member_password">Password</label></div>
            <div><input name="member_password" id="member_password" type="password" value="<?php
                if (isset($_COOKIE["member_password"])) { echo htmlspecialchars($_COOKIE["member_password"]); } ?>"
                class="input-field"></div>
        </div>
        <div class="field-group">
            <div><input type="checkbox" name="remember" id="remember" <?php
                if (isset($_COOKIE["member_login"])) { ?> checked <?php } ?> />
                <label for="remember">Remember me</label></div>
        </div>
        <div class="field-group">
            <div><input type="submit" name="login" value="Login" class="form-submit-button"></div>
        </div>
    </form>
    <?php } else { ?>
    <div class="member-dashboard">You have successfully logged in! <a href="logout.php">Logout</a></div>
    <?php } ?>


Q1d. What do you think about this unique idea ? Let me know if the idea is flawed or not.
During registration, the system would ask the user to upload any img.
During persistent cookie checking (meaning, when the user has loaded login.php or home.php), the user would be shown a list of images to select from. If he/she selects the right one they uploaded during registration, then the system (cookie) would auto log them in.
Alternatively, the user can be shown a question and a few answer options in a checkbox or dynamic drop-down UI that lists the correct answer as well as the incorrect answers. If the user selects the correct answer from the answer options then the user is auto logged in. Clicking the mouse is simpler than typing the username & password. And so, this little ID check won't bother the user that much. Would it bother you, as a user?

Alternatively, the user can be shown a list of images where an image can be of his/her family member (eg, brother, uncle) and a question that asks "what is this person to you?" and show a few answer options in a checkbox such as:
1. Brother;
2. Uncle;
3. Friend;

etc. If the user selects the right answer then he/she is auto logged in. Else not.
If you like any of the ideas mentioned in Q1d, then how-about editing my code and showing us newbies a sample code on how to achieve the one you liked ?

Thanks!


PostPosted: Thu Oct 12, 2017 5:34 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
Don't store the user's password anywhere, ever. Why does their cookie need to contain their credentials at all? Once they log in, you can assign some arbitrary token to their cookie and keep track of what that means in your database. As for your question idea, I feel like that would compromise your account integrity. Many people will know your uncle's name or answers to basic questions.



PostPosted: Sat Oct 14, 2017 5:35 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197


PostPosted: Sat Oct 14, 2017 8:36 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada

PostPosted: Sat Oct 14, 2017 8:39 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada

PostPosted: Fri Oct 20, 2017 6:03 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Thanks Celeraun.


PostPosted: Sat Oct 21, 2017 2:18 pm 
Forum Regular

Joined: Fri Sep 05, 2008 3:34 pm
Posts: 539
Location: Victoria, BC
You should use a salted hash value in a cookie to identify a user; this way it's secure.


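The token-based "remember me" the moderator describes (an arbitrary token in the cookie, tracked in the database) and the hashed cookie value the last reply mentions, written out as an added example; this is not the original poster's code and not code from anyone in this thread. It assumes a mysqli connection `$conn`, a table `remember_tokens(selector, token_hash, member_id, expires)` that does not appear on the page, PHP 7.3 or newer for the `setcookie()` options array, and the mysqlnd driver for `get_result()`. Because the secret half of the token is 32 random bytes, hashing it with plain SHA-256 is enough to keep a copied database from yielding usable cookies; a salt only matters when the input is guessable, like a password.

```php
<?php
// Added example: credential-free "remember me" cookie.
// Assumed schema (not from the thread):
//   remember_tokens(selector CHAR(24) PRIMARY KEY, token_hash CHAR(64),
//                   member_id INT, expires DATETIME)

const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 30 * 24 * 60 * 60;   // 30 days, not 10 years

// Call this after a successful username/password login when "remember" was ticked.
function issue_remember_token(mysqli $conn, int $memberId): void
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key (24 hex chars)
    $validator = bin2hex(random_bytes(32));   // secret half, lives only in the cookie
    $hash      = hash('sha256', $validator);  // the DB only ever sees the hash
    $expires   = date('Y-m-d H:i:s', time() + REMEMBER_LIFETIME);

    $stmt = $conn->prepare(
        'INSERT INTO remember_tokens (selector, token_hash, member_id, expires) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssis', $selector, $hash, $memberId, $expires);
    $stmt->execute();

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from page scripts
        'samesite' => 'Lax',
    ]);
}

// Call this on login.php / home.php when there is no active session.
// Returns the member id the cookie proves, or null if it proves nothing.
function member_id_from_remember_cookie(mysqli $conn): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $conn->prepare(
        'SELECT token_hash, member_id FROM remember_tokens WHERE selector = ? AND expires > NOW()'
    );
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row) {
        return null;
    }

    // Constant-time comparison of the stored hash with the hash of the presented secret.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        // Right selector, wrong secret: treat the token as compromised and drop it.
        forget_remember_token($conn, $selector);
        return null;
    }
    return (int) $row['member_id'];
}

// Revoke one token (on logout, or on a failed validator check above).
function forget_remember_token(mysqli $conn, string $selector): void
{
    $stmt = $conn->prepare('DELETE FROM remember_tokens WHERE selector = ?');
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Usage at the top of login.php, after session_start() and opening $conn:
// if (empty($_SESSION['member_id'])) {
//     $id = member_id_from_remember_cookie($conn);
//     if ($id !== null) {
//         session_regenerate_id(true);   // new session id before elevating the session
//         $_SESSION['member_id'] = $id;
//     }
// }
```

Splitting the cookie into a selector and a validator lets the lookup use an indexed equality match while the secret is compared with `hash_equals()`, so a timing difference in the query never leaks which selectors exist. Nothing in the cookie or the table can be turned back into the user's password, which is the point of the moderator's reply.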