PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
PostPosted: Thu Oct 12, 2017 5:20 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 178
Php Masters!

Every PHP persistent cookie tutorial I come across always saves the user's password onto the user's HDD. To make things worse, it saves it on the HDD without encrypting it.
Now, I thought it would be best if the cookie got named after the user's computer's MAC address and the MAC address got saved in the DB.
Then, when the user loads the login page, the cookie can check its cookie name against the DB and, if there is a match, auto log the user into his/her account.
But now I read that it is not possible to acquire the user's MAC address unless the user is on the same LAN as my webserver.

Q1a. So, what else can act as a substitute for the MAC address? What else can PHP grab from the user's computer which it can use as a reference against the username to identify that it is the same user?
IPs change. No good using that.

Q1b. How about the user's computer name? Can it grab that from the user's computer so it can use that as the MAC substitute or use that as the cookie name?

Q1c. Or maybe I just get the script to name the cookie in this format:

username-ip

And make that cookie available as long as the user has not had his/her IP changed.
That way, when the user loads the login page while the IP hasn't changed, the cookie can check its cookie name (username-ip) against the DB and, if there is a match, auto log the user into his/her account. What do you think?
Can you guys show me how to do this by editing my code?
I have been googling all night and reading whatever I find on the subject. But I am still stuck and need to see some code samples to clear the confusion.

Code:
<?php
session_start();
if (!empty($_POST["login"])) {
    $conn = mysqli_connect("localhost", "root", "", "blog_samples");
    // Prepared statement so the submitted values cannot change the query
    $stmt = mysqli_prepare($conn,
        "SELECT * FROM members WHERE member_name = ? AND member_password = ?");
    $name   = $_POST["member_name"];
    $hashed = md5($_POST["member_password"]); // md5 is what this tutorial's table stores
    mysqli_stmt_bind_param($stmt, "ss", $name, $hashed);
    mysqli_stmt_execute($stmt);
    $user = mysqli_fetch_array(mysqli_stmt_get_result($stmt));
    if ($user) {
        $_SESSION["member_id"] = $user["member_id"];

        if (!empty($_POST["remember"])) {
            // Keeps the username and the plaintext password in cookies for 10 years
            // (this is the part the replies in this thread object to)
            $expires = time() + (10 * 365 * 24 * 60 * 60);
            setcookie("member_login", $_POST["member_name"], $expires);
            setcookie("member_password", $_POST["member_password"], $expires);
        } else {
            // An empty value makes PHP expire the cookie
            if (isset($_COOKIE["member_login"])) {
                setcookie("member_login", "");
            }
            if (isset($_COOKIE["member_password"])) {
                setcookie("member_password", "");
            }
        }
    } else {
        $message = "Invalid Login";
    }
}
?>
<style>
    #frmLogin {
        padding: 20px 60px;
        background: #B6E0FF;
        color: #555;
        display: inline-block;
        border-radius: 4px;
    }
    .field-group {
        margin-top: 15px;
    }
    .input-field {
        padding: 8px;
        width: 200px;
        border: #A3C3E7 1px solid;
        border-radius: 4px;
    }
    .form-submit-button {
        background: #65C370;
        border: 0;
        padding: 8px 20px;
        border-radius: 4px;
        color: #FFF;
        text-transform: uppercase;
    }
    .member-dashboard {
        padding: 40px;
        background: #D2EDD5;
        color: #555;
        border-radius: 4px;
        display: inline-block;
    }
    .member-dashboard a {
        color: #09F;
        text-decoration: none;
    }
    .error-message {
        text-align: center;
        color: #FF0000;
    }
</style>

<?php if (empty($_SESSION["member_id"])) { ?>
<form action="" method="post" id="frmLogin">
    <div class="error-message"><?php if (isset($message)) { echo $message; } ?></div>
    <div class="field-group">
        <div><label for="member_name">Username</label></div>
        <div><input name="member_name" id="member_name" type="text" class="input-field"
            value="<?php if (isset($_COOKIE["member_login"])) { echo htmlspecialchars($_COOKIE["member_login"]); } ?>"></div>
    </div>
    <div class="field-group">
        <div><label for="member_password">Password</label></div>
        <div><input name="member_password" id="member_password" type="password" class="input-field"
            value="<?php if (isset($_COOKIE["member_password"])) { echo htmlspecialchars($_COOKIE["member_password"]); } ?>"></div>
    </div>
    <div class="field-group">
        <div><input type="checkbox" name="remember" id="remember"
            <?php if (isset($_COOKIE["member_login"])) { echo "checked"; } ?> />
        <label for="remember">Remember me</label></div>
    </div>
    <div class="field-group">
        <div><input type="submit" name="login" value="Login" class="form-submit-button"></div>
    </div>
</form>
<?php } else { ?>
<div class="member-dashboard">You have successfully logged in! <a href="logout.php">Logout</a></div>
<?php } ?>


Q1d. What do you think about this unique idea? Let me know if the idea is flawed or not.
During registration, the system would ask the user to upload any image.
During persistent cookie checking (meaning, when the user has loaded login.php or home.php), the user would be shown a list of images to select from. If he/she selects the right one they uploaded during registration, then the system (cookie) would auto log them in.
Alternatively, the user can be shown a question and a few answer options in a checkbox or dynamic drop-down UI that lists the correct answer as well as the incorrect answers. If the user selects the correct answer from the answer options, then the user is auto logged in. Clicking the mouse is simpler than typing the username & password. And so, this little ID check won't bother the user that much. Would it bother you, as a user?

Alternatively, the user can be shown a list of images where an image can be of his/her family member (eg, brother, uncle) and a question that asks "what is this person to you?", and show a few answer options in a checkbox such as:
1. Brother;
2. Uncle;
3. Friend;

etc. If the user selects the right answer then he/she is auto logged in. Else not.
If you like any of the ideas mentioned in Q1d, then how about editing my code and showing us newbies sample code on how to achieve the one you liked?

Thanks!


 
PostPosted: Thu Oct 12, 2017 5:34 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6402
Location: Montreal, Canada
Don't store the user's password anywhere, ever. Why does their cookie need to contain their credentials at all? Once they log in, you can assign some arbitrary token to their cookie and keep track of what that means in your database. As for your question idea, I feel like that would compromise your account integrity. Many people will know your uncle's name or answers to basic questions.

_________________
Supported PHP versions No longer supported versions


 
PostPosted: Sat Oct 14, 2017 5:35 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 178
Celauran wrote:
Don't store the user's password anywhere, ever. Why does their cookie need to contain their credentials at all? Once they log in, you can assign some arbitrary token to their cookie and keep track of what that means in your database. As for your question idea, I feel like that would compromise your account integrity. Many people will know your uncle's name or answers to basic questions.


Thank you. That was worthy feedback.
However, do you mind showing me an example of how to write the code to fetch the token from the user's HDD? Because if I do not know how to write code to do the fetching, then I won't know what the token is to check against the DB. I know how to query the DB, though.

While going through many tutorials that keep showing how to write the username & password on the user's HDD, I grabbed these code samples. I do understand what they mean.

Code:
<?php
// Setting a cookie
setcookie("username", "John Carter", time()+30*24*60*60);
?>


Code:
<?php
// Verifying whether a cookie is set or not
if(isset($_COOKIE["username"])){
    echo "Hi " . $_COOKIE["username"];
} else{
    echo "Welcome Guest!";
}
?>


Code:
<?php
// Print cookie on screen
print_r($_COOKIE);
?>


Code:
<?php
// Deleting a cookie
setcookie("username", "", time()-3600);
?>


I am thinking of doing it like this ...
I set the cookie's partial name with my site so it would be easy for the code to search for the cookie in the user's hdd by doing a search on the partial name (my site name). Else, the code won't know what keywords to search for when searching for the cookie in the user's hdd.
Imagine my site is: mysite.com.
Now, I can use this to set the cookie:

Code:
<?php
// Setting a cookie
setcookie("mysite.com", "token-blah-blah-blah", time()+30*24*60*60);
?>


Then, when the user loads login.php or home.php, I can probably use this code to check whether the cookie & its token exist or not:

Code:
<?php
// Verifying whether a cookie is set or not
if(isset($_COOKIE["mysite.com"])){
//HERE I NEED TO WRITE CODE FOR THE SCRIPT TO GRAB THE TOKEN in order to do a db search for it. How to write that part of the code to grab the token ?
}
?>


 
PostPosted: Sat Oct 14, 2017 8:36 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6402
Location: Montreal, Canada
UniqueIdeaMan wrote:
However, do you mind showing me an example of how to write the code to fetch the token from the user's hdd ?

For fairly obvious security reasons, you do not have access to the file systems of your visitors. Store the token in your database.

_________________
Supported PHP versions No longer supported versions


 
PostPosted: Sat Oct 14, 2017 8:39 am 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6402
Location: Montreal, Canada
UniqueIdeaMan wrote:
I am thinking of doing it like this ...
I set the cookie's partial name with my site so it would be easy for the code to search for the cookie in the user's hdd by doing a search on the partial name (my site name). Else, the code won't know what keywords to search for when searching for the cookie in the user's hdd.
Imagine my site is: mysite.com.
Now, I can use this to set the cookie:

Code:
<?php
// Setting a cookie
setcookie("mysite.com", "token-blah-blah-blah", time()+30*24*60*60);
?>


Then, when the user loads login.php or home.php, I can probably use this code to check whether the cookie & its token exist or not:

Code:
<?php
// Verifying whether a cookie is set or not
if(isset($_COOKIE["mysite.com"])){
//HERE I NEED TO WRITE CODE FOR THE SCRIPT TO GRAB THE TOKEN in order to do a db search for it. How to write that part of the code to grab the token ?
}
?>

That is the part that fetches the cookie. You just read in the value and query your database for a match.

_________________
Supported PHP versions No longer supported versions


 
PostPosted: Fri Oct 20, 2017 6:03 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 178
Thanks, Celauran.


 
PostPosted: Sat Oct 21, 2017 2:18 pm 
Forum Contributor

Joined: Fri Sep 05, 2008 3:34 pm
Posts: 491
Location: Victoria, BC
You should use a salted hash value in a cookie to identify a user; this way it's secure.

_________________
Hardcore Games Legendary is the Only Way to Play!
Vegan Advocate 16 lbs grain to make only 1 lb meat, water for 6 months of showers and 34.1 lbs carbon dioxide
My sites are made with WordPress, which is a content management system, Joomla and Drupal are some alternatives
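The approach Celauran describes (an arbitrary token in the cookie, looked up in the database) combined with the last reply's point about storing only a hash, as an added example that is not code from anyone in this thread. It assumes an existing mysqli connection `$conn` and a `remember_tokens` table with the columns named in the comment; the function names are the example's own.

```php
<?php
// Added example (not code from the thread): a "remember me" token, as Celauran describes,
// with only a hash of the secret stored server-side. Assumed schema:
//   remember_tokens(selector CHAR(24), validator_hash CHAR(64), member_id INT, expires DATETIME)

// Call after a successful username/password login when "remember" was ticked.
function issue_remember_token(mysqli $conn, int $member_id): void
{
    $selector  = bin2hex(random_bytes(12));  // public lookup key, stored as-is
    $validator = bin2hex(random_bytes(32));  // the secret; only its hash goes in the DB
    $expires   = time() + 30 * 24 * 60 * 60; // 30 days
    $hash      = hash('sha256', $validator); // a DB leak then yields nothing usable

    $stmt = $conn->prepare(
        "INSERT INTO remember_tokens (selector, validator_hash, member_id, expires)
         VALUES (?, ?, ?, FROM_UNIXTIME(?))"
    );
    $stmt->bind_param('ssii', $selector, $hash, $member_id, $expires);
    $stmt->execute();

    // The browser holds only selector:validator, never the password.
    // Secure (HTTPS only) and HttpOnly (not readable from JavaScript) flags set.
    setcookie('remember', $selector . ':' . $validator, $expires, '/', '', true, true);
}

// Call on login.php / home.php when there is no active session.
// Returns the member_id to log in, or null if the cookie is missing, expired or forged.
function check_remember_token(mysqli $conn): ?int
{
    $raw = $_COOKIE['remember'] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $conn->prepare(
        "SELECT validator_hash, member_id FROM remember_tokens
         WHERE selector = ? AND expires > NOW()"
    );
    $stmt->bind_param('s', $selector);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // hash_equals() compares in constant time, so timing does not leak the stored hash
    if ($row && hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return (int) $row['member_id'];
    }
    return null;
}
```

On a successful check, set `$_SESSION["member_id"]` the way the login code earlier in the thread already does; on logout, delete the row for that selector and clear the cookie.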

