Web Hosting Talk







PHP - Implementing "remember login"


Dr Zaius
05-16-2005, 11:44 PM
I'm implementing a community website of my own in PHP. My system is a bit like PHP-Nuke, but custom tailored to my needs. What I would like to implement is custom themes for each user, but it seems like that is pointless if you have to log in every time to see your custom theme, and so I would like to implement the popular "remember login" feature.

I'm wondering what is the simplest way to go about this. Perhaps by modifying the session cookie timeout (if so, how?). I'm also wondering if I am going to have to modify my database, or if I can just count on the user cookie to store his password, and automatically log in every time.

I also don't want to force all users to use this permanent login feature.

azizny
05-16-2005, 11:50 PM
everything stays the same,

store ip - theme id and whenever a user goes on check that table.

I would separate that from user password and stuff..

If you do not care if people are not having cookies turned on (their problem attitude) then use cookies, else use database.

Peace,

Dr Zaius
05-16-2005, 11:58 PM
I would rather not modify the database at all.

Does it work like this: When the user logs on, if he has checked "remember login", the cookie is set to expire in one year?

And which functions should I use?

silhouette
05-17-2005, 02:25 AM
I always thought of something like this:
if (isset($_COOKIE['login'])) { // is he logged in??
    if (isset($_COOKIE['theme'])) { // has he chosen a theme??
        $theme = $_COOKIE['theme']; // his theme
    } else {
        $theme = 'default';
    }
} else {
    // blah...
}

Dr Zaius
05-17-2005, 07:55 AM
That's not really what I'm asking about.

sasha
05-17-2005, 10:02 AM
Here are a few functions from my user class


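// Build the cookie token: encrypt the user id, then base64- and URL-encode it.
function makeUserHash($uid) {
    $encrypted_data = gcrypt_encrypt($uid, GUSER_HASH_SECRET);
    $encrypted_data = base64_encode($encrypted_data);
    // Drops the last character, which is assumed to be a single '=' pad.
    $encrypted_data = urlencode(substr($encrypted_data, 0, strlen($encrypted_data) - 1));
    return $encrypted_data;
}

// Reverse makeUserHash(): restore the '=' pad, then decode and decrypt.
function revertUserHash($hash) {
    $decrypted_data = base64_decode(urldecode($hash) . '=');
    $decrypted_data = gcrypt_decrypt($decrypted_data, GUSER_HASH_SECRET);
    return $decrypted_data;
}

// Log the user in from the cookie token if it decrypts to an active user id.
function hashLogin($hash) {
    $uid = $this->revertUserHash($hash);
    if ($uid) {
        // mysql_real_escape_string() escapes for the connection's character set, which addslashes() does not.
        $query = "SELECT userid FROM users WHERE userid='" . mysql_real_escape_string($uid) . "' and status = '1' LIMIT 1";
        $res = mysql_query($query);
        if ($res && mysql_num_rows($res) == 1) {
            $this->user_id = $uid;
        }
    }
}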


gcrypt_encrypt and gcrypt_decrypt functions obviously encrypt and decrypt a string, and you can use your favorite 2 way encryption method there or some combination of them.

The hash that is created is big enough that it would be impossible to guess it, so I just save it in a cookie, and every time a page is visited I check for this cookie and automagically log in the user. This would be no good for a banking site, but then again you would not want "remember login" on a banking site either.

azizny
05-17-2005, 10:02 AM
Yes you would set it up for like a year or so (never expire)..

http://www.phpfreaks.com/tutorials/120/0.php

hope it helps,

Peace,

Dr Zaius
05-17-2005, 11:17 AM
Originally posted by azizny
Yes you would set it up for like a year or so (never expire)..

hope it helps,

Peace,

Yes, that's what I'm looking for... Let me see if I understand things right:

To do what I plan to do, I'm going to have to replace my session handling by cookies... And the $_COOKIE[] variable is a global, like $_SESSION[]... So I could basically use it the same way.

But what are the relevant function calls here? I guess I'm going to want to store a cookie on the client side for the user name and password, and set its lifetime for a year if the "remember login" function was checked. How do I do that? Also, if I don't set a lifetime, will the cookie just get destroyed when the browser closes? What happens if I resend a cookie, will it overwrite the previous one automatically?

xelav
05-17-2005, 05:04 PM
Use a combination of cookies, a session table and a hashed value (not the password), for example the session id.
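
The cookie-plus-table approach suggested in the post above, as an added example that is not part of the original thread or any poster's code: a random token goes in the cookie and only its hash is stored server-side, so neither the password nor a reversible user id ever reaches the client. The table name remember_tokens, the cookie name, the function names, PDO with in-memory SQLite and an HTTPS site on PHP 7.3 or later are all assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';      // assumed cookie name
const REMEMBER_TTL = 365 * 24 * 3600;    // one year, the lifetime discussed in the thread

// Issue a token for $uid and return the cookie value "selector:validator".
// Only a SHA-256 hash of the validator is stored, never the password.
function issueRememberToken(PDO $db, int $uid, int $now): string {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $uid, $now + REMEMBER_TTL]);
    return "$selector:$validator";
}

// Return the user id for a valid cookie value, or null. Tokens are single-use.
function redeemRememberToken(PDO $db, string $cookie, int $now): ?int {
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) return null;
    $st = $db->prepare('SELECT validator_hash, userid, expires FROM remember_tokens WHERE selector = ?');
    $st->execute([$m[1]]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires'] < $now) return null;
    if (!hash_equals($row['validator_hash'], hash('sha256', $m[2]))) return null;
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$m[1]]);
    return (int) $row['userid'];
}

// Send the cookie from the login handler when "remember login" was checked.
// 'expires' => 0 would instead give a cookie that is dropped when the browser closes;
// sending the same name again overwrites the earlier value.
function sendRememberCookie(string $value, int $now): void {
    setcookie(REMEMBER_COOKIE, $value, [
        'expires' => $now + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Demo on an in-memory SQLite database with a constructed user id.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
    validator_hash TEXT NOT NULL, userid INTEGER NOT NULL, expires INTEGER NOT NULL)');
$now = time();
$cookie = issueRememberToken($db, 42, $now);
var_dump(redeemRememberToken($db, $cookie, $now));   // first use of the token
var_dump(redeemRememberToken($db, $cookie, $now));   // replay of the same token
$late = issueRememberToken($db, 42, $now);
var_dump(redeemRememberToken($db, $late, $now + REMEMBER_TTL + 1)); // presented after expiry
```

After a successful redeem, the login handler would issue a fresh token and pass it to sendRememberCookie(); deleting a user's rows from the table revokes every remembered login for that account.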

Dr Zaius
05-17-2005, 05:43 PM
It would be simpler if I can just use cookies.

Is there any way other webservers can retrieve cookies you store on a client?

Dr Zaius
05-17-2005, 10:45 PM
Well, I got it working :)

Thank you people for your suggestions.