'Remember Me' login in CodeIgniter
#1

[eluser]Mowgli[/eluser]
Hello,

I already spent a few hours digging and trying to get this to work but without any luck.

Based on CodeIgniter's config I can either destroy the session when I close the browser or I can keep the session active for a specific number of hours/days, but I couldn't find a way to let the registered user choose between these two options (by using a checkbox or something).

Any help would be much appreciated. Thanks in advance.
#2

[eluser]jblack199[/eluser]
Same way as normal... #1, you'd use sessions as standard and destroy the session on browser close. If they hit the 'remember me' box, you are no longer using sessions; you're using a cookie that then correlates to their account information somehow, so that when the page loads, you take the information in the cookie and query the DB to get whatever information you need and create the new session.
#3

[eluser]Mowgli[/eluser]
Thanks for the answer. But would it be safer to store the password in a cookie?
#4

[eluser]jblack199[/eluser]
If your password is md5, then yeah, you could store the password in the cookie for the 'remember me'.. but the problem with that is, if [email protected] has password of password -- and [email protected] also has password of password you would have mixed data...

So for the remember me, it'd be better off storing the username (maybe md5 encrypted) or the user_id itself, which is just a number.. so you can check and see if they are coming back, and if they are returning after selecting 'remember me', you would run a query to get all their user information into a new session...
#5

[eluser]bretticus[/eluser]
You can also use CI encryption (same thing that CI uses to encrypt its session cookies.) Here's some of my code from a library I wrote a few years ago.

Code:
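// Pack user id, password and salt into one string, then encrypt it with CI's Encrypt library
$value = $this->ci->encrypt->encode(implode('|', array(
    $user_id,
    $password,
    $this->get_salt()
)));
// Store the encrypted value in the remember-me cookie
set_cookie('auth_token', $value, $this->auth_cookie_expire);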

I encoded the password just to nullify the cookie if my users change their passwords. I also included some salt (random text) just to make the encryption a bit more effective. auth_cookie_expire is just a class property to store how long the cookie lives for. You could encode that into your cookie also to make sure that the expiration times agree.

Hashing with md5/sha1 is more secure than my method (because it is one-way encryption or non-reversible) but this method lets me store stuff in the cookie that gives me more options.
#6

[eluser]jblack199[/eluser]
I actually like your way better than even md5. Using md5 encryption in it, while nice for being able to save the password... your way makes it easier to store absolutely everything in one go, which gives the programmer the option of checking the username/password as well as if the account has been banned or suspended or deleted, etc.. as well as a lot of other things possible..

very nice i like it...
#7

[eluser]bretticus[/eluser]
[quote author="jblack199" date="1313638934"]
very nice i like it...[/quote]

Thanks! :)
#8

[eluser]Mowgli[/eluser]
@guys: thanks for your suggestions, I really appreciate it.

@jblack199: you suggested that I could use the id. What if someone decides to edit the cookie and try different id-s? He might end up being logged in as the administrator itself, without using any pass, and that's bad. On the other hand you're right about md5 password being risky. Perhaps I could use a randomly generated string instead (when the first session is being created) and store that string into the db and the cookie... just an idea.

@bretticus: that's an interesting approach, I might give it a try. Thank you.

I have one more question that might sound a bit dumber. Which is the most appropriate file/library/function where I should place the code that reads from the cookie? I mean I want to read it once (and create the session from it) when I access the website from a random page, rather than placing the same piece of code for every page that needs authorization. Thanks again.
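
Added example (not part of the original thread or any poster's code): a sketch of the random-string idea from post #8, where the cookie holds an unguessable token and the server keeps only its hash, so editing the cookie to another user id gains nothing. The function names are hypothetical and the in-memory $tokenStore array stands in for a database table.

```php
<?php
// Assumption: this array stands in for a hypothetical remember_tokens table.
$tokenStore = [];

// Issue a token at login when the 'remember me' box is ticked.
function issue_remember_token(array &$store, int $userId, int $ttl): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret, never stored in clear
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + $ttl,
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

// Validate a cookie value; returns [user_id, replacement cookie value] or null.
function redeem_remember_token(array &$store, string $cookie, int $ttl): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                         // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use: every attempt burns the row
    if ($row['expires'] < time()) {
        return null;                         // expired server-side, whatever the cookie says
    }
    // Constant-time comparison against the stored hash of the validator.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;
    }
    return [$row['user_id'], issue_remember_token($store, $row['user_id'], $ttl)];
}

// Constructed demo values: user id 42, 14-day lifetime.
$ttl    = 14 * 86400;
$cookie = issue_remember_token($tokenStore, 42, $ttl);
[$userId, $nextCookie] = redeem_remember_token($tokenStore, $cookie, $ttl);
var_dump($userId);
var_dump(redeem_remember_token($tokenStore, $cookie, $ttl));    // second use of the old value
var_dump(redeem_remember_token($tokenStore, '1:admin', $ttl));  // hand-edited cookie
```

The string returned by issue_remember_token() is what would be passed to set_cookie(), and the replacement value from redeem_remember_token() overwrites it on each automatic login. Because only a SHA-256 hash of the validator is stored, a leaked table cannot be replayed as cookies.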
#9

[eluser]bretticus[/eluser]
Keep in mind that you can also encrypt a hashed version of the password (sha1 and md5) and then encrypt it (I might actually be doing this) so you just compare hashes but never ever have the password un-hashed in your cookie. Then you simply check for the hashed password in the database that corresponds with the user id stored in the decrypted cookie.
#10

[eluser]bretticus[/eluser]
[quote author="Mowgli" date="1313641549"]Which is the most appropriate file/library/function where I should place the code that reads from the cookie? I mean I want to read it once (and create the session from it) when I access the website from a random page, rather than placing the same piece of code for every page that needs authorization. Thanks again.[/quote]

You can create a class that extends CI_Controller (or use a MY_Controller if you want the whole website to have access to authentication.) A more modular approach is to write an authentication class as a library that you use when you need it (or even autoload it.) Alternately, you could use it as a model. Really, it's up to you!



