Welcome Guest, Not a member yet? Register   Sign In
Auto Login in / remember me function


If I have a login page which also has an remember me checkbox, what would be best practice to save the user data on a secure way which will auto login/remember the user the next time he visits the site.

It could be either done by Sessions cookies or by custom cookies. With a Session I can have a boolean data value named is_logged_in and if it's true it will automatically log in. Also if the users checks remember me, the session time will be upgraded like mentioned in this post:

Or i can do it with cookies, like mentioned in this post:

So i wanted to ask, what do you guys think. Which approach for auto login/remember me would be best practise and secure.

Thank you.

I would prefer the first method mentioned in the post. Nothing insecure about it and personally i would have used it.

(This post was last modified: 01-25-2015, 02:00 PM by ivantcholakov. Edit Reason: A typo )

I've seen readings in Internet that reject "Remember Me" as an anti-pattern, don't remember where, you may search. For an administration panel "Remember Me" I would not use for sure. If you intend to use "Remember Me" on the front-end, make sure somehow that the front-end and the back-end use sessions with different names.

I saw this library first: https://github.com/jenssegers/codeignite...on-library and this article: http://jenssegers.be/blog/12/codeigniter...ibrary-1-3

There some readings are mentioned:


And at the end I came to my implementation of the "Remember Me" feature, maybe I am not pointing at all the necessary files:


The authetication model (or library if it is implemented so) should track how an user has logged in. In case of autologin, before making some critical operations (password change, account deletion, payment, etc.) the user should be forced to login truly.

It is funny what amount of work creates just one additional check-box within the login form.

Offtopic: I had no an occasion yet, but I think, such and enforcement for true login before critical operations is good to be applied in cases of external authentications - through Facebook, OpenId, etc.

(This post was last modified: 01-26-2015, 02:51 AM by stopz.)

I would save a cookie like
remember = 'HyWE32' //expires next week

And then have mysql table with
remember_id[VARCHAR(6)], user_id[INT], expires[DATETIME]

And onVisit i would see if cookie remember exists in db, if it does then extend cookie and mysql by 1 week, else delete cookie and leave not logged in.

To make it more secure you might add IP to your mysql db table and check if cookie is or was not stolen to be accessed but this may cause issues with Dynamic IPs of your visitors.

// Don't blame for simplicity it's just one way to do this >)

Theme © iAndrew 2016 - Forum software by © MyBB