The hard way to write persistent logins:
First create a secret salt:
// For SHA1 hashes
define('SECRET_SALT', 'SHA1 a seekrit salt...');
Then, look for a previous authentication ticket:
// First, check to see if there's an authentication ticket
if($authticket = sha1($_COOKIE['upauth'])) {
$sql = "SELECT * FROM user WHERE authticket = '$authticket'";
$result = mysql_query($sql) or die("Failed query: " . mysql_error());
if($row = mysql_fetch_assoc($result)) {
if($authticket == $row['authticket']) {
// Welcome Back
$_SESSION['username'] = $row['username'];
$_SESSION['password'] = $row['password'];
return 1;
}
}
}
Set the authentication ticket in the login check:
if($_POST['remember']) {
$authticket = sha1(SECRET_SALT . $_SESSION['user_id'] . time());
$sha1ticket = sha1($authticket);
// Update SHA1 of authticket
$sql = "UPDATE user SET authticket ='$sha1ticket' WHERE id = {$row['id']}";
$result = mysql_query($sql) or die("Failed query: " . mysql_error());
// set authticket in upauth cookie for a year
setcookie('upauth', $authticket, time() + 31556926);
}
Add the ticket removal code to logout:
// remove upauth cookie
setcookie('upauth', '', time() - 86400);
Note: if you want to make sure that the ticket expiry hasn’t been tampered with, you’re going to need to digitally sign or store the expiration date in the database.
Now, the easy way for permanent logins:
$session_expire = 60 * 60 * 24 * 365;
ini_alter("session.gc_maxlifetime", $session_expire);
ini_alter("session.cookie_lifetime", $session_expire);
I can’t really see anything wrong with this approach actually… Makes your session id’s a bit more exposed (Also, you don’t have a choice for one-time logins, you just have to remember to log out). Not sure how running the ini_alter() affects performance.