I am not going to post any code here, I will just briefly write down the concept of implementing this for any website. I work in PHP myself, but you should be able to use this for any website.
What is remember me login?
If you don't know this, this post probably won't interest you. But okay: when you log in to a website, sometimes there is a checkbox below the login form that says "remember me". Tick it and next time you won't have to log in again, because the website recognizes you; it remembered you.
Basic ingredients of a remember me script
So let's say we have the following:
- A website, programmed in some server side scripting language, like PHP.
- The website supports cookies and user login.
- A database, like MySQL.
So now, when a user wants to be remembered, we have the following situations to think about and implement:
- User ticks the remember me box, and needs to be remembered.
- User comes back after his normal login session has expired. Because of his remember me request he wants to enter the website without having to enter his credentials again.
- A user might want to destroy his remember me information explicitly, when on a public computer, or when someone else needs to login on his computer.
So here is how you can implement these things. As a non-functional requirement, I would like to add that it would be great if the user's cookie is not too easily stolen. This is not very easy, but we can add a trick so that, if the user's cookie is stolen, the window in which it can be used is quite small. If it would be absolutely disastrous for your web application if a user's login was stolen, then don't implement remember me functionality at all.
Step 1: Remembering the user
So the user ticks the box. What do we do?
- Create a combination of a session ID and a login token. Generate both from a cryptographically secure random source, big enough to withstand brute force attacks and without any predictable pattern.
- Store a hash of the cookie token, together with the session ID, in a database table. Why a hash? If someone gets access to your database data, which in itself would already be quite worrying, they could otherwise use the stored tokens to log into all the accounts of your site. The session ID should relate to the user ID of course, so you know who is logging in. Also, multiple rows must be allowed for the same user, since the user might want to be remembered on multiple machines.
- Store the token and the session ID in a cookie on the user's machine.
Step 2: User comes back, website should recognize the user
- Your script checks if the user has a “recognize me cookie”.
- If so, read the session ID and the token from it, and look up a row with that session ID and a hashed version of the token.
- If it is found, set the user as logged in. Destroy the old cookie and the corresponding row in the database. Create a new remember me row and cookie as in step 1, with completely new IDs. This tightens the window in which a stolen cookie could be used, because the stolen copy is no longer valid after the first use (and if the attacker uses it first, the legitimate user's cookie stops being valid instead).
- A failed remember me could mean that an attacker tried to use a stolen cookie too late, that the valid user logged in after the attacker, or that the user explicitly erased all remember me sessions from the admin. In the first two cases it might be desirable to prompt the user to change his password (an action which should also delete all remember me sessions for that user from the database).
This is just a conceptual summary; using it should get you on your way to build a remember-me system for the users of your web application.
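The post deliberately gives no code, so the following is an added example, not the author's own implementation. It carries Step 1 (issue a session ID and token, store only the token's hash), Step 2 (verify, then destroy the old row and rotate to a completely new pair) and the explicit "forget me" from the ingredients section through in Python rather than PHP, with an in-memory SQLite table standing in for the MySQL table. The cookie value format `session_id:token`, the table layout and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the page's MySQL table: one row per remembered
# device, keyed by the remember-me session ID (not the normal PHP session).
def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE remember_me ("
        " session_id TEXT PRIMARY KEY,"
        " token_hash TEXT NOT NULL,"
        " user_id INTEGER NOT NULL)"
    )
    return conn


def hash_token(token: str) -> str:
    # The token is 256 bits of CSPRNG output, so a plain SHA-256 is enough:
    # nobody can brute-force it from the hash the way they could a password.
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def issue_cookie(conn: sqlite3.Connection, user_id: int) -> str:
    """Step 1: mint a session ID + token pair, store only the token's hash,
    and return the cookie value the browser keeps ("session_id:token")."""
    session_id = secrets.token_urlsafe(32)   # 32 random bytes, URL-safe base64
    token = secrets.token_urlsafe(32)
    conn.execute(
        "INSERT INTO remember_me (session_id, token_hash, user_id) VALUES (?, ?, ?)",
        (session_id, hash_token(token), user_id),
    )
    conn.commit()
    return f"{session_id}:{token}"


def authenticate_cookie(conn: sqlite3.Connection, cookie: str) -> Optional[Tuple[int, str]]:
    """Step 2: look up the row for the cookie's session ID and compare the
    stored hash with the hash of the presented token. On success the old row
    is destroyed and a completely new pair is issued, so any copy of the old
    cookie stops working at once. Returns (user_id, fresh_cookie) or None."""
    parts = cookie.split(":", 1)
    if len(parts) != 2:
        return None
    session_id, token = parts
    row = conn.execute(
        "SELECT user_id, token_hash FROM remember_me WHERE session_id = ?",
        (session_id,),
    ).fetchone()
    # Constant-time comparison so a wrong token is rejected without a timing hint.
    if row is None or not hmac.compare_digest(row[1], hash_token(token)):
        return None
    user_id = row[0]
    conn.execute("DELETE FROM remember_me WHERE session_id = ?", (session_id,))
    return user_id, issue_cookie(conn, user_id)


def forget_user(conn: sqlite3.Connection, user_id: int) -> int:
    """Explicit 'forget me' (also the action to run on a password change):
    drop every remembered device for the user. Returns the number of rows removed."""
    cur = conn.execute("DELETE FROM remember_me WHERE user_id = ?", (user_id,))
    conn.commit()
    return cur.rowcount


def stored_hashes(conn: sqlite3.Connection) -> list:
    """Inspection helper: what someone with read access to the table would see."""
    return [r[0] for r in conn.execute("SELECT token_hash FROM remember_me")]


if __name__ == "__main__":
    db = open_db()
    first = issue_cookie(db, 42)                    # user 42 ticked "remember me"
    user, second = authenticate_cookie(db, first)   # comes back later: accepted, rotated
    print(user, authenticate_cookie(db, first))     # 42 None  (a replayed copy of 'first' is dead)
    print(forget_user(db, 42))                      # 1
```

The table never holds a raw token, so a leaked dump cannot be replayed against the site, and because every successful use retires the old row, a stolen cookie is only good until either party next presents it; whichever copy arrives second simply finds no row, which is the failure the post suggests treating as a reason to prompt for a password change.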