How is "remember me" functionality implemented in famous websites?

1 points by yassersouri ↗ HN
I want to implement a login system of my website. I want to know how can I implement a "remember me" functionality. I've read about this on the web, but I want to know how this is implemented by the big guys like Google, Facebook or Amazon.

10 comments

[ 0.27 ms ] story [ 36.7 ms ] thread
They simply set a second cookie ID with a much longer expiration.

With most webapp frameworks, the default cookie that is set for session management only lasts the lifetime of that browser window being open.

If you let me know what lang your backend is in, I could point you to a reference to do this. eg.

PHP - http://au.php.net/setcookie Django - http://docs.djangoproject.com/en/dev/topics/http/sessions/#s...

I know that but what is in that cookie? P.S: I use PHP
(comment deleted)
Set the userid in the cookie, and set the lifetime to be 10 years (or whatever) into the future. In your app you then check if that cookie exists, and if it does look up the user id and log them in automatically.

The other way to do it is to use the existing session support. If the 'remember me' box is checked, you change the session so that instead of it expiring at the end of the browser session, it expires way into the future.

ie. your login script probably looks like this:

  session_start();
  $username = filter_func($_POST['username']);
  $password = filter_func($_POST['password']);
  $user = $db->query('select userid from users where username = ? and password = ?', $username, $password);
  if($user) {
    //user is logged in
    $_SESSION['loggedin'] = true;
  } else {
    // show login page with error
  }
you need to change it to:

  $username = filter_func($_POST['username']);
  $password = filter_func($_POST['password']);
  $remember = (bool) $_POST['rememberme'];
  $user = $db->query('select userid from users where username = ? and password = ?', $username, $password);
  if($user) {
    //user is logged in
    if($remember) {
      $lifetime = 10 * 365 * 24 * 60 * 60;
      session_set_cookie_params(time() + $lifetime);
    }
    session_start();
    $_SESSION['loggedin'] = true;
  } else {
    // show login page with error
  }
the key function is session_set_cookie_params() which will let you alter the cookie that the session store uses prior to seeting it:

http://php.net/session_set_cookie_params

note: that you need to call it before you call session_start(). $lifetime just calculates the number of seconds in 10 years, and the time set is time() (ie. now) plus the number of seconds in 10 years.

note: filter_func is a function that you write that will filter input variables, and $db is whatever your db class or access method is.

note: you also need to filter $_SESSION. most devs have a class that they wrap $_SESSION in rather than using it directly.

thank you. But this totally lacks security. What if someone steals the cookie?
you are screwed either way. that is what Firesheep does

the solution is to use SSL and set the secure flag on the cookie

I mean what if some one steals your cookie from your machine and copies it to his machine, this way he can login as you. I feel there is a way to prevent this, but I have no idea
no way to prevent it, just the way it works. there you are relying on local machine security and the user not keeping themselves logged in, etc.

do use SSL, though

Whatever they would normally type to login, take it all and hash it together. So, for example, hash together their username and password, then store that in a cookie on the users machine.

When they connect, retrieve that cookie (if it exists) and map it to their account.