Here are the steps:
1 – Add a field to your login form, preferably a checkbox, and name it “remember” (or whatever you like).
2 – We need a way of recognizing the user's computer. To do this, add an extra column to your user table and name it something like “token”:
ALTER TABLE YOUR_USER_TABLE ADD token VARCHAR(40);
ALTER TABLE YOUR_USER_TABLE ADD INDEX(token);
(The index is needed for fast lookup.)
You will also need another column to save a signature derived from the user agent:
ALTER TABLE YOUR_USER_TABLE ADD user_sig VARCHAR(40);
This is for security; I will explain it in a little bit.
3 – We also have to save a cookie on the user's computer. After the user has logged in successfully, you will need something like this in your login script:
if (LOGIN_VALID()) {
    /* Log user in here first */
    if (isset($_POST['remember'])) {
        /* Token stored in the cookie and in the database (md5 hex, 32 chars, fits VARCHAR(40)) */
        $token = md5(str_shuffle('ABCDEFGHIJKLMNOPQRSTUVWXYZ'));
        /* Signature tied to the browser's user agent, keyed with a server-side secret */
        $user_sig = md5('SOME SECRET SEED' . $_SERVER['HTTP_USER_AGENT']);
        mysql_query("UPDATE YOUR_USER_TABLE SET token = '$token', user_sig = '$user_sig' WHERE USER_ID_FIELD = USERS_ID");
        $cookie_name = 'A SHORT NAME FOR THE COOKIE';
        $cookie_value = $token;
        $cookie_expire = time() + 60 * 60 * 24 * 30 * 12 * 10; /* Approx 10 years */
        $cookie_path = '/';
        $cookie_domain = $_SERVER['SERVER_NAME']; /* If this doesn't work, put your domain name here */
        setcookie($cookie_name, $cookie_value, $cookie_expire, $cookie_path, $cookie_domain);
    }
}
What this does is generate a token that is saved on the user's computer as a cookie and, for security reasons, a request signature derived from the browser's user agent; both are saved in your database.
The cookie set on the user's computer contains the token only.
4 – Now place something like this in your main include file:
if (!isset($_SESSION['valid_user']) && isset($_COOKIE['A SHORT NAME FOR THE COOKIE']) && trim($_COOKIE['A SHORT NAME FOR THE COOKIE']) != '') {
    /* Escape the cookie value before using it in the query */
    $token = mysql_real_escape_string($_COOKIE['A SHORT NAME FOR THE COOKIE']);
    $user_result = mysql_query("SELECT * FROM YOUR_USER_TABLE WHERE token <> '' AND token = '$token'");
    if ($user_result && mysql_num_rows($user_result) > 0) {
        $user = mysql_fetch_assoc($user_result);
        /* The signature must match the current browser's user agent */
        if ($user['user_sig'] == md5('SOME SECRET SEED' . $_SERVER['HTTP_USER_AGENT'])) {
            /* Go ahead and log the user in again */
            $_SESSION['valid_user'] = $user;
            session_regenerate_id(); /* Always a good idea */
        }
    }
}
This script first checks whether the user is already logged in; if so, it skips the rest and does not log the user in again.
It then checks that the cookie you saved on the user's computer earlier exists and is not empty.
If all of these conditions hold, the script looks up the token and compares the stored user signature with one computed from the current request; if everything matches, it logs the user in.
5 – There is one last step: cleanup. In your *logout* script, place:
$cookie_name = 'A SHORT NAME FOR THE COOKIE';
$cookie_value = '';
$cookie_expire = time() - 60 * 60 * 24 * 30 * 12 * 10; /* Approx 10 years ago, so the browser discards it */
$cookie_path = '/';
$cookie_domain = $_SERVER['SERVER_NAME']; /* If this doesn't work, put your domain name here */
setcookie($cookie_name, $cookie_value, $cookie_expire, $cookie_path, $cookie_domain);
This deletes the cookie from the user's computer when the user logs out.
If you don't do this, your application will keep logging the user in automatically even after he/she logs out.
The same concept works in other languages.
Also, this script relies only on the user agent as a second check; you might want to take extra security measures…
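To show what those "extra security measures" can look like, here is an added example that is not part of the original post: the same five-step flow (issue token on login, verify on later requests, revoke on logout) with a cryptographically random token, only a hash of the token stored server-side, a keyed user-agent signature, an expiry, constant-time comparison, and HttpOnly/Secure cookie flags. It uses PDO with an in-memory SQLite database so it runs offline; the table and column names (users, token_hash, user_sig, token_expires), the cookie name and the secret seed are assumptions you would replace with your own.

```php
<?php
// Added example, not the tutorial's code. Assumed schema:
//   users(id, name, token_hash, user_sig, token_expires)
// Runs against in-memory SQLite; point the DSN at your own database in production.
// The array form of setcookie() needs PHP 7.3 or newer.

const COOKIE_NAME    = 'remember';          // assumed cookie name
const SECRET_SEED    = 'replace-this-seed'; // assumed server-side secret, keep it out of source control
const TOKEN_LIFETIME = 60 * 60 * 24 * 30;   // 30 days, not 10 years

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, '
                 . 'token_hash TEXT, user_sig TEXT, token_expires INTEGER)');
        $pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice')"); // constructed sample row
    }
    return $pdo;
}

// Keyed hash of the user agent: a leaked database row does not reveal the seed.
function userSignature(string $userAgent): string {
    return hash_hmac('sha256', $userAgent, SECRET_SEED);
}

// Step 3: called after a successful password login when the "remember" box was ticked.
function issueRememberToken(int $userId, string $userAgent): string {
    $token = bin2hex(random_bytes(32)); // CSPRNG, 256 bits, 64 hex chars
    $stmt = db()->prepare('UPDATE users SET token_hash = :h, user_sig = :s, '
                        . 'token_expires = :e WHERE id = :id');
    $stmt->execute([
        ':h'  => hash('sha256', $token), // only the hash is stored; a DB dump cannot be replayed
        ':s'  => userSignature($userAgent),
        ':e'  => time() + TOKEN_LIFETIME,
        ':id' => $userId,
    ]);
    return $token; // the raw token is what goes into the cookie
}

function sendRememberCookie(string $token): void {
    setcookie(COOKIE_NAME, $token, [
        'expires'  => time() + TOKEN_LIFETIME,
        'path'     => '/',
        'secure'   => true,  // HTTPS only
        'httponly' => true,  // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Step 4: run on requests that have no session. Returns the user id or null.
function userFromRememberToken(?string $cookieValue, string $userAgent): ?int {
    // Reject anything that is not exactly a 64-char hex token before touching the database.
    if ($cookieValue === null || !preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null;
    }
    $stmt = db()->prepare('SELECT id, user_sig, token_expires FROM users WHERE token_hash = :h');
    $stmt->execute([':h' => hash('sha256', $cookieValue)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['token_expires'] < time()) {
        return null; // unknown or expired token
    }
    if (!hash_equals($row['user_sig'], userSignature($userAgent))) {
        return null; // cookie presented from a different browser
    }
    return (int) $row['id'];
}

// Step 5: logout clears the server-side token too, so a copied cookie is worthless afterwards.
function revokeRememberToken(int $userId): void {
    db()->prepare('UPDATE users SET token_hash = NULL, user_sig = NULL, token_expires = NULL WHERE id = :id')
        ->execute([':id' => $userId]);
}

// Demonstration with constructed values; no real HTTP request is involved.
$ua    = 'Mozilla/5.0 (constructed sample user agent)';
$token = issueRememberToken(1, $ua);
assert(userFromRememberToken($token, $ua) === 1);
assert(userFromRememberToken($token, 'Other/1.0') === null); // wrong browser signature
assert(userFromRememberToken('deadbeef', $ua) === null);     // malformed cookie value
revokeRememberToken(1);
assert(userFromRememberToken($token, $ua) === null);         // revoked on logout
echo "remember-me flow OK\n";
```

In a real login script you would call sendRememberCookie() with the value returned by issueRememberToken(), and in the logout script call revokeRememberToken() before expiring the cookie as the tutorial does. Storing only the hash of the token means someone who reads the user table still cannot forge a valid cookie, and the expiry bounds how long a stolen cookie stays useful.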
I hope this helps someone
Adding Auto Login (Remember Me) Capability to Your Applications