PHP OOP Login/Register System: Remember me (Part 19/23)

Comments
Author

A few notes:

Performance:
If you reverse the two checks performed in core/init.php at #14:55 (so first you check whether no session_name is set and _then_ you check whether the cookie_name is set) you avoid the superfluous check if a cookie is set if you are already logged in. This is achieved due to PHP's lazy evaluation. You can verify this by generating some output in the exists() methods of the Cookie and Session classes. You will then see that no cookie checks are performed when you are logged in.

Security:
The __construct() method of the User class is still lacking a mechanism for logging a user out when no credentials were found (see the "// process logout" placeholder).

Security:
No additional checks besides checking the (hash of the) "remember me" cookie are performed. If your site is somehow vulnerable to the insertion of JavaScript it will become quite easy to steal the hash. You might want to consider adding extra security like an IP-check so that not just everyone can use this hash. This (the IP-check) is by no means waterproof and in some cases also not practical, but it introduces another hurdle one must take to breach security.

Usability:
When logging in through the "remember me" cookie the expiry date is not updated. You might want to consider doing this.
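
Added example, not part of the comment above or of the tutorial's code: one way to address that comment's security and usability notes, and the stale-hash question raised further down at 26:58. It assumes a hypothetical RememberStore class standing in for the users_session table, a cookie named 'hash', a server-side SHA-256 digest of the token, the comment's optional IP check, and PHP 7.4 or later.

```php
<?php
declare(strict_types=1);
// Added example. RememberStore is a hypothetical in-memory stand-in for the
// users_session table; a real version would run the same steps through DB.php.
final class RememberStore
{
    private array $rows = []; // sha256(token) => ['user_id', 'ip', 'expires']
    // Issue a random token. Only its SHA-256 digest is kept server-side, so a
    // leaked table does not yield usable cookie values.
    public function issue(int $userId, string $ip, int $ttl = 604800): string
    {
        $token = bin2hex(random_bytes(32));
        $this->rows[hash('sha256', $token)] =
            ['user_id' => $userId, 'ip' => $ip, 'expires' => time() + $ttl];
        return $token;
    }

    // Redeem a cookie value. The row is deleted on every attempt, so a token
    // works once; success returns a replacement token with a fresh expiry.
    public function redeem(string $token, string $ip): ?array
    {
        $digest = hash('sha256', $token);
        $row = $this->rows[$digest] ?? null;
        unset($this->rows[$digest]);
        if ($row === null || $row['expires'] < time() || $row['ip'] !== $ip) {
            return null; // unknown, expired, or presented from another address
        }
        return ['user_id' => $row['user_id'],
                'token'   => $this->issue($row['user_id'], $ip)];
    }
}

// HttpOnly keeps the value out of reach of injected JavaScript; Secure and
// SameSite limit where the browser sends it.
function rememberCookieOptions(int $ttl = 604800): array
{
    return ['expires' => time() + $ttl, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed sample data: user 7 and documentation-range IP addresses.
$store  = new RememberStore();
$first  = $store->issue(7, '203.0.113.5');
$login  = $store->redeem($first, '203.0.113.5');  // valid: rotates the token
$replay = $store->redeem($first, '203.0.113.5');  // old token, row already deleted
$moved  = $store->redeem($login['token'], '198.51.100.9'); // other address
var_dump($login['user_id'], $replay, $moved);
// In a web request: setcookie('hash', $login['token'], rememberCookieOptions());
```

Because redeem() deletes the row on every attempt, a value presented from a different address also invalidates the legitimate cookie, so the user simply logs in again.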

fml
Author

For anyone who is having an issue where either A) Nothing is being added to the database and/or B) Hash isn't showing up in the console, make sure you didn't miss 1:38 where Alex adds $remember to $login.

kevinb
Author

The delete didn't work until I found out/remembered that, unlike 'SELECT *', 'DELETE' takes no asterisk *

public function delete($table, $where) {
    return $this->action('DELETE', $table, $where);
}
2 hours to find the asterisk :O

scleija
Author

This is one of the best tutorial series for PHP on YouTube!

rsdntevl
Author

Hopefully this helps someone, but my users_session table wasn't storing my data because the structure of my "hash" column had a varchar(50), which was too short. I changed it to varchar(150).

SereneAttraction
Author

I had to see this video 4 times before I understood the concept. Love the videos and can’t wait to implement the OOP concept into my own website.

SajidLatifDK
Author

I was really tripping out over the hash not inserting into mysql (for remember me), so I paused the video and totally went through everything... Once I gave up and pressed play, I realized, OH! It's the insert function in the DB class file lol. Good thing you found it! This is why I test everything on the way, just like you do. Thanks!

JamesAutoDude
Author

Yes Alex. You will always be public function remembered() as the guy who taught us all php oop.

architwahi
Author

I wanted to get knee deep into OOP... Check! I really like the speed of your tutorials, thanks a lot!

stanbekker
Author

This man is like 'god'... Thank you very much, Sir.

rodrickngonyoku
Author

For anyone following this guide and wondering why nothing is being inserted into the database, go to your DB.php and in the insert function change the line that goes:

$sql = "INSERT INTO users (`" . implode('`, `', $keys) . "`) VALUES({$values})";

to this:

$sql = "INSERT INTO {$table} (`" . implode('`, `', $keys) . "`) VALUES({$values})";

daixso
Author

For anyone watching this recently, if there's a problem with the hash not generating, try changing the checkbox value to something else.

I changed my checkbox value and the $remember = (Input::get('remember') === 'on') ? true : false; (1:34) to 1 and my hash is generated.

tomsan
Author

Make sure to check if the cookie in the browser actually gets deleted!
I noticed it did not work, so I'm not sure if it's outdated, but here is how I got it to work:
setcookie($name, '', time() - 3600, '/');
It had something to do with the path or some other shit, hope it helped.

bog_w
Author

Why don't you just use: return isset($_COOKIE[$name]); ?

mannyplayer
Author

U guys are amazing; love from Germany :)

fanreymysterio
Author

For those who are having a problem adding the checkbox, add value="on" in the HTML login page. Otherwise it always returns bool(false), even when the remember me button is checked.

rozaimizamahri
Author

Thank you Alex, that 'DELETE *' thing got me. Removing the * did the trick when the hash won't get deleted from the DB. haha

joaquin
Author

You can get developer tools in Chrome to change cookies.

stokescomp
Author

26:58 what if user erases manually all sessions & cookies in the browser? Old hash still stays in users sessions database. Maybe eventual old hash should be erased when logging in. 23:00

Tuttigiu
Author

isset() itself returns true/false, no need to use a ternary. Excellent series, Alex :)

OMFG