Login and remember me on many computers
Sunday, May 30th, 2010

Everything has probably already been said and written about login and "remember me" features. I've tried a few different techniques and the best one seems to be the client-side cookie. Of course you must never put the user's password into the cookie; you have to store something else there instead.

So far I have used a dedicated cookie field for each user, holding a random md5 hash. If a visitor presents the 'remember' cookie, you just have to check: SELECT * FROM users WHERE cookie = '$_COOKIE[remember]'.

When a user logs in with the 'remember me' checkbox checked, you write a fresh random md5 hash into that user's cookie field and set a cookie with the same value in the client's browser.

What happens if a user wants to be remembered on several computers at the same time?

  1. You can ignore it. Just write a new md5 hash every time a user logs in; the user will then no longer be remembered on any other computer.
  2. Check whether the cookie field is already set and, if so, reuse its value for the new cookie. If the field is empty, fill it first. You can also fill it with a random hash at the very moment a new user is created...
  3. You don't need a cookie field in the database at all: derive a value from the user's other data, for example md5($id . $username . $email . $datefield), and put that into the cookie. The database query then changes slightly to: SELECT * FROM users WHERE MD5(CONCAT(id, username, email, datefield)) = '$_COOKIE[remember]'.

Be sure to check and escape the $_COOKIE value before putting it into the query, or you open yourself up to SQL injection! I wrote it directly into the query only to keep this post simple.
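As an added example (my code, not the post's), here is the idea of option 2 carried one step further in Python with sqlite3: instead of one shared cookie value per user, every remembered browser gets its own random token, the database keeps only a hash of the secret part, and the lookup uses a parameterised query so the cookie value can never alter the SQL. The table and column names and the 'selector:validator' cookie layout are my assumptions.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed in-memory stand-in for the post's users table, plus one row
# per remembered browser so several computers can be remembered at once.
db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT);
CREATE TABLE remember_tokens (
    selector TEXT PRIMARY KEY, user_id INTEGER, validator_hash TEXT);
INSERT INTO users (id, username) VALUES (1, 'alice');
""")


def _hash(validator: str) -> str:
    return hashlib.sha256(validator.encode()).hexdigest()


def issue_remember_cookie(user_id: int) -> str:
    """Mint a token for one browser; the cookie value is 'selector:validator'.
    Only the selector and a hash of the validator are stored server-side."""
    selector = secrets.token_hex(8)
    validator = secrets.token_hex(32)
    db.execute("INSERT INTO remember_tokens VALUES (?, ?, ?)",
               (selector, user_id, _hash(validator)))
    db.commit()
    return f"{selector}:{validator}"


def user_from_cookie(cookie: str):
    """Resolve a presented cookie to a user, or None when it is not valid.
    The query is parameterised, so quotes in the cookie are data, not SQL
    (the injection concern the post raises), and the hash comparison is
    constant-time."""
    selector, sep, validator = cookie.partition(":")
    if not sep:
        return None
    row = db.execute(
        "SELECT u.id, u.username, t.validator_hash FROM remember_tokens t "
        "JOIN users u ON u.id = t.user_id WHERE t.selector = ?",
        (selector,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], _hash(validator)):
        return None
    return {"id": row[0], "username": row[1]}


def forget_browser(cookie: str) -> None:
    """Revoke one browser's token (logout there) without touching the others."""
    db.execute("DELETE FROM remember_tokens WHERE selector = ?",
               (cookie.partition(":")[0],))
    db.commit()
```

Logging out on one computer only deletes that computer's row, so the other remembered browsers keep working.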

Category: Web development