Database setup for a simple login and registration page in terms of having a "remember me" function

I'm not sure how to setup my database to have a "Remember me" function in order to handle bypassing login. I know you use a cookie with a encoded string and other stuff but the database setup itself is a bit odd. I'm using a Postgres database and so far here are the fields I thought of...
user_id AUTOINCREMENT INTEGER
email TEXT NOT NULL
password TEXT NOT NULL
date_added DATETIME
is_admin BOOLEAN
user_id AUTOINCREMENT INTEGER
email TEXT NOT NULL
password TEXT NOT NULL
date_added DATETIME
is_admin BOOLEAN
I'm thinking I'll need either a separate table for generating a token for a Remember Me function or as an additional field in this User table. Not sure since I've never implemented one before. Any suggestions would be great! Thanks!
17 Replies
MD
MDOP9mo ago
so far im thinking I either add a user_token field to users table or a separate table with user_id being the foreign key and that table is for user tokens with a field to handle expiring and such
Jochem
Jochem9mo ago
If you'll only ever have a single instance, you should put it on the user table. If you'll have multiple concurrently valid tokens, it needs to be its own table. That's the real thing to worry about that said, for basic logins that don't require high security, I always just handle "remember me" by setting the expiration on the login cookie higher
MD
MDOP9mo ago
I think for something this scale not being hosted and just a practice for skill concepts maybe adding that field to the user table is best?
Jochem
Jochem9mo ago
whatever mechanism you use to be logged in now probably has an expiration, you can just set that higher or have it persist past a browser session, and use that instead of storing stuff in the database
MD
MDOP9mo ago
i may do test cases with extra user accounts and I will probably have an admin account practice making too
Jochem
Jochem9mo ago
I'm not talking about multiple accounts, but multiple valid sessions for a single account the choice for separate table or new columns is "will there ever be more than one of these per row?" It's a one-to-one or one-to-many question, and very little else until you start talking about table optimization or lots of data stored for one record, neither of which you should worry about
MD
MDOP9mo ago
in this case just a single user page routed by id so nothing too fancy probably just a single session at most once they hit logout the cookie stays for some expiration time. It's really just for practicing handling authenitication as an isolated problem instead in a bigger project to get comfortable with it I think in this case just a single instance because I wont be able to use mutiple users and the user will just go to a page and log out now do you delete the cookie if the user logs out themselves then make them resign or do you still allow remember me to function?
Jochem
Jochem9mo ago
It has nothing to do with concurrent different users though. The only consideration is whether for each user you need to store one value or more than one Delete the cookie, manual log out needs to be permanent Remember me just let's your session persist longer, that's all it's supposed to do
MD
MDOP9mo ago
I think I get it im just a bit new. do you have an example of how this works? I know in my case when they successfully log in they just go to their page they wont be accessing other pages since theres only login and registration. When it comes to values how does that work? I'm just new to this content to understand it this is one example i found of implementation for it and used a different table
MD
MDOP9mo ago
PHP
PHP Tutorial
How to Implement Remember Me in PHP Securely
In this tutorial, you'll learn to securely implement the remember me feature in PHP.
Jochem
Jochem9mo ago
So wait you log in but when you refresh, you're logged back out?
MD
MDOP9mo ago
it shouldnt in my case only destory session if you user logs out themselves or closes the browser
Jochem
Jochem9mo ago
You're using session_start or whatever it is to log in then?
MD
MDOP9mo ago
yeah start the session after successful login
Jochem
Jochem9mo ago
It takes arguments to have the session work past closing the browser. That's how you use remember me with sessions
MD
MDOP9mo ago
now that you mention it ive never even used session_start before looking over my older php projects i might have to refresh my knowledge on sessions
Jochem
Jochem9mo ago
https://www.php.net/manual/en/session.configuration.php especially starting here https://www.php.net/manual/en/session.configuration.php#ini.session.use-cookies the lifetime is 0 when you don't check remember me so it expires with the browser closing, then something higher when you do check it so it persists once you have a bunch of users, you'll also have to look into session.gc_* to make it so that your sessions aren't prematurely garbage collected, but that's not really something you have to worry about until it happens and even then the worst case is that remember me will stop working and people get logged out after a few hours
Want results from more Discord servers?
Add your server