remember_me.php

<?php
/*
 * PHP session (cookies) exist only until the device is shut down. In order for users to "stay" logged in after that,
 * another cookie is needed, which is stored beyond the the device shut down. The following code checks whether
 * this cookie exists and whether the user has shut down the device in the meantime. If so, it checks whether the cookie
 * value is associated with a user and if so, a new session cookie is created.
 *
 * TODO: The current implementation allows this functionality only for a maximum of one browser instance. If the user
 * logs in with another browser instance and shut down the device, the user is no longer logged in when
 * reopening the first browser instance and must log in again.
 */

// If the user isn't logged in but a session cookie exist
if(empty($_SESSION['user_id']) and isset($_COOKIE['session_id'])) {
    // Check whether the cookie value is associated with a user
    $query = "SELECT user_id, is_admin FROM public.user WHERE session_id = :session_id";
    $query_params = array(':session_id' => $_COOKIE['session_id']);
    try{
        $stmt = $pdo->prepare($query);
        $result = $stmt->execute($query_params);
    }catch(PDOException $ex){
        echo '<span style="color: red">ERROR! Code: 002</span>';
        exit;
    }
    $row = $stmt->fetch();

    if(empty($row)){
        // If not, remove the session cookie. It's an old persisted session ID and is no longer needed.
        unset($_COOKIE['session_id']);
        setcookie('session_id', "", time() - 1, '/chat/');
    } else {
        // If true, log the user in and
        session_start();
        $_SESSION['user_id'] = $row['user_id'];
        $_SESSION['is_admin'] = $row['is_admin'];
        // create a new persisted session id and cookie. This is to prevent cookie theft (so for security purposes).

        // Generate new session ids until a unique session id is generated
        while(1){
            $possible_session_id = bin2hex(openssl_random_pseudo_bytes(16));

            $query = "SELECT 1 FROM public.user WHERE session_id = :session_id";
            $query_params = array(':session_id' => $possible_session_id);
            try{
                $stmt = $pdo->prepare($query);
                $result = $stmt->execute($query_params);
            }catch(PDOException $ex){
                echo '<span style="color: red">ERROR! Code: 003</span>';
                exit;
            }
            $row = $stmt->fetch();

            // When no row was found with this session id
            if(empty($row)){
                // The session id is unique and the script must no longer generate new session ids
                $session_id = $possible_session_id;
                break;
            }
        }

        // Set the session id of the logged in user to the generated session id
        $query = "UPDATE public.user SET session_id = :session_id WHERE user_id = :user_id";
        $query_params = array(':session_id' => $session_id, ':user_id' => $_SESSION['user_id']);
        try{
            $stmt = $pdo->prepare($query);
            $result = $stmt->execute($query_params);
        }catch(PDOException $ex){
            echo '<span style="color: red">ERROR! Code: 004</span>';
            exit;
        }

        // Set the new session id as session variable and as value of the session cookie
        setcookie("session_id", $session_id, time()+259200, "/chat/");
    }
}
?>