| CodeIgniter 3 - How to "Remember me" session |
|
Hello,
I'm trying to create a "Remember me" session (that lasts for 1 week) using the new CI Session. My configs are: PHP Code: ...And my controller, login method: PHP Code: ...When i check the cookie after the login, it's showing 1 week time to expiration, but in the next session regenerate (60 secs for testing) became 1 day expiration again. There's a simple way to do that? I don't want to use 3rd auth/session libs, like Ion or Community. Thanks
You're setting a cookie with the same name as your session cookie independently of your session, so the behavior you're seeing is what you should expect, if you really think about it. You can't just extend the life of your session by setting a new cookie with a longer lifetime that just happens to have your session data in it. Set a cookie with a different name or increase the expiration time on your session.
However, there are a lot of pitfalls when implementing authentication, and the "Remember Me" checkbox on a login form is so dangerous that it is considered to be a security issue in some circumstances even when implemented correctly. It is very easy to implement it incorrectly, The following are good places to find information on the pitfalls of implementing your own authentication (and, hopefully, how to avoid them). Note that the first one is not necessarily "definitive", but it does contain a lot of good information backed up with links (including the second link I've included here): http://stackoverflow.com/questions/549/t...578#477578 https://paragonie.com/blog/2015/04/secur...ersistence https://www.owasp.org/index.php/Authenti...heat_Sheet
The way you're doing it is definitely not the right way, I would think that since the session ID regenerates, that wont work.
I also have been trying to find a half way decent way of accomplishing this. Quote:However, there are a lot of pitfalls when implementing authentication, and the "Remember Me" checkbox on a login form is so dangerous that it is considered to be a security issue in some circumstances even when implemented correctly. It is very easy to implement it incorrectly, I realize there are security pitfalls, however, im creating an app that others will download and setup in their own network. So I wanted to provide the functionality of a remember-me setting, and allow admins to enable/disable it globally. Do you know of a way to accomplish this? Would it be better to just see if the $remember_me was checked, if so, override the config setting sess_expiration with a longer expiration time? Something like the following.. PHP Code: <?phpI would think that might work, but let me know
You should be able to do this just by not using the name of the session cookie as the name of the "Remember Me" cookie when calling set_cookie():
PHP Code: $this->input->set_cookie(array(The "Remember Me" selection and the session are completely independent. The whole point of a "Remember Me" option is to keep someone logged in beyond the lifetime of the session. Usually you do this by generating a sufficiently random token and storing that token in both the cookie and the database. You would usually use a method similar to storing a password, in that the token stored in the database would be hashed, then you would compare the hash stored in the database with the value supplied by the cookie to authenticate the user. In most cases you also need to store an id or unique selector value in both the database and the cookie, so you can perform the database lookup on the id/selector. This usually means that you have to use some special character to separate the selector from the token in your value, use a fixed number of characters for the selector, or use two cookies. If the session is still active, they still have access to their session data, and that's completely independent of whether they're logged in to the site. If they have a valid "Remember Me" token set, they're still logged in to the site, and that's completely independent of whether they have an active session. If the session contains information specific to a given user (and an ID is stored in the session which can be used to identify that user), then you might choose to invalidate that session if the person is authenticated as a different user or if the person fails to authenticate as the user, as it indicates that something unusual is going on, like someone visiting your site from a shared computer (maybe they unchecked the "Remember Me" checkbox but forgot to log out and you prompted for a login for security purposes because they attempted to do something after a long period of inactivity).
If you do not know it, you can also store an array serialized into the cookie value.
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
|
| Welcome Guest, Not a member yet? Register Sign In |
MENU
EXTRA MENU
ABOUT US
CodeIgniter is a powerful PHP framework with a very small footprint, built for developers who need a simple and elegant toolkit to create full-featured web applications.
