+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: Libraries & Helpers (https://forum.codeigniter.com/forumdisplay.php?fid=11)
+--- Thread: how to implement remember me using session in CI? (/showthread.php?tid=69797)
how to implement remember me using session in CI? - plonknimbuzz - 01-18-2018
version: 3.1.7
my config
PHP Code:
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0; //default never expire
my login check function
PHP Code:
if($remember != 1)
{
$this->session->sess_expire_on_close = TRUE; //idk if this work or not
$this->session->sess_expiration = 7200;
}
$this->session->set_userdata('logged_in', 1); //this is the indicator if user logged in or not
all my page have this script at they constructor
PHP Code:
public function __construct(){
if($this->session->userdata('logged_in') != 1)
redirect('login');
}
i always using that script to implement remember me in codeigniter.
But when i read the docs: https://www.codeigniter.com/user_guide/libraries/sessions.html#session-preferences
i realize that i did wrong implementation.
Because $this->session->sess_expiration is method to change global config session expiration time.
This means, when 1 user not check remember me checkbox. any user that already logged in and checked remember me before, will be logout too in 2 hours later. CMIIW
so i googling the solution again and found 2 way:
1. using cookie : https://stackoverflow.com/questions/3984313/how-to-create-remember-me-checkbox-using-codeigniter-session-library
Code:
$cookie = array(
'name' => 'remember_me_token',
'value' => 'Random string',
'expire' => '1209600', // Two weeks
'domain' => '.your_domain.com',
'path' => '/'
);
set_cookie($cookie);since i dont want to use cookie, so i ignore this
2. using session
exactly same as i did before.
but when i read the docs, i know that this will not work
then i read all session doc and i found tempdata : https://www.codeigniter.com/user_guide/libraries/sessions.html#tempdata
so now my script login will be like this:
PHP Code:
$this->session->set_userdata('logged_in', 1);
if($remember != 1){
$this->session->mark_as_temp('logged_in', 7200);
}
what i do:
- set session logged_in = 1 when user and pass match
- if remember me not checked, mark session logged_in as temp that will destory in 7200 sec later
my question: is this the right way to implement remember me using session in CI ?
RE: how to implement remember me using session in CI? - Paradinight - 01-18-2018
(01-18-2018, 12:39 PM)plonknimbuzz Wrote: version: 3.1.7
my config
PHP Code:$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0; //default never expire
my login check function
PHP Code:if($remember != 1)
{
$this->session->sess_expire_on_close = TRUE; //idk if this work or not
$this->session->sess_expiration = 7200;
}
$this->session->set_userdata('logged_in', 1); //this is the indicator if user logged in or not
all my page have this script at they constructor
PHP Code:public function __construct(){
if($this->session->userdata('logged_in') != 1)
redirect('login');
}
i always using that script to implement remember me in codeigniter.
But when i read the docs: https://www.codeigniter.com/user_guide/libraries/sessions.html#session-preferences
i realize that i did wrong implementation.
Because $this->session->sess_expiration is method to change global config session expiration time.
This means, when 1 user not check remember me checkbox. any user that already logged in and checked remember me before, will be logout too in 2 hours later. CMIIW
so i googling the solution again and found 2 way:
1. using cookie : https://stackoverflow.com/questions/3984313/how-to-create-remember-me-checkbox-using-codeigniter-session-library
Code:$cookie = array(
'name' => 'remember_me_token',
'value' => 'Random string',
'expire' => '1209600', // Two weeks
'domain' => '.your_domain.com',
'path' => '/'
);
set_cookie($cookie);
since i dont want to use cookie, so i ignore this
2. using session
exactly same as i did before.
but when i read the docs, i know that this will not work
then i read all session doc and i found tempdata : https://www.codeigniter.com/user_guide/libraries/sessions.html#tempdata
so now my script login will be like this:
PHP Code:$this->session->set_userdata('logged_in', 1);
if($remember != 1){
$this->session->mark_as_temp('logged_in', 7200);
}
what i do:
- set session logged_in = 1 when user and pass match
- if remember me not checked, mark session logged_in as temp that will destory in 7200 sec later
my question: is this the right way to implement remember me using session in CI ?
Read:
https://stackoverflow.com/questions/3128985/php-login-system-remember-me-persistent-cookie#answer-30135526
https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2.1
RE: how to implement remember me using session in CI? - PaulD - 01-18-2018
I use IonAuth so all that stuff is done for me by the generous author.
However, as far as I understand it, you set a cookie (quite separate from the session cookie) like in your example 1, but you set the cookie to never expire (2 weeks makes no sense) and for any page load, if the current session (whether it is set to expire in 1 hour, or more, or whatever, it makes no difference) is not a logged in user, you check for the existence of the remember_me cookie. If it is found the code in it is matched against a user, and if matched, you log in the user (setting whatever session variables you use for your login) (after checking the user is not banned or membership expired etc) and the users page load shows him/her already logged in and recognised. Even if they used a deep link to something inside the site, they should get logged in automatically. This means you need to use a pre-controller hook so that any controller called runs the check. Are they logged in? No. Have they got a remember_me cookie set? Yes. Does it match a current user? Yes. Log them in and continue.
Hope that helps. I am sure like all things there are lots of ways of doing this.
Paul.
PS Just to add to the complication, if the remember me cookie for a particular ip address does not match a user, you need to log that, or delete the remember me cookie, or do a timeout before they can try again. Otherwise I could just keep trying remember me codes until I found one that worked. I am by no means a security person, hence I use well tested and tried libraries by people that have thought this all through with a better understanding of security issues surrounding authentication.
RE: how to implement remember me using session in CI? - plonknimbuzz - 01-18-2018
(01-18-2018, 12:58 PM)PaulD Wrote: However, as far as I understand it, you set a cookie (quite separate from the session cookie) like in your example 1, but you set the cookie to never expire (2 weeks makes no sense) and for any page load, if the current session (whether it is set to expire in 1 hour, or more, or whatever, it makes no difference) is not a logged in user, you check for the existence of the remember_me cookie. If it is found the code in it is matched against a user, and if matched, you log in the user (setting whatever session variables you use for your login) (after checking the user is not banned or membership expired etc) and the users page load shows him/her already logged in and recognised. Even if they used a deep link to something inside the site, they should get logged in automatically. This means you need to use a pre-controller hook so that any controller called runs the check. Are they logged in? No. Have they got a remember_me cookie set? Yes. Does it match a current user? Yes. Log them in and continue.
Hi paul,
thanks for your reply. thats really helpfull.
i will try that.
and i will learn about ionAuth later. (nice library)
RE: how to implement remember me using session in CI? - InsiteFX - 01-18-2018
Read this article:
Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)