+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forumdisplay.php?fid=5)
+--- Forum: General Help (https://forum.codeigniter.com/forumdisplay.php?fid=24)
+--- Thread: Overriding Session Expiration? (/showthread.php?tid=72963)
Overriding Session Expiration? - Haravikk - 03-06-2019
So I'm working with a site that has "unlimited" (very long expiration time) sessions so that a user doesn't have to keep logging in all the time, however this isn't really ideal if a user uses an insecure (e.g- shared) system, as they'll stay logged in.
What I'd like to do is add a "Keep me logged in" checkbox on the login page so that I can have default behaviour with a short (or on close) expiration time, and then override that with the much longer expiration time (or the other way around, if easier).
Now I know how I'd do this if I was using PHP's session functions directly, but is there a proper way to do this with CodeIgniter's session class? Also if there is an easier way to do this on CodeIgniter 4 do let me know; I hadn't intended to upgrade just yet (too much other stuff still to get done) but I can move it forward if it will make this easier to implement.
Thanks!
RE: Overriding Session Expiration? - muuucho - 03-07-2019
Ion_Auth comes with "Remember me" functionality. You can limit the time to be remembered in the config file ion_auth.php
http://benedmunds.com/ion_auth/
RE: Overriding Session Expiration? - Haravikk - 03-07-2019
(03-07-2019, 02:33 AM)muuucho Wrote: Ion_Auth comes with "Remember me" functionality. You can limit the time to be remembered in the config file ion_auth.phpThanks for letting me know about this! Unfortunately it looks like they're doing this by setting their own, separate cookie with a separate table (or table fields) to handle what is essentially an additional session cookie, which is a bit disappointing, as it means essentially implementing my own parallel session cookies.
http://benedmunds.com/ion_auth/
I've been looking more at the problem and one other possible alternative might be to set CodeIgniter's session cookies to something sufficiently high (e.g- a month, with regeneration enabled), then if the user doesn't ask to be remembered, set an earlier expiration time in the user data. This means I'll still need to add some kind of code to all controllers (via inheritance) to check this expiration time, so that sessions that have expired this way can be cleared and redirected to a login page.
It's still not ideal though, as really what I want to do is have the cookie expire on close by default, and set a time if the user asks to be remembered. Both options involve a lot of working around CodeIgniter's session class.
Are there any other alternative ways to do this?