'Remember Me' login
[eluser]codec_frequency[/eluser]
How do you implement this in CI? I've searched around the forum and found nothing helpful so far; point it out to me if there is already a topic discussing this. Thanks in advance.
[eluser]dmorin[/eluser]
Authentication is difficult to do correctly and securely. Most of the time, rolling your own should be discouraged unless you have studied a few good solutions. That said, this is a pretty good paper about secure cookie handling: http://www.cse.msu.edu/~alexliu/publicat...cookie.pdf The point is, it's not a CI thing since CI doesn't have a native auth library. So do you need to know how to implement an idea you already have in PHP, or do you just need to know the theory behind long-term logins?
[eluser]Colin Williams[/eluser]
The way the CI session class works, every login you do will act like Remember Me, because the session won't be destroyed when the site is exited.
[eluser]dmorin[/eluser]
@Colin Only if you set the sess_expiration config item to 0. By default it's set to 2 hours so sessions will be deleted after that time.
[eluser]codec_frequency[/eluser]
[quote author="Colin Williams" date="1231388885"]The way the CI session class works, every login you do will act like Remember Me, because the session won't be destroyed when the site is exited.[/quote]
Is this true? Then all I need is to provide a different value to compare the session expiration time (other than $config['session_expiration']) for the 'Remember Me' case, right? Is there a way to do this?
One way I could think of would be to add an 'expiration_time' column to the CI session table (I'm storing sessions in the DB), and modify the Session class to have it compare 'last_activity' with its corresponding 'expiration_time' value; this way each session could have its own expiration time. I don't know whether it's possible... maybe it's not a good idea.
Another way would be to utilize set_cookie(), following the guideline from Persistent login cookie: Best practice and/or the link dmorin posted.
Or is there already an authentication library dealing with this? I've checked Redux, Erkana and FreakAuth so far with no result (something I missed?). How did people deal with this previously?
Edit: Thanks for the responses so far.
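The per-session expiry idea from the post above, sketched in plain PHP as an added example; it is not part of the original thread and not CodeIgniter's Session class. The function names, the row layout, the in-memory array standing in for the session table, and the cookie flags are assumptions.

```php
<?php
// Added example: per-session lifetime via an assumed 'expiration_time' column.
const SHORT_LIFETIME    = 7200;     // 2 hours, the default mentioned in the thread
const REMEMBER_LIFETIME = 1209600;  // 2 weeks, the figure suggested in the thread

/** Create a session row whose lifetime depends on the "remember me" checkbox. */
function create_session(array &$table, int $userId, bool $remember, int $now): string
{
    $id = bin2hex(random_bytes(16)); // 128-bit id from the CSPRNG
    $table[$id] = [
        'user_id'         => $userId,
        'last_activity'   => $now,
        'expiration_time' => $remember ? REMEMBER_LIFETIME : SHORT_LIFETIME,
    ];
    return $id;
}

/** Return the user id of a live session, or null; expired rows are deleted. */
function validate_session(array &$table, string $id, int $now): ?int
{
    if (!isset($table[$id])) {
        return null;
    }
    $row = $table[$id];
    // Idle time is compared with this row's own lifetime, not a global setting.
    if ($now - $row['last_activity'] > $row['expiration_time']) {
        unset($table[$id]); // drop it server side so the old id stops working
        return null;
    }
    $table[$id]['last_activity'] = $now; // sliding expiry on each request
    return $row['user_id'];
}

/** Options for setcookie($name, $id, $options) (PHP 7.3+ array form). */
function cookie_options(bool $remember, int $now): array
{
    // expires = 0 gives a browser-session cookie; otherwise it outlives the browser.
    return ['expires' => $remember ? $now + REMEMBER_LIFETIME : 0, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// Constructed walk-through with a fixed clock (timestamps are sample values).
$table = [];
$t0    = 1700000000;
$short = create_session($table, 1, false, $t0);
$long  = create_session($table, 2, true, $t0);
var_dump(validate_session($table, $short, $t0 + 3 * 3600)); // short session, 3 h idle
var_dump(validate_session($table, $long, $t0 + 3 * 3600));  // remembered session, 3 h idle
```

The server-side lifetime and the cookie's `expires` value have to agree: a long-lived row with a browser-session cookie is forgotten when the browser closes, and a long-lived cookie pointing at an expired row is rejected by `validate_session`.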
[eluser]Colin Williams[/eluser]
[quote author="dmorin"]@Colin Only if you set the sess_expiration config item to 0. By default it’s set to 2 hours so sessions will be deleted after that time.[/quote] Right. Then you are saying, "Remember me for 2 hours." You could make it two weeks like a lot of sites do if you want. I don't see any reason to allow the user to set this option. That's an old school feature you really only ever see on old forum software.
[eluser]Sarfaraz Momin[/eluser]
Check the dx auth library. I think it takes care of the issue you mentioned. The config file has the DX_autologin_cookie_life which can be set to anything, and it does not take the default value of $config['session_expiration']. Hope it helps. It's an awesome library. Have a good day!
[eluser]codec_frequency[/eluser]
[quote author="Sarfaraz Momin" date="1231480476"]Check the dx auth library. I think it takes care of the issue you mentioned. The config file has the DX_autologin_cookie_life which can be set to anything, and it does not take the default value of $config['session_expiration']. Hope it helps. It's an awesome library. Have a good day![/quote] This is indeed a good library. I wonder why it isn't listed in the wiki. Thanks for pointing that out, will look at it further.