'Remember Me' login

[eluser]codec_frequency[/eluser]
How do you implement this in CI ?

I've searched around the forum and found nothing helpful so far, point me out if there is already a topic discussing this. Thanks in advance.

[eluser]dmorin[/eluser]
Authentication is difficult to do correctly and securely. Most of the time, rolling your own should be discouraged unless you have studied a few good solutions.

That said, this is a pretty good paper about secure cookie handling: http://www.cse.msu.edu/~alexliu/publicat...cookie.pdf

The point is, it's not a CI thing since CI doesn't have a native auth library. So do you need to know how to implement a idea you already have in php, or do you just need to know the theory behind long-term logins?

[eluser]Adam Griffiths[/eluser]
Check out the wiki, it has some great libraries there.

[eluser]Colin Williams[/eluser]
The way the CI session class works, every login you do will act like Remember Me, because the session won't be destroyed when the site is exited.

[eluser]dmorin[/eluser]
@Colin Only if you set the sess_expiration config item to 0. By default it's set to 2 hours so sessions will be deleted after that time.

[eluser]codec_frequency[/eluser]
[quote author="Colin Williams" date="1231388885"]The way the CI session class works, every login you do will act like Remember Me, because the session won't be destroyed when the site is exited.[/quote]

Is this true ? Then all I need is to provide a different value to compare the session expiration time (other than $config['session_expiration']) for the 'Remember Me' case, right ? Is there a way to do this ? One way I could think of, would be add 'expiration_time' column to CI session table (I'm storing session in DB), and modify the Session class to have it compare 'last_activity' with its corresponding 'expiration_time' value, this way each session could have its own expiration time. I'm don't know whether it's possible.. maybe it's not a good idea.

Another way would be to utilize set_cookie(), following the guideline from Persistent login cookie : Best practice and/or the link dmorin posted.

Or is there already an authentication library dealing with this ? I've checked Redux, Erkana and FreakAuth so far with no result (something I missed ?).

How do people deal with this previously ?

edit : Thanks for the responses so far.

[eluser]Colin Williams[/eluser]

@Colin Only if you set the sess_expiration config item to 0. By default it’s set to 2 hours so sessions will be deleted after that time.

Right. Then you are saying, "Remember me for 2 hours." You could make it two weeks like a lot of sites do if you want. I don't see any reason to allow the user to set this option. That's an old school feature you really only ever see on old forum software.

[eluser]Sarfaraz Momin[/eluser]
Check dx auth library. I think it takes care of the issue u mentioned. The config file has the DX_autologin_cookie_life which can be set to anything and it does not takes the default value of $config[‘session_expiration’]. Hope it helps. Its an awesome library.

Have a good day !!!

[eluser]codec_frequency[/eluser]
[quote author="Sarfaraz Momin" date="1231480476"]Check dx auth library. I think it takes care of the issue u mentioned. The config file has the DX_autologin_cookie_life which can be set to anything and it does not takes the default value of $config[‘session_expiration’]. Hope it helps. Its an awesome library.

Have a good day !!![/quote]

this is indeed a good library. I wonder why it isn't listed in the wiki. Thanks for pointing that out, will look at it further.