SOLVED -- simple solution to session expiration

[eluser]nuwanda[/eluser]
On a couple of threads...

http://ellislab.com/forums/viewthread/152877/

http://ellislab.com/forums/viewthread/109645/

...the discussion was about creating a true session expiration-on-close-browser and a quick way to check logged in status.

I'm very new to CI, but I've come up with this. I've tested it in all modern browsers and it works perfectly. Hope it's of help to someone. Thanks to those who replied on those other threads.

The code uses a remember_me cookie set on the basis of the remember_me checkbox in the login form. The login_helper checks the status of the remember_me cookie and the CI session cookie to work out if the user is logged in currently or is returning to the site and needs to be logged in. Simply setting the remember_me cookie to true is not enough. CI needs to have dropped a session cookie and the app needs to set it to logged_in=true. Logging out sets the remember_me cookie to zero and this deletes it when the browser closes.


First there's login validation in my user controller:

Code:

function validate()
    {
      $this->load->model('user_model');
        $query=$this->user_model->validate();
        
        if($query)//login valid
        {
          //set SESSION logged in to TRUE
          $session_data=array(
              'username'=>$this->input->post('username'),
                'logged_in'=>TRUE,
            );

            $this->session->set_userdata($session_data);
            
            if($this->input->post('remember_me'))
            {
                 //if remember me ticked, set cookie to PERSIST across visits                        
              $cookie = array(
          'name'   => 'remember_me',
          'value'  => 'persist',
          'expire' => 60*60*24*365//1 year
        );
          }
            else
            {
              //if remember me NOT ticked we still need to set the cookie
                //to CURRENT so that the helpers/login_helper function still returns TRUE
                //for the current visit
                //EXPIRE set to 0 so cookie will die at end of visit
              $cookie = array(
          'name'   => 'remember_me',
          'value'  => 'current',
          'expire' => 0
                );
            }

      set_cookie($cookie);
            
            redirect('user/login_success');
        }
        else//login invalid
        {
          $this->login();
        }

    }

function logout()
    {
      $this->session->unset_userdata('logged_in');

    $cookie = array(
      'name'   => 'remember_me',
      'value'  => FALSE,
      'expire' => 0
    );
    
    set_cookie($cookie);
        
        redirect('user/logout_success');        
    }

Then there's a tiny helper that is used to check login status. This is autoloaded and can be used anywhere to include discrete sections of code, html, etc.

Code:

function logged_in()
{
    $CI =&get;_instance();
        
        //if logged in but not having set remember me, cookie is set to current and will
        //expire when browser is closed -- FALSE will be returned on next visit
      if($CI->session->userdata('logged_in')==TRUE AND get_cookie('remember_me')=='current')
        {
           return TRUE;
        }        
        
        //if returning to site having set remember me
        if($CI->session->userdata('logged_in')==TRUE AND get_cookie('remember_me')=='persist')
        {
          return TRUE;
        }

        //if the user logged out then there will be no remember me cookie and we need to
        //return FALSE
    return FALSE;

}

[eluser]nuwanda[/eluser]
Ok, a glitch.

If you open multiple tabs in Firefox it will ask you if you want to save them before quitting--that's a feature that reopens those same tabs at your *next* startup. In that case, the cookie set to 'current' is still present when you restart.

This must be a FF glitch as all the documentation says the cookie should be deleted at browser close.

Any ideas?