Example of Remember Me Function?
#1

[eluser]Corey Freeman[/eluser]
Me again. From looking around, I know I need a cookie, and that's about all I figured out. I have a working login script, but I need to know how to integrate a remember me function. Any way it could be dumbed down for someone new to this stuff?
#2

[eluser]bretticus[/eluser]
Here's the basic use case:

Login
User fills out username and password text fields.
User checks "remember me" checkbox.
On successful authentication (username and password match in database)...
Set a cookie using instructions from CI manual for 30 days (or whatever you feel is adequate.) The cookie must contain a user id or some other way to identify the user.

In your function that checks if a user is logged in, also check for this cookie (you might want to encrypt or hash something in the cookie that can validate the cookie's validity, but not required.) If the cookie is present, allow the user access (or set the session variables that indicate a user is logged in.)

Have fun!
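
One way to implement the cookie check described in this post, as an added example that is not code from the thread or from CodeIgniter: plain PHP in which the cookie carries a random selector and validator rather than a bare user id, the server stores only the validator's hash, and each token is rotated on use. The `$store` array standing in for a database table, the function names and user id 42 are assumptions made for the example.

```php
<?php
// Added example, plain PHP without a framework.
// $store stands in for a table: selector => [user_id, hash, expires] (hypothetical layout).
const REMEMBER_DAYS = 30;

function issue_remember_token(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_DAYS * 86400,
    ];
    // This string is the cookie value; send it with the HttpOnly and Secure flags.
    return $selector . ':' . $validator;
}

function check_remember_token(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed value or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // single use, whether or not it validates
    if ($row['expires'] < $now
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired, or validator does not match
    }
    // Rotate: the caller sets the session variables and sends the new cookie value.
    return ['user_id' => $row['user_id'],
            'cookie'  => issue_remember_token($store, $row['user_id'], $now)];
}

// Constructed walk-through: issue, accept once, reject replay, reject a made-up value.
$store  = [];
$now    = time();
$cookie = issue_remember_token($store, 42, $now);
$first  = check_remember_token($store, $cookie, $now + 3600);
var_dump($first['user_id']);
var_dump(check_remember_token($store, $cookie, $now + 7200));
var_dump(check_remember_token($store, 'abc:def', $now));
```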
#3

[eluser]Corey Freeman[/eluser]
What would getting the cookie look like? Do I just retrieve it and pass that info into the session, or do I actually need some form of the user's ID?
#4

[eluser]WanWizard[/eluser]
Note that whatever you do with the content of the cookie, it is a security risk.
If I can obtain this cookie, I can use it to craft my own cookie and use it as login credential to gain access to your account.

If you want this feature, it is a lot easier and safer to extend the lifespan of the session cookie, and just use the regular way of authenticating page requests, via the session_id and the user data that is stored server side in the session table. To log in and out, do not destroy the session, but simply delete the user information from the session when the user logs out.

BTW, this is more secure because by default the session library validates user agent and IP as well, and rotates the session_id every 300 seconds. This means that the session hijacking window is limited between PCs that share the same user agent and IP, and it has to be done within 300 seconds max. There is no user data stored in the cookie (encrypted or not).
#5

[eluser]CoderReborn[/eluser]
@WanWizard - what's the best way to extend the lifespan of the session cookie?
#6

[eluser]WanWizard[/eluser]
Set the desired session expiration time in the config.

I have a default expiration in the config file. I use a modified version of the session library, that only does one session update, at the end of each page request. By that time, I know the user, and the user expiration preference (a sort of dynamic remember me), and I use that to modify the sess_expiration of the session. When the session is updated, the cookie is written with the proper expiration time.



