CI session function how to "remember me" and is it security?

[eluser]Andychan[/eluser]
CI session function how to "remember me" and is it security?

Because I heard some people said, session is cookie only

so I'm worried about security problem.

and if it is cookies, can I set the sess_expiration over than one month?

Thanks for the help.

[eluser]boltsabre[/eluser]
You've some research to do on the topic Andychan.

By default CI sessions are stored as cookies (which live on the clients computer, thus are open to attack - although not wide wide open, especially if you encrypt them first, but still open). But you can set it up to store the sessions in a database instead, reducing this risk.

You can set a cookie to expire at any time you want, a minute, day, week, year, etc.

Adding 'remember me' always leaves you open to security problems, you'll have to do some research on this yourself and make a decision on if you want (or need) this functionality. You notice your online banking portal has no such functionality, and for very good reasons.

Try reading up on some things and then decide what path you want to take. Good luck.

[eluser]cideveloper[/eluser]
Take a look at how Ion Auth implements this functionality. Also take a look at Saving Session Data to a Database.

[eluser]InsiteFX[/eluser]
I ended up writing my own cookie methods to use for remember me.

InsiteFX