Login

plonknimbuzz · (This post was last modified: 01-18-2018, 12:42 PM by plonknimbuzz.)

version: 3.1.7
my config

PHP Code:
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0; //default never expire 

my login check function

PHP Code:
if($remember != 1)
{
    $this->session->sess_expire_on_close = TRUE; //idk if this work or not
    $this->session->sess_expiration = 7200;
}
$this->session->set_userdata('logged_in', 1); //this is the indicator if user logged in or not 

all my page have this script at they constructor

PHP Code:
public function __construct(){
    if($this->session->userdata('logged_in') != 1)
    redirect('login');
} 

i always using that script to implement remember me in codeigniter.

But when i read the docs: https://www.codeigniter.com/user_guide/l...references
i realize that i did wrong implementation.
Because $this->session->sess_expiration is method to change global config session expiration time.
This means, when 1 user not check remember me checkbox. any user that already logged in and checked remember me before, will be logout too in 2 hours later. CMIIW

so i googling the solution again and found 2 way:
1. using cookie : https://stackoverflow.com/questions/3984...on-library

Code:
$cookie = array(

    'name'   => 'remember_me_token',

    'value'  => 'Random string',

    'expire' => '1209600',  // Two weeks

    'domain' => '.your_domain.com',

    'path'   => '/'

);

set_cookie($cookie);

since i dont want to use cookie, so i ignore this

2. using session
exactly same as i did before.
but when i read the docs, i know that this will not work

then i read all session doc and i found tempdata : https://www.codeigniter.com/user_guide/l...l#tempdata

so now my script login will be like this:

PHP Code:
$this->session->set_userdata('logged_in', 1);
if($remember != 1){
    $this->session->mark_as_temp('logged_in', 7200);
} 

what i do:
- set session logged_in = 1 when user and pass match
- if remember me not checked, mark session logged_in as temp that will destory in 7200 sec later

my question: is this the right way to implement remember me using session in CI ?

Paradinight · 01-18-2018, 12:49 PM

(01-18-2018, 12:39 PM)plonknimbuzz Wrote: version: 3.1.7
my config

PHP Code:
$config['sess_cookie_name'] = 'ci_session'; $config['sess_expiration'] = 0; //default never expire

my login check function

PHP Code:
if($remember != 1) { $this->session->sess_expire_on_close = TRUE; //idk if this work or not $this->session->sess_expiration = 7200; } $this->session->set_userdata('logged_in', 1); //this is the indicator if user logged in or not

all my page have this script at they constructor

PHP Code:
public function __construct(){ if($this->session->userdata('logged_in') != 1) redirect('login'); }

i always using that script to implement remember me in codeigniter.

But when i read the docs: https://www.codeigniter.com/user_guide/l...references
i realize that i did wrong implementation.
Because $this->session->sess_expiration is method to change global config session expiration time.
This means, when 1 user not check remember me checkbox. any user that already logged in and checked remember me before, will be logout too in 2 hours later. CMIIW

so i googling the solution again and found 2 way:
1. using cookie : https://stackoverflow.com/questions/3984...on-library

Code:
$cookie = array( 'name' => 'remember_me_token', 'value' => 'Random string', 'expire' => '1209600', // Two weeks 'domain' => '.your_domain.com', 'path' => '/' ); set_cookie($cookie);

since i dont want to use cookie, so i ignore this

2. using session
exactly same as i did before.
but when i read the docs, i know that this will not work

then i read all session doc and i found tempdata : https://www.codeigniter.com/user_guide/l...l#tempdata

so now my script login will be like this:

PHP Code:
$this->session->set_userdata('logged_in', 1); if($remember != 1){ $this->session->mark_as_temp('logged_in', 7200); }

what i do:
- set session logged_in = 1 when user and pass match
- if remember me not checked, mark session logged_in as temp that will destory in 7200 sec later

my question: is this the right way to implement remember me using session in CI ?

Read:
https://stackoverflow.com/questions/3128...r-30135526
https://paragonie.com/blog/2015/04/secur...#title.2.1

PaulD · (This post was last modified: 01-18-2018, 01:01 PM by PaulD.)

I use IonAuth so all that stuff is done for me by the generous author.

However, as far as I understand it, you set a cookie (quite separate from the session cookie) like in your example 1, but you set the cookie to never expire (2 weeks makes no sense) and for any page load, if the current session (whether it is set to expire in 1 hour, or more, or whatever, it makes no difference) is not a logged in user, you check for the existence of the remember_me cookie. If it is found the code in it is matched against a user, and if matched, you log in the user (setting whatever session variables you use for your login) (after checking the user is not banned or membership expired etc) and the users page load shows him/her already logged in and recognised. Even if they used a deep link to something inside the site, they should get logged in automatically. This means you need to use a pre-controller hook so that any controller called runs the check. Are they logged in? No. Have they got a remember_me cookie set? Yes. Does it match a current user? Yes. Log them in and continue.

Hope that helps. I am sure like all things there are lots of ways of doing this.

Paul.

PS Just to add to the complication, if the remember me cookie for a particular ip address does not match a user, you need to log that, or delete the remember me cookie, or do a timeout before they can try again. Otherwise I could just keep trying remember me codes until I found one that worked. I am by no means a security person, hence I use well tested and tried libraries by people that have thought this all through with a better understanding of security issues surrounding authentication.

plonknimbuzz · 01-18-2018, 01:47 PM

(01-18-2018, 12:58 PM)PaulD Wrote: However, as far as I understand it, you set a cookie (quite separate from the session cookie) like in your example 1, but you set the cookie to never expire (2 weeks makes no sense) and for any page load, if the current session (whether it is set to expire in 1 hour, or more, or whatever, it makes no difference) is not a logged in user, you check for the existence of the remember_me cookie. If it is found the code in it is matched against a user, and if matched, you log in the user (setting whatever session variables you use for your login) (after checking the user is not banned or membership expired etc) and the users page load shows him/her already logged in and recognised. Even if they used a deep link to something inside the site, they should get logged in automatically. This means you need to use a pre-controller hook so that any controller called runs the check. Are they logged in? No. Have they got a remember_me cookie set? Yes. Does it match a current user? Yes. Log them in and continue.

Hi paul,
thanks for your reply. thats really helpfull.
i will try that.

and i will learn about ionAuth later. (nice library)

InsiteFX · 01-18-2018, 10:46 PM

Read this article:

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)

Login
Username:
Password:	Lost Password?
	Remember me