how to implement remember me using session in CI?

#1
version: 3.1.7
my config
PHP Code:
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 0; //default never expire

my login check function
PHP Code:
if($remember != 1)
{
    $this->session->sess_expire_on_close = TRUE; //idk if this work or not
    $this->session->sess_expiration = 7200;
}
$this->session->set_userdata('logged_in', 1); //this is the indicator if user logged in or not

all my page have this script at they constructor
PHP Code:
public function __construct(){
    parent::__construct();
    if($this->session->userdata('logged_in') != 1)
        redirect('login');
}


I was always using that script to implement remember me in CodeIgniter.

But when I read the docs: https://www.codeigniter.com/user_guide/l...references
I realized that I did a wrong implementation.
Because $this->session->sess_expiration is the method to change the global config session expiration time.
This means, when 1 user does not check the remember me checkbox, any user that already logged in and checked remember me before will be logged out too, 2 hours later. CMIIW

So I googled for the solution again and found 2 ways:
1. using a cookie https://stackoverflow.com/questions/3984...on-library
Code:
$cookie = array(
   'name'   => 'remember_me_token',
   'value'  => 'Random string',
   'expire' => '1209600',  // Two weeks
   'domain' => '.your_domain.com',
   'path'   => '/'
);

set_cookie($cookie);


Since I don't want to use a cookie, I ignore this.

2. using the session
exactly the same as I did before.
But when I read the docs, I know that this will not work.


Then I read the whole session doc and found tempdata: https://www.codeigniter.com/user_guide/l...l#tempdata

So now my login script will be like this:

PHP Code:
$this->session->set_userdata('logged_in', 1);
if($remember != 1){
    $this->session->mark_as_temp('logged_in', 7200);
}


What I do:
- set session logged_in = 1 when user and pass match
- if remember me is not checked, mark session logged_in as temp so that it will be destroyed 7200 sec later



My question: is this the right way to implement remember me using the session in CI?
Reply
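One way to write the tempdata version in full, as an added example (not the poster's code and not from the CI user guide). It assumes the Session library and the url helper are autoloaded, and a hypothetical User_model::find_by_username() that returns an object with ->id and ->password_hash. One caveat worth knowing before relying on it: in CI3, $config['sess_expiration'] = 0 means the session cookie lasts only until the browser closes, so a "remembered" login survives across requests but not across browser restarts; surviving a restart needs a separate cookie.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
// Added example (not from the thread): per-session login expiry with CI3 tempdata.
// Assumes Session library + url helper autoloaded and a hypothetical User_model.

// application/core/MY_Controller.php -- every protected controller extends this.
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        // userdata() returns NULL once tempdata has expired, so one check covers both
        // the permanent marker (remember me ticked) and the 7200 s temporary one.
        if ($this->session->userdata('logged_in') != 1) {
            redirect('login');
        }
    }
}

// application/controllers/Login.php -- extends CI_Controller, not MY_Controller,
// so the login page itself stays reachable when nobody is logged in.
class Login extends CI_Controller
{
    const SHORT_LOGIN_TTL = 7200;   // seconds a non-remembered login stays valid

    public function __construct()
    {
        parent::__construct();
        $this->load->model('user_model');   // hypothetical model, not part of CI
    }

    public function index()
    {
        if ($this->input->method() !== 'post') {
            $this->load->view('login_form');   // hypothetical view
            return;
        }
        $username = $this->input->post('username', TRUE);
        $password = $this->input->post('password');
        $remember = (int) $this->input->post('remember');   // 1 when the checkbox is ticked

        $user = $this->user_model->find_by_username($username);
        if ($user === NULL || ! password_verify($password, $user->password_hash)) {
            $this->session->set_flashdata('error', 'Invalid username or password');
            redirect('login');
        }

        // Fresh session ID on login, so an ID planted before authentication is useless.
        $this->session->sess_regenerate(TRUE);
        $this->session->set_userdata(array('logged_in' => 1, 'user_id' => $user->id));

        if ($remember !== 1) {
            // mark_as_temp() only touches THIS session. Changing sess_expiration at
            // runtime would alter the lifetime for every user, which is the problem
            // the opening post ran into.
            $this->session->mark_as_temp(array('logged_in', 'user_id'), self::SHORT_LOGIN_TTL);
        }
        redirect('dashboard');
    }

    public function logout()
    {
        $this->session->sess_destroy();
        redirect('login');
    }
}
```

Tempdata expiry is stored inside the session data itself, so it is evaluated per session on each request and never leaks into the global config; marking user_id temporary along with logged_in keeps the two from drifting apart when the marker expires.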

#2
(01-18-2018, 12:39 PM)plonknimbuzz Wrote: [quotes post #1 in full]

Read:
https://stackoverflow.com/questions/3128...r-30135526
https://paragonie.com/blog/2015/04/secur...#title.2.1
Reply

#3
I use IonAuth so all that stuff is done for me by the generous author.

However, as far as I understand it, you set a cookie (quite separate from the session cookie) like in your example 1, but you set the cookie to never expire (2 weeks makes no sense) and for any page load, if the current session (whether it is set to expire in 1 hour, or more, or whatever, it makes no difference) is not a logged in user, you check for the existence of the remember_me cookie. If it is found the code in it is matched against a user, and if matched, you log in the user (setting whatever session variables you use for your login) (after checking the user is not banned or membership expired etc) and the user's page load shows him/her already logged in and recognised. Even if they used a deep link to something inside the site, they should get logged in automatically. This means you need to use a pre-controller hook so that any controller called runs the check. Are they logged in? No. Have they got a remember_me cookie set? Yes. Does it match a current user? Yes. Log them in and continue.

Hope that helps. I am sure like all things there are lots of ways of doing this.

Paul.

PS Just to add to the complication, if the remember me cookie for a particular IP address does not match a user, you need to log that, or delete the remember me cookie, or do a timeout before they can try again. Otherwise I could just keep trying remember me codes until I found one that worked. I am by no means a security person, hence I use well tested and tried libraries by people that have thought this all through with a better understanding of security issues surrounding authentication.
Reply
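The cookie flow Paul describes, written out as an added example (not from the thread and not IonAuth's code). The token is split into a public selector and a secret validator, as in the paragonie article linked in post #2, so the database never holds anything that could be replayed if it leaked. Assumptions: a constructed table auth_tokens (selector CHAR(24) UNIQUE, validator_hash CHAR(64), user_id INT, expires DATETIME), PHP 7 for random_bytes() and hash_equals(), the CI3 cookie helper, database library and an autoloaded Session library. The hook is registered as post_controller_constructor rather than pre_controller because get_instance(), and with it $CI->session, only exists once the controller has been constructed.

```php
<?php
defined('BASEPATH') OR exit('No direct script access allowed');
// Added example (not from the thread, not IonAuth): separate remember-me cookie with a
// selector/validator token. Constructed schema: auth_tokens(selector, validator_hash,
// user_id, expires). Needs PHP 7, CI3 cookie helper, database library, Session library.

// application/libraries/Remember_me.php
class Remember_me
{
    const COOKIE   = 'remember_me_token';
    const LIFETIME = 2592000;   // 30 days, a design choice; tokens are revocable anyway

    protected $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->helper('cookie');
        $this->CI->load->database();
    }

    /** Call after a successful password login when the checkbox was ticked. */
    public function issue($user_id)
    {
        $selector  = bin2hex(random_bytes(12));   // public lookup key (24 hex chars)
        $validator = bin2hex(random_bytes(32));   // secret half; only its hash is stored

        $this->CI->db->insert('auth_tokens', array(
            'selector'       => $selector,
            'validator_hash' => hash('sha256', $validator),
            'user_id'        => $user_id,
            'expires'        => date('Y-m-d H:i:s', time() + self::LIFETIME),
        ));
        set_cookie(array(
            'name'     => self::COOKIE,
            'value'    => $selector . ':' . $validator,
            'expire'   => self::LIFETIME,   // seconds from now (CI3 set_cookie convention)
            'secure'   => TRUE,             // HTTPS only
            'httponly' => TRUE,             // invisible to page scripts
        ));
    }

    /** Returns the user_id the cookie proves, or NULL. */
    public function user_from_cookie()
    {
        $raw = $this->CI->input->cookie(self::COOKIE, TRUE);
        if ($raw === NULL || substr_count($raw, ':') !== 1) {
            return NULL;
        }
        list($selector, $validator) = explode(':', $raw, 2);

        $row = $this->CI->db->get_where('auth_tokens', array(
            'selector'  => $selector,
            'expires >' => date('Y-m-d H:i:s'),
        ))->row();

        // Constant-time compare of the hashed secret half. A known selector with a wrong
        // validator means the cookie was tampered with: revoke that token, log it and
        // drop the cookie, which is the handling Paul's PS asks for.
        if ($row === NULL || ! hash_equals($row->validator_hash, hash('sha256', $validator))) {
            log_message('error', 'remember-me token rejected, ip=' . $this->CI->input->ip_address());
            if ($row !== NULL) {
                $this->CI->db->delete('auth_tokens', array('selector' => $selector));
            }
            delete_cookie(self::COOKIE);
            return NULL;
        }
        return (int) $row->user_id;
    }
}

// application/hooks/Auto_login.php, enabled with $config['enable_hooks'] = TRUE and
// $hook['post_controller_constructor'] = array('class' => 'Auto_login', 'function' => 'run',
//     'filename' => 'Auto_login.php', 'filepath' => 'hooks');
class Auto_login
{
    public function run()
    {
        $CI =& get_instance();
        if ($CI->session->userdata('logged_in') == 1) {
            return;   // already logged in, nothing to do
        }
        $CI->load->library('remember_me');
        $user_id = $CI->remember_me->user_from_cookie();
        if ($user_id !== NULL) {
            // Same treatment as a password login: new session ID, then the login marker.
            $CI->session->sess_regenerate(TRUE);
            $CI->session->set_userdata(array('logged_in' => 1, 'user_id' => $user_id));
        }
    }
}
```

On logout, delete the auth_tokens row for the cookie's selector and call delete_cookie() so the token cannot be reused from that browser; and before trusting a matched token in the hook, apply the same banned/expired-membership checks Paul mentions that a password login would apply.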

#4
(01-18-2018, 12:58 PM)PaulD Wrote: [quotes the explanation from post #3]

Hi Paul,
thanks for your reply. That's really helpful.
I will try that.

And I will learn about IonAuth later. (nice library)
Reply

#5
Read this article:

Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies)
What did you Try? What did you Get? What did you Expect?

Joined CodeIgniter Community 2009.  ( Skype: insitfx )
Reply
