Session Handling
I am having a problem keeping users logged in. I was wondering about session.gc_maxlifetime. Could I just use that to set the lifetime to something to keep them logged in forever, or what? See, I am trying to do the remember me thing, and I am getting so confused.
As astions alluded to, this is normally referred to as a 'persistent login'.
If you haven't already, I strongly recommend picking up Chris Shiflett's book Essential PHP Security.
Some guidelines (paraphrasing Shiflett from his book):
- Force the cookie to expire within a reasonable time frame, e.g. a week
- Create a new cookie upon successful login (every time)
- If the user is a frequenter, create a new cookie upon successful validation of said cookie to give the user the appearance of an 'indefinite login'
- View the cookie as a 'remember me' only for 'public events', and not for changing passwords, personal information, etc. Always force a re-login or force password validation prior to allowing the user access to 'sensitive info'
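One way to put those four guidelines into PHP, as an added example that is not from this thread or Shiflett's book: a one-week cookie, a fresh token on every login, rotation on every successful validation, and a session flag so sensitive pages can demand a real re-login. The cookie name, the in-memory `$store` array (a real site would use a database table keyed by selector) and the `fresh_auth` session flag are assumptions.

```php
<?php
// Added example: persistent-login ('remember me') cookie handling.
const REMEMBER_COOKIE   = 'remember_me';      // assumed cookie name
const REMEMBER_LIFETIME = 7 * 24 * 60 * 60;   // one week (guideline 1)

// Issue a fresh token. Called on every successful login (guideline 2) and
// again after every successful cookie validation (guideline 3).
function issueRememberToken(array &$store, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret, stored only as a hash
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_LIFETIME,
    ];
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Validate the cookie. The presented token is consumed (single use) and a
// new one issued, so the login looks indefinite but no token lives past a
// week. Returns the user id, or null if the cookie is missing or invalid.
function validateRememberCookie(array &$store): ?int
{
    if (empty($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    [$selector, $validator] = explode(':', $_COOKIE[REMEMBER_COOKIE], 2) + [null, null];
    if ($selector === null || $validator === null || !isset($store[$selector])) {
        return null;
    }
    $record = $store[$selector];
    unset($store[$selector]);                 // rotate: old token is dead either way
    if ($record['expires'] < time()
        || !hash_equals($record['hash'], hash('sha256', $validator))) {
        return null;
    }
    issueRememberToken($store, $record['user_id']);
    // Guideline 4: a remembered user is not freshly authenticated. Pages that
    // change passwords or personal data check this flag and force a re-login.
    $_SESSION['fresh_auth'] = false;
    return $record['user_id'];
}
```

A normal password login would call `issueRememberToken()` and set `$_SESSION['fresh_auth'] = true`; sensitive pages then require that flag to be true rather than trusting the cookie.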