What Does "remember me" Do and How Does it Work?


Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

What Does "remember me" Do and How Does it Work?

Post by Jonah Bron »

Okay, yes, I know this question sounds silly... but I'd like clarification on what the "remember me" option in a login form does. Does it just store your username into a cookie and autofill it? Does it store your username and a salted hash of your password hash to automatically log you back in?

Thanks.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: What Does "remember me" Do and How Does it Work?

Post by matthijs »

Funny, I have wondered the same thing. Never understood what it did. Maybe because I almost never close my browser so I never noticed a difference.
Robert Sinclair
Forum Newbie
Posts: 10
Joined: Sun Jan 30, 2011 10:58 pm

Re: What Does "remember me" Do and How Does it Work?

Post by Robert Sinclair »

Is there any way to use the Google Analytics persistent cookie for this purpose?
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by Darhazer »

Eran wrote:
> The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in

This requires the session data also to be set to expire in different type.
Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

> This requires the session data also to be set to expire in different type.

What does that mean? It should expire as usual

> Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session

You mean that's how you do it - the usual way I'm familiar with is the one I described
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

Darhazer wrote:
> Eran wrote:
> > The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in
>
> This requires the session data also to be set to expire in different type.
> Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session

Probably Eran uses the session Id as the "hash" you mentioned.
There are 10 types of people in this world, those who understand binary and those who don't
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by Darhazer »

Eran wrote:
> > This requires the session data also to be set to expire in different type.
>
> What does that mean? it should expire as usual
>
> > Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session
>
> You mean that's how you do it - the usual way I'm familiar with is the one I described

I meant different time in the quoted sentence

If by default session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set expire time in the cookie, and the cookie still contains only the session id, the "remember me" will work only for 30 minutes after the last request.

So InvisionBoard, for example, generates 'member_login_key' and sets this key in the cookie. When you load the page and there is no active session, but there is member_login_key, it tries to fetch a member with that key and initialize a new member session.
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: What Does "remember me" Do and How Does it Work?

Post by Jonah Bron »

matthijs wrote:
> Funny, I have wondered the same thing. Never understood what it did. Maybe because I almost never close my browser so I never noticed a difference.

Whew! I'm not alone :D

Eran wrote:
> The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in

Hm. But wouldn't the session expire on the server ...

Darhazer wrote:
> If by default session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set expire time in the cookie, and the cookie still contains only the session id, the "remember me" will work only for 30 minutes after the last request.

... like that?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

> Probably Eran uses the session Id as the "hash" you mentioned.

I do in a sense, only it happens transparently behind the scenes of the PHP functions

> I meant different time in the quoted sentence

Makes sense :)

> If by default session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set expire time in the cookie, and the cookie still contains only the session id, the "remember me" will work only for 30 minutes after the last request.
> Hm. But wouldn't the session expire on the server ...

Yes, you have to adjust the gc_maxlifetime value as well to compensate (default is 1440 seconds which is probably not enough).
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: What Does "remember me" Do and How Does it Work?

Post by Jonah Bron »

So, basically, set a cookie with the session_id(), and turn up the session expire time?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

Use session_set_cookie_params() to change the lifetime of the session cookie, and then set session normally using session_start() and $_SESSION (or any other abstraction - the ZF handles this lifetime change for you in the manner I described)
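
The approach discussed up to this point (longer session cookie lifetime plus a raised gc_maxlifetime), as an added example that is not code from any poster in this thread. The constants, function names and the `last_seen`/`remember` session keys are assumptions; it needs PHP 7.3+ for the array form of session_set_cookie_params().

```php
<?php
declare(strict_types=1);

const REMEMBER_SECONDS     = 14 * 24 * 3600; // assumed "remember me" window
const DEFAULT_IDLE_SECONDS = 1800;           // assumed idle limit without "remember me"

// Call before any output and before any other session use in the request.
function open_session(bool $remember = false): void
{
    // Server side: GC must not delete session data before the longest cookie
    // expires. Set it on every request (or in php.ini): when scripts share a
    // save path, the lowest gc_maxlifetime among them decides what survives.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);

    session_set_cookie_params([
        'lifetime' => $remember ? REMEMBER_SECONDS : 0, // 0 = until browser closes
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function log_in(int $userId, bool $remember): void
{
    open_session($remember);
    // New ID at login (defeats fixation); this is also what makes PHP send
    // the cookie with the lifetime chosen above.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['remember']  = $remember;
    $_SESSION['last_seen'] = time();
}

function current_user_id(): ?int
{
    open_session();
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    // GC now keeps every session for the long window, so the short limit for
    // non-remembered logins has to be enforced by the application itself.
    $limit = !empty($_SESSION['remember']) ? REMEMBER_SECONDS : DEFAULT_IDLE_SECONDS;
    if (time() - ($_SESSION['last_seen'] ?? 0) > $limit) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}
```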
Jonah Bron
DevNet Master
Posts: 2764
Joined: Thu Mar 15, 2007 6:28 pm
Location: Redding, California

Re: What Does "remember me" Do and How Does it Work?

Post by Jonah Bron »

Okay, so just turn up the expire on the session cookie and the session itself?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

I would not do it this way. As Darhazer said, I would use a long ID (hash) stored in a cookie, that will authenticate the user into the system (i.e. it is a third field in the DB together with the username/password fields). This way session data is not kept "alive" on the www server. The "keep-me-logged-in" timeout is defined both in the cookie (client-side) and in the DB (server-side) - that would be a 4th field in the DB :)
There are 10 types of people in this world, those who understand binary and those who don't
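
The login-key approach described by Darhazer and VladSun above, as an added example that is not InvisionBoard's code or any poster's. The column names `remember_hash` and `remember_expires` (the "third" and "fourth" fields), the cookie name and the function names are assumptions; it also assumes PHP 7.3+, a PDO handle in exception mode, and that session_start() has already run.

```php
<?php
declare(strict_types=1);

const REMEMBER_SECONDS = 30 * 24 * 3600;  // assumed window
const COOKIE_NAME      = 'remember_token'; // hypothetical cookie name

// Assumed schema: users(id, username, password_hash, remember_hash, remember_expires)
// One key per user: logging in from a second browser replaces the first key.

function issue_remember_token(PDO $db, int $userId): void
{
    $token   = bin2hex(random_bytes(32)); // random, not derived from the password
    $expires = time() + REMEMBER_SECONDS;
    // Store only a hash, so a leaked table does not yield usable cookies.
    $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), $expires, $userId]);
    setcookie(COOKIE_NAME, $token, [
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Call when the request has no logged-in session.
function login_from_remember_cookie(PDO $db): ?int
{
    $token = $_COOKIE[COOKIE_NAME] ?? '';
    if (!is_string($token) || strlen($token) !== 64 || !ctype_xdigit($token)) {
        return null;
    }
    // Expiry is enforced server-side; the cookie's own expiry is not trusted.
    $stmt = $db->prepare('SELECT id FROM users WHERE remember_hash = ? AND remember_expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;
    }
    session_regenerate_id(true);              // fresh session for the restored login
    $_SESSION['user_id'] = (int) $userId;
    issue_remember_token($db, (int) $userId); // rotate: each key is used once
    return (int) $userId;
}

function forget_me(PDO $db, int $userId): void  // on logout or password change
{
    $db->prepare('UPDATE users SET remember_hash = NULL, remember_expires = NULL WHERE id = ?')
       ->execute([$userId]);
    setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/']);
}
```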
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

Any specific reason you wouldn't do it the way I described? What is the problem with the session data being kept "alive" on the server?