What Does "remember me" Do and How Does it Work?
- Jonah Bron
- DevNet Master
- Posts: 2764
- Joined: Thu Mar 15, 2007 6:28 pm
- Location: Redding, California
What Does "remember me" Do and How Does it Work?
Okay, yes, I know this question sounds silly... but I'd like clarification on what the "remember me" option in a login form does. Does it just store your username into a cookie and autofill it? Does it store your username and a salted hash of your password hash to automatically log you back in?
Thanks.
Re: What Does "remember me" Do and How Does it Work?
The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in
Re: What Does "remember me" Do and How Does it Work?
Funny, I have wondered the same thing. Never understood what it did. Maybe because I almost never close my browser so I never noticed a difference.
- Robert Sinclair
- Forum Newbie
- Posts: 10
- Joined: Sun Jan 30, 2011 10:58 pm
Re: What Does "remember me" Do and How Does it Work?
Is there any way to use the Google Analytics persistent cookie for this purpose?
Re: What Does "remember me" Do and How Does it Work?
Eran wrote: The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in
This requires the session data also to be set to expire in different type.
Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session
Re: What Does "remember me" Do and How Does it Work?
Quote: This requires the session data also to be set to expire in different type.
What does that mean? it should expire as usual
Quote: Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session
You mean that's how you do it - the usual way I'm familiar with is the one I described
Re: What Does "remember me" Do and How Does it Work?
Darhazer wrote:
    Eran wrote: The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in
    This requires the session data also to be set to expire in different type.
    Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session
Probably Eran uses the session Id as the "hash" you mentioned.
There are 10 types of people in this world, those who understand binary and those who don't
Re: What Does "remember me" Do and How Does it Work?
Eran wrote:
    Quote: This requires the session data also to be set to expire in different type.
    What does that mean? it should expire as usual
    Quote: Usually 'remember me' option on web-sites generates a hash and uses that hash to login you, creating a new session
    You mean that's how you do it - the usual way I'm familiar with is the one I described
I meant different time in the quoted sentence.
If by default session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set expire time in the cookie, and the cookie still contains only the session id, the "remember me" will work only for 30 minutes after the last request.
So InvisionBoard, for example, generates 'member_login_key' and sets this key in the cookie. When you load the page and there is no active session, but there is member_login_key, it tries to fetch a member with that key and initialize a new member session.
- Jonah Bron
Re: What Does "remember me" Do and How Does it Work?
matthijs wrote: Funny, I have wondered the same thing. Never understood what it did. Maybe because I almost never close my browser so I never noticed a difference.
Whew! I'm not alone
Eran wrote: The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in
Hm. But wouldn't the session expire on the server ...
Darhazer wrote: If by default session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set expire time in the cookie, and the cookie still contains only the session id, the "remember me" will work only for 30 minutes after the last request.
... like that?
Re: What Does "remember me" Do and How Does it Work?
Quote: Probably Eran uses the session Id as the "hash" you mentioned.
I do in a sense, only it happens transparently behind the scenes of the PHP functions
Quote: I meant different time in the quoted sentence
    If by default session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set expire time in the cookie, and the cookie still contains only the session id, the "remember me" will work only for 30 minutes after the last request.
Makes sense
Quote: Hm. But wouldn't the session expire on the server ...
Yes, you have to adjust the gc_maxlifetime value as well to compensate (default is 1440 seconds which is probably not enough).
- Jonah Bron
Re: What Does "remember me" Do and How Does it Work?
So, basically, set a cookie with the session_id(), and turn up the session expire time?
Re: What Does "remember me" Do and How Does it Work?
Use session_set_cookie_params() to change the lifetime of the session cookie, and then set session normally using session_start() and $_SESSION (or any other abstraction - the ZF handles this lifetime change for you in the manner I described)
- Jonah Bron
Re: What Does "remember me" Do and How Does it Work?
Okay, so just turn up the expire on the session cookie and the session itself?
Re: What Does "remember me" Do and How Does it Work?
I would not do it this way. As Darhazer said, I would use a long ID (hash) stored in a cookie, that will authenticate the user into the system (i.e. it is a third field in the DB together with the username/password fields). This way session data is not kept "alive" on the www server. The "keep-me-logged-in" timeout is defined both in the cookie (client-side) and in the DB (server-side) - that would be a 4th field in the DB 
There are 10 types of people in this world, those who understand binary and those who don't
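The cookie-token design described in the post above, and in the earlier member_login_key post, sketched in PHP as an added example that is not code from the thread or from InvisionBoard. The column names (remember_hash, remember_expires), the 14-day lifetime, the "id:token" cookie format and the choice to store only a SHA-256 hash of the token are assumptions; it needs the pdo_sqlite extension to run.

```php
<?php
declare(strict_types=1);
// Added example. Hypothetical schema: users.remember_hash, users.remember_expires.
const REMEMBER_TTL = 14 * 24 * 3600; // assumed 14-day lifetime

// Issue a token at login when "remember me" is ticked. Returns the cookie value.
function issueRememberToken(PDO $db, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32)); // the "long ID" kept in the cookie
    $stmt = $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?');
    // Only a hash is stored, so a leaked table does not yield usable cookies.
    $stmt->execute([hash('sha256', $token), $now + REMEMBER_TTL, $userId]);
    return $userId . ':' . $token;
}

// Called when there is no active session but the cookie is present.
// Returns the user id on success, null otherwise.
function loginFromRememberCookie(PDO $db, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null; // malformed cookie
    }
    $stmt = $db->prepare('SELECT remember_hash, remember_expires FROM users WHERE id = ?');
    $stmt->execute([(int) $parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['remember_hash'] === null || (int) $row['remember_expires'] < $now) {
        return null; // unknown user, no token issued, or expired server-side
    }
    if (!hash_equals($row['remember_hash'], hash('sha256', $parts[1]))) {
        return null; // token mismatch, compared in constant time
    }
    // A real caller would now session_regenerate_id(true) and fill $_SESSION.
    return (int) $parts[0];
}

// Constructed demo data: in-memory SQLite with one user.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, remember_hash TEXT, remember_expires INTEGER)');
$db->exec("INSERT INTO users (id, username, password_hash) VALUES (1, 'alice', 'placeholder')");

$now = time();
$cookie = issueRememberToken($db, 1, $now);
// In a web request: setcookie('remember', $cookie, ['expires' => $now + REMEMBER_TTL, 'httponly' => true, 'secure' => true]);
var_dump(loginFromRememberCookie($db, $cookie, $now + 3600));             // inside the lifetime
var_dump(loginFromRememberCookie($db, $cookie, $now + REMEMBER_TTL + 1)); // past the DB-side expiry
var_dump(loginFromRememberCookie($db, '1:' . str_repeat('0', 64), $now)); // wrong token
```

The session itself keeps its normal short lifetime here; only the token row outlives it, and clearing remember_hash on logout or password change revokes the cookie server-side.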
Re: What Does "remember me" Do and How Does it Work?
Any specific reason you wouldn't do it the way I described? what is the problem with the session data being kept "alive" on the server?