What Does "remember me" Do and How Does it Work?
Re: What Does "remember me" Do and How Does it Work?
Here is how I do it.
Upon successful login:
1) Generate a random string and store it in the users database table.
2) Hash the user's id, username and this random string, and store the hash in a cookie prefixed with the user's id (e.g. 48:hashhere).
3) On a visit to the site, check whether the user is logged in. If not:
4) Check for the existence of the cookie.
5) If it is present, take the id from the cookie (e.g. 48) and look up the random string, username and id from the users table.
6) Hash the values pulled from the db and, if they match the cookie hash, create a new logged-in session for them.
This has worked well for me, but after reading this thread, probably just storing the hash in both the cookie and the db would save me some trouble.
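The scheme in the post above, written out as an added example (not the poster's code), with the simplification from its last sentence: the browser holds the random secret and the database keeps only a hash of it. The table layout, column names and the sample user (48, alice) are assumptions.

```php
<?php
// Added example, not the poster's code: a "remember me" token in the shape described
// above (cookie = "<user id>:<secret>"), simplified so that the database stores only
// a hash of the random secret. Table layout, column names and the sample user
// (48, alice) are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
           remember_hash TEXT, remember_expires INTEGER)');
$db->exec("INSERT INTO users (id, username) VALUES (48, 'alice')");

// Steps 1-2: on successful login, mint a random secret, keep only its hash in the
// users table and return the cookie value. The secret has 256 bits of entropy, so a
// fast hash is enough; a copy of the table alone does not yield a usable cookie.
function issueRememberToken(PDO $db, int $userId, int $ttlSeconds = 30 * 86400): string
{
    $secret = bin2hex(random_bytes(32));
    $st = $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?');
    $st->execute([hash('sha256', $secret), time() + $ttlSeconds, $userId]);
    return $userId . ':' . $secret;
}

// Steps 3-6: when there is no logged-in session, check the cookie against the row.
// Returns the user to log in, or null when the cookie is malformed, expired or wrong.
function userFromRememberCookie(PDO $db, string $cookie): ?array
{
    if (!preg_match('/^(\d{1,10}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                 // anything that is not "<digits>:<64 hex>" is rejected
    }
    $st = $db->prepare('SELECT id, username, remember_hash, remember_expires FROM users WHERE id = ?');
    $st->execute([(int) $m[1]]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['remember_hash'] === null || (int) $row['remember_expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time, so a wrong secret leaks nothing via timing
    if (!hash_equals($row['remember_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Usage: on login, set the cookie (HttpOnly and Secure); on a later visit without a
// session, call userFromRememberCookie() and start a new session for the result.
$cookieValue = issueRememberToken($db, 48);
// setcookie('remember', $cookieValue, ['expires' => time() + 30 * 86400,
//           'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(userFromRememberCookie($db, $cookieValue));                 // the sample cookie
var_dump(userFromRememberCookie($db, '48:' . str_repeat('0', 64)));  // a forged secret
```

After a successful check, call session_regenerate_id(true) before writing the user into the new session, and issue a fresh token so each cookie value is accepted only once.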
Re: What Does "remember me" Do and How Does it Work?
Eran wrote:
> Any specific reason you wouldn't do it the way I described? What is the problem with the session data being kept "alive" on the server?

It's simply not needed. It's temporary, *session* data. That's not its purpose.
There are 10 types of people in this world, those who understand binary and those who don't
Re: What Does "remember me" Do and How Does it Work?
You are saying it's not needed, but I suggested a much simpler way to achieve the same purpose. I let PHP preserve the session data instead of manipulating it manually. Who decided session data should not be long-lived? (By the way, I didn't invent this technique; I borrowed it from the ZF.)
Re: What Does "remember me" Do and How Does it Work?
Cases where you can't use your (Zend) technique (or where it is a bad idea):
1) Session save handlers are set to memory-* ones (improved performance).
2) You put a lot of data in your sessions, you have too many visitors, your keep-alive time is too long.
3) Session data may contain some sensitive user information (which otherwise does not exist after a plain login is performed),
4) ... or session data may expire (the data, not the session), thus an initialize/cleanup process is required (which is always performed at login).
5) Session files are stored in a system temporary folder, which is cleaned up on every reboot.
6) Session files are stored in a separate mount point which may run out of space
7) ... or inodes.
That's what comes to mind for now ...
Re: What Does "remember me" Do and How Does it Work?
Eran wrote:
> You are saying it's not needed, but I suggested a much simpler way to achieve the same purpose.

I wouldn't say it's much simpler - both approaches are too simple to make such a comparison.
Re: What Does "remember me" Do and How Does it Work?
> 1) Session save handlers are set to memory-* ones (improved performance).
> 2) You put a lot of data in your sessions, you have too many visitors, your keep-alive time is too long.
> 3) Session data may contain some sensitive user's information (which otherwise does not exist after a plain login is performed),
> 4) ... or session data may expire (the data, not the session), thus an initialize/cleanup process is required (which is always performed at login)
> 5) Session files are stored in a system temporary folder, which is cleaned up on every reboot.
> 6) Session files are stored in a separate mount point which may run out of space
> 7) ... or inodes

1. Any custom session handler would require additional logic. Regardless, it should work the same - why shouldn't it work?
2. Why should all of those be a problem? Disk space is the cheapest resource you have. The database would normally take up much more than the sessions (unless you are doing something you shouldn't with sessions).
3. That is true regardless. If someone compromises your server, does it matter if the session time is shorter or longer? You could say that more sessions are open if they are long, but that's about it. Don't put sensitive data in the session.
4. Like the rest of those, it's the same regardless of the session time. When something updates data that is relevant to the session, you need to update it. And it would usually happen while the user is logged in anyway (it is rare for session data to be updated when the user is offline - I've never had that).
5 + 6 + 7. Session paths etc. can be managed - and again, this is true regardless of session lifetime.
I didn't see anything here that is different between short lived and long lived sessions.
Re: What Does "remember me" Do and How Does it Work?
1. I am not talking about a "custom session handler" - I'm talking about ready-to-use, precompiled PHP extensions, like shared memory or memcached:

Code:
session.save_handler = mm

RAM is finite and expensive.

2.
> Why should all of those be a problem?

I do think a huge directory with a huge number of files is going to slow down session-related performance.

> Database would normally take up much more than the sessions (unless you are doing something you shouldn't with sessions)

True, but unrelated.

3.
> If someone compromises your server, does it matter if the session time is shorter or longer?

I meant client-side compromise.

5 + 6 + 7.
> Session paths etc can be managed - and again, this is true regardless of session life time

If you are able/allowed to.

All of the points above were not to be discussed - just examples of environments where using long sessions is not an option (or a bad one).

Session by definition is a short-lived thing:

> In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and torn down at a later point in time.

One question bothers me - how do you distinguish between "long" sessions and "short" sessions in the context of session GC?
Re: What Does "remember me" Do and How Does it Work?
I don't see how the definition you quoted does not match my definition of a session. Where is "semi-permanent" defined? Who said it has to be 15 minutes and not a week?
The GC collects according to the shortest sessions, so it's best to be consistent.
Re: What Does "remember me" Do and How Does it Work?
The main problem (from my point of view) is that you do not implement the "Remember me" feature, but restore the full user session (with all of the side effects introduced because of that). While it is the simplest way, it's not a general solution.
The "remember me" feature is just an automatic login indeed, nothing else.
Re: What Does "remember me" Do and How Does it Work?
Eran wrote:
> The default for session cookies' lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged in.

I found that if I close the browser window (without logging off) and then open it again and access the devnet site, I'm still logged in, and this is without checking the 'remember me' box. This only works if the computer hasn't been switched off and back on again.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering