What Does "remember me" Do and How Does it Work?


s.dot
Tranquility In Moderation
Posts: 5001
Joined: Sun Feb 06, 2005 7:18 pm
Location: Indiana

Re: What Does "remember me" Do and How Does it Work?

Post by s.dot »

Here is how I do it.

Upon successful login..

1) Generate a random string and store it in the users database table.
2) Hash the user's id, username, and this random string, and store it in a cookie prepended with the user's id (e.g. 48:hashhere).
3) Upon a visit to the site, check if the user is logged in. If not,
4) check for the existence of the cookie.
5) If it is present, get the id from the cookie (e.g. 48) and look up the random string, username, and id from the users table.
6) Hash the values pulled from the DB, and if they match the cookie hash, create a new logged-in session for them.

This has worked well for me, but upon reading this thread, probably just storing the hash in both the cookie and the db would save me some troubles.
Set Search Time - A google chrome extension. When you search only results from the past year (or set time period) are displayed. Helps tremendously when using new technologies to avoid outdated results.
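The six steps above, as an added example that is not s.dot's code: PHP 7.1 or later, with a constructed in-memory $users array standing in for the users table and a plain array standing in for $_SESSION so it runs from the command line. The function names (issueRememberCookie, checkRememberCookie, resumeFromCookie and the "Hardened" pair) are assumptions. It goes one step past the post: whatever sits verbatim in the users table is a cookie-equivalent, so the hardened variant stores only a hash of the random string server-side and sends the raw string in the cookie, which means a leaked table does not yield valid cookies.

```php
<?php
// Added example, not s.dot's code: his six steps against a constructed
// in-memory users table so the script runs from the CLI, followed by a
// variant that keeps only a hash of the secret on the server side.
declare(strict_types=1);

// Constructed stand-in for the users table: id => row.
$users = [
    48 => ['id' => 48, 'username' => 'alice', 'remember_token' => null],
];

// Steps 1-2, on successful login: random string into the DB row, cookie
// value = "<id>:<sha256(id | username | random)>".
function issueRememberCookie(array &$users, int $id): string
{
    $random = bin2hex(random_bytes(32));
    $users[$id]['remember_token'] = $random;
    $hash = hash('sha256', $id . '|' . $users[$id]['username'] . '|' . $random);
    return $id . ':' . $hash;
}

// Steps 4-6, on a visit with no logged-in session: parse the cookie, look the
// row up by id, recompute the hash from DB values and compare. Returns the
// user id on success, null otherwise.
function checkRememberCookie(array $users, ?string $cookie): ?int
{
    if ($cookie === null || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                   // absent or malformed
    }
    $row = $users[(int) $m[1]] ?? null;
    if ($row === null || $row['remember_token'] === null) {
        return null;                                   // unknown id or no token issued
    }
    $expected = hash('sha256', $row['id'] . '|' . $row['username'] . '|' . $row['remember_token']);
    // hash_equals() keeps the comparison constant-time.
    return hash_equals($expected, $m[2]) ? $row['id'] : null;
}

// Hardened variant: the DB keeps sha256(secret), the cookie carries the raw
// secret. With the layout above a dump of the users table is enough to
// recompute every valid cookie; here it is not.
function issueRememberCookieHardened(array &$users, int $id): string
{
    $secret = bin2hex(random_bytes(32));
    $users[$id]['remember_token'] = hash('sha256', $secret);
    return $id . ':' . $secret;
}

function checkRememberCookieHardened(array $users, ?string $cookie): ?int
{
    if ($cookie === null || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stored = $users[(int) $m[1]]['remember_token'] ?? null;
    if ($stored === null) {
        return null;
    }
    return hash_equals($stored, hash('sha256', $m[2])) ? (int) $m[1] : null;
}

// Step 3: consult the cookie only when there is no logged-in session yet.
// $session stands in for $_SESSION; in a real request call
// session_regenerate_id(true) before writing, so the anonymous session id is
// not promoted to an authenticated one.
function resumeFromCookie(array &$session, array $users, ?string $cookie): void
{
    if (isset($session['user_id'])) {
        return;
    }
    $id = checkRememberCookieHardened($users, $cookie);
    if ($id !== null) {
        $session['user_id'] = $id;
    }
}

// Self-check from the CLI.
$cookie = issueRememberCookie($users, 48);
if (checkRememberCookie($users, $cookie) !== 48) {
    throw new RuntimeException('valid cookie rejected');
}
if (checkRememberCookie($users, '48:' . str_repeat('0', 64)) !== null) {
    throw new RuntimeException('forged cookie accepted');
}
$cookie = issueRememberCookieHardened($users, 48);   // rotates the token
$session = [];
resumeFromCookie($session, $users, $cookie);
if (($session['user_id'] ?? null) !== 48) {
    throw new RuntimeException('hardened cookie rejected');
}
echo "ok\n";
```

In a web request the cookie is sent with setcookie('remember', $value, [...]) using the PHP 7.3+ options array with 'httponly' => true, 'secure' => true, 'samesite' => 'Lax' and a far-future 'expires'. Rotate the token on every successful auto-login (as the self-check does once) and null the DB field on logout, so a cookie copied off the client stops working at the first opportunity.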
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

Eran wrote:Any specific reason you wouldn't do it the way I described? what is the problem with the session data being kept "alive" on the server?
It's simply not needed. It's temporary, *session* data. That's not its purpose.
There are 10 types of people in this world, those who understand binary and those who don't
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

You are saying it's not needed, but I suggested a much simpler way to achieve the same purpose. I let PHP preserve the session data instead of manipulating it manually. Who decided session data should not be long-lived? (This technique, by the way, I didn't invent; I borrowed it from the ZF.)
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

Cases where you can't (or it's too bad to) use your (Zend) technique:

1) Session save handlers are set to memory-* ones (improved performance).
2) You put a lot of data in your sessions, you have too many visitors, your keep-alive time is too long.
3) Session data may contain some sensitive user information (which otherwise does not exist after a plain login is performed),
4) ... or session data may expire (the data, not the session), thus an initialize/cleanup process is required (which is always performed at login)
5) Session files are stored in a system temporary folder, which is cleaned up on every reboot.
6) Session files are stored in a separate mount point which may run out of space
7) ... or inodes

That's what comes in mind for now ...
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

Eran wrote:You are saying it's not needed, but I suggested a much simpler way to achieve the same purpose.
I wouldn't say it's much simpler - both approaches are too simple to make such comparison.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

VladSun wrote:
1) Session save handlers are set to memory-* ones (improved performance).
2) You put a lot of data in your sessions, you have too many visitors, your keep-alive time is too long.
3) Session data may contain some sensitive user's information (which otherwise does not exist after a plain login is performed),
4) ... or session data may expire (the data, not the session), thus an initialize/cleanup process is required (which is always performed at login)
5) Session files are stored in a system temporary folder, which is cleaned up on every reboot.
6) Session files are stored in a separate mount point which may run out of space
7) ... or inodes
1. Any custom session handler would require additional logic. Regardless, it should work the same - why shouldn't it work?
2. Why should all of those be a problem? Disk space is the cheapest resource you have. The database would normally take up much more than the sessions (unless you are doing something you shouldn't with sessions).
3. That is true regardless. If someone compromises your server, does it matter if the session time is shorter or longer? You could say that more sessions are open if they are long, but that's about it. Don't put sensitive data in the session.
4. Like the rest of those, it's the same regardless of the session time. When something updates data that is relevant to the session, you need to update it. And it would usually happen while the user is logged in anyway (it's rare for session data to be updated when the user is offline - I've never had that).
5 + 6 + 7. Session paths etc. can be managed - and again, this is true regardless of session lifetime.

I didn't see anything here that is different between short lived and long lived sessions.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

1. I am not talking about a "custom session handler" - I'm talking about ready to use, precompiled PHP extensions, like shared memory or memcached:

    session.save_handler = mm

RAM is finite and expensive.

2.
Eran wrote:Why should all of those be a problem?
I do think a huge directory with a huge number of files is going to slow down session-related performance.
Eran wrote:Database would normally take up much more than the sessions (unless you are doing something you shouldn't with sessions)
True, but unrelated.

3.
Eran wrote:If someone compromises your server, does it matter if the session time is shorter or longer?
I meant client-side compromise.

5 + 6 + 7.
Eran wrote:Session paths etc can be managed - and again, this is true regardless of session life time
If you are able/allowed to.

All of the points above were not meant to be discussed - they are just examples of environments where using long sessions is not an option (or a bad one).

Session by definition is a short-lived thing.
In computer science, in particular networking, a session is a semi-permanent interactive information interchange, also known as a dialogue, a conversation or a meeting, between two or more communicating devices, or between a computer and user (see Login session). A session is set up or established at a certain point in time, and torn down at a later point in time.
One question bothers me - how do you distinguish between "long" sessions and "short" sessions in the context of session GC?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: What Does "remember me" Do and How Does it Work?

Post by Eran »

I don't see how the definition you quoted does not match my definition of a session. Where is "semi-permanent" defined? who said it has to be 15 minutes and not a week?
The gc collects according to the shortest sessions, so it's best to be consistent
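Eran's approach, as an added example that is neither his code nor Zend Framework's: keep the user in the ordinary PHP session and only extend the session cookie when "remember me" is checked, together with the GC consistency point he makes. It assumes PHP 7.3 or later (options-array form of session_set_cookie_params() and setcookie()), a site served over HTTPS ('secure' => true), and the names configureSession(), login() and effectiveLifetime() are invented for the example.

```php
<?php
// Added example, not Eran's or Zend Framework code: extend the session cookie
// on "remember me", and keep gc_maxlifetime consistent with it.
declare(strict_types=1);

const REMEMBER_LIFETIME = 30 * 86400;   // "remember me": 30 days (assumed value)

// Call before session_start(). gc_maxlifetime is the server-side limit: a
// request that triggers GC deletes every session in the shared save_path
// older than *its* gc_maxlifetime. So a script using a short value collects
// the long-lived sessions of any other script sharing that path, which is
// why the setting has to agree across everything that shares it.
function configureSession(int $gcMaxLifetime): void
{
    ini_set('session.gc_maxlifetime', (string) $gcMaxLifetime);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,                        // browser-session cookie by default
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called from the login handler after the password check, with the session
// already started. $remember is the checkbox state.
function login(int $userId, bool $remember): void
{
    session_regenerate_id(true);    // fresh id, old data deleted: no fixation
    $_SESSION['user_id'] = $userId;
    if ($remember) {
        // The cookie from session_start() is already on its way with
        // lifetime 0; re-send the session cookie with a persistent expiry.
        setcookie(session_name(), session_id(), [
            'expires'  => time() + REMEMBER_LIFETIME,
            'path'     => '/',
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'Lax',
        ]);
    }
}

// How long a remembered login really survives: the cookie expiry capped by
// the server-side GC limit. Beyond gc_maxlifetime the browser still holds a
// cookie, but it points at data the server has already deleted.
function effectiveLifetime(int $cookieLifetime, int $gcMaxLifetime): int
{
    return min($cookieLifetime, $gcMaxLifetime);
}

// Self-check from the CLI: a 30-day cookie against PHP's default
// gc_maxlifetime of 1440 seconds survives 24 minutes, not 30 days.
if (effectiveLifetime(REMEMBER_LIFETIME, 1440) !== 1440) {
    throw new RuntimeException('unexpected effective lifetime');
}
if (effectiveLifetime(REMEMBER_LIFETIME, REMEMBER_LIFETIME) !== REMEMBER_LIFETIME) {
    throw new RuntimeException('unexpected effective lifetime');
}
echo "ok\n";
```

Two caveats for anyone deploying this: ini_set() only affects GC runs triggered from that script, so on distributions that disable probabilistic GC and clean the session directory from a cron job (Debian and Ubuntu do), the value has to go into php.ini, not the code; and with the memory-backed handlers VladSun mentions, a 30-day gc_maxlifetime means 30 days of RAM per idle visitor who ticked the box.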
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: What Does "remember me" Do and How Does it Work?

Post by VladSun »

The main problem (from my point of view) is that you do not implement the "Remember me" feature, but restore the full user session (with all of the side effects introduced because of that). While it is the simplest way, it's not a general solution.

The "remember me" feature is just an automatic login indeed, nothing else.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: What Does "remember me" Do and How Does it Work?

Post by social_experiment »

Eran wrote:The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged-in
I found that if I close the browser window (without logging off) and then open it again and access the devnet site, I'm still logged in, and this is without checking the 'remember me' box. This only works if the computer hasn't been switched off and back on again.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering