What Does "remember me" Do and How Does it Work?
Posted: Mon Jan 31, 2011 9:39 pm
by Jonah Bron
Okay, yes, I know this question sounds silly... but I'd like clarification on what the "remember me" option in a login forms does. Does it just store your username into a cookie and autofill it? Does it store your username and a salted hash of your password hash to automatically log you back in?
Thanks.
Re: What Does "remember me" Do and How Does it Work?
Posted: Mon Jan 31, 2011 10:39 pm
by Eran
The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged in.
Re: What Does "remember me" Do and How Does it Work?
Posted: Mon Jan 31, 2011 11:04 pm
by matthijs
Funny, I have wondered the same thing. Never understood what it did. Maybe because I almost never close my browser so I never noticed a difference.
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 2:46 am
by Robert Sinclair
Is there any way to use the Google Analytics persistent cookie for this purpose?
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 3:37 am
by Darhazer
Eran wrote:The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged in.
This requires the session data also to be set to expire in different type.
Usually the 'remember me' option on web-sites generates a hash and uses that hash to log you in, creating a new session.
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 6:40 am
by Eran
Darhazer wrote:This requires the session data also to be set to expire in different type.
What does that mean? It should expire as usual.
Darhazer wrote:Usually the 'remember me' option on web-sites generates a hash and uses that hash to log you in, creating a new session.
You mean that's how you do it - the usual way I'm familiar with is the one I described.
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 6:46 am
by VladSun
Darhazer wrote:Eran wrote:The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged in.
This requires the session data also to be set to expire in different type.
Usually the 'remember me' option on web-sites generates a hash and uses that hash to log you in, creating a new session.
Probably Eran uses the session ID as the "hash" you mentioned.
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 9:20 am
by Darhazer
Eran wrote:This requires the session data also to be set to expire in different type.
What does that mean? It should expire as usual.
Usually the 'remember me' option on web-sites generates a hash and uses that hash to log you in, creating a new session.
You mean that's how you do it - the usual way I'm familiar with is the one I described.
I meant different time in the quoted sentence.
If by default the session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set the expire time in the cookie, and the cookie still contains only the session id, "remember me" will work only for 30 minutes after the last request.
So InvisionBoard, for example, generates a 'member_login_key' and sets this key in the cookie. When you load the page and there is no active session, but there is a member_login_key, it tries to fetch a member with that key and initialize a new member session.
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 10:44 am
by Jonah Bron
matthijs wrote:Funny, I have wondered the same thing. Never understood what it did. Maybe because I almost never close my browser so I never noticed a difference.
Whew! I'm not alone.
Eran wrote:The default for session cookies lifetime is until the browser is closed. When you check the "remember me" checkbox, a different lifetime is given to the cookie and it persists between browser sessions, allowing you to stay logged in.
Hm. But wouldn't the session expire on the server ...
Darhazer wrote:If by default the session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set the expire time in the cookie, and the cookie still contains only the session id, "remember me" will work only for 30 minutes after the last request.
... like that?
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 12:06 pm
by Eran
VladSun wrote:Probably Eran uses the session ID as the "hash" you mentioned.
I do in a sense, only it happens transparently behind the scenes of the PHP functions.
Darhazer wrote:I meant different time in the quoted sentence.
Makes sense.
Darhazer wrote:If by default the session expires on the server after 30 minutes (which means that gc deletes the file / database records) and you just set the expire time in the cookie, and the cookie still contains only the session id, "remember me" will work only for 30 minutes after the last request.
Jonah Bron wrote:Hm. But wouldn't the session expire on the server ...
Yes, you have to adjust the gc_maxlifetime value as well to compensate (default is 1440 seconds, which is probably not enough).
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 12:12 pm
by Jonah Bron
So, basically, set a cookie with the session_id(), and turn up the session expire time?
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 12:16 pm
by Eran
Use session_set_cookie_params() to change the lifetime of the session cookie, and then set the session normally using session_start() and $_SESSION (or any other abstraction - the ZF handles this lifetime change for you in the manner I described).
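The approach Eran describes, with Darhazer's gc_maxlifetime caveat applied, written out as an added example (not code from the thread, from ZF or from InvisionBoard). It assumes PHP 7.3+ for the array form of session_set_cookie_params(), that the caller has already verified the password, and that the site runs over HTTPS; REMEMBER_LIFETIME is a constructed value.

```php
<?php
// Added example: "remember me" by extending the PHP session cookie lifetime
// and the server-side session lifetime together.
declare(strict_types=1);

const REMEMBER_LIFETIME = 30 * 24 * 3600; // 30 days (constructed value)

/**
 * Start the authenticated session after a successful password check.
 * $rememberMe comes from the login form checkbox; $userId from the user row.
 */
function startLoginSession(bool $rememberMe, int $userId): void
{
    // 0 = plain session cookie, deleted when the browser closes.
    $lifetime = $rememberMe ? REMEMBER_LIFETIME : 0;

    // Darhazer's point: with only the cookie lifetime raised, gc would still
    // delete the server-side session data after session.gc_maxlifetime
    // (default 1440 s) of inactivity, so the long-lived cookie would point at
    // nothing. Both values must be set before session_start().
    if ($rememberMe) {
        ini_set('session.gc_maxlifetime', (string) REMEMBER_LIFETIME);
        // gc runs with the value of whichever script triggers it, so
        // long-lived sessions should live in their own save path.
        ini_set('session.save_path', '/var/lib/php/sessions-remembered'); // assumed path
    }

    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // never sent over plain HTTP
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Fresh id after authentication so an id issued before login is not reused.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['created_at'] = time();
}
```

Because the session itself is the credential here, revoking a remembered login means destroying that session on the server, and every remembered session stays in the session store for the full lifetime, which is the cost VladSun raises below in the thread.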
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 1:37 pm
by Jonah Bron
Okay, so just turn up the expire on the session cookie and the session itself?
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 1:42 pm
by VladSun
I would not do it this way. As Darhazer said, I would use a long ID (hash) stored in a cookie that will authenticate the user into the system (i.e. it is a third field in the DB together with the username/password fields). This way session data is not kept "alive" on the www server. The "keep-me-logged-in" timeout is defined both in the cookie (client-side) and in the DB (server-side) - that would be a 4th field in the DB.

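The login-key variant that Darhazer (InvisionBoard's member_login_key) and VladSun describe, as an added example that is not InvisionBoard's or any poster's own code. It assumes an SQLite in-memory database standing in for the real user table, a users table with the extra login_key and login_key_expires columns VladSun mentions, and PHP 7.3+ for the array form of setcookie(); KEY_LIFETIME and the demo rows are constructed. It goes one step beyond the thread by storing only a hash of the key, so the DB column alone cannot be replayed as a cookie.

```php
<?php
// Added example: a separate random login key, stored hashed beside the user,
// with its own server-side expiry (VladSun's 3rd and 4th DB fields).
declare(strict_types=1);

const KEY_LIFETIME = 30 * 24 * 3600; // 30 days (constructed value)

/** Issue a new key after a successful password login with "remember me" ticked. */
function issueLoginKey(PDO $db, int $userId): string
{
    $key     = bin2hex(random_bytes(32));        // 256 random bits, not guessable
    $expires = time() + KEY_LIFETIME;
    $st = $db->prepare('UPDATE users SET login_key = ?, login_key_expires = ? WHERE id = ?');
    $st->execute([hash('sha256', $key), $expires, $userId]);   // hash only, never the raw key
    setcookie('member_login_key', $key, [
        'expires' => $expires, 'path' => '/',
        'secure'  => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $key;
}

/** Called when there is no active session but the cookie is present. */
function userFromLoginKey(PDO $db, string $key): ?int
{
    $st = $db->prepare('SELECT id, login_key_expires FROM users WHERE login_key = ?');
    $st->execute([hash('sha256', $key)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // The cookie's own expiry is client-controlled; only the DB value is trusted.
    if ($row === false || (int) $row['login_key_expires'] < time()) {
        return null;
    }
    return (int) $row['id'];   // caller now starts a fresh session for this user
}

/** Logout or "sign out everywhere": invalidate the key server-side. */
function revokeLoginKey(PDO $db, int $userId): void
{
    $db->prepare('UPDATE users SET login_key = NULL, login_key_expires = NULL WHERE id = ?')
       ->execute([$userId]);
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT,
           login_key TEXT, login_key_expires INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'jonah', 'not-a-real-hash', NULL, NULL)");
$key = issueLoginKey($db, 1);
var_dump(userFromLoginKey($db, $key));          // the user's id
var_dump(userFromLoginKey($db, 'wrong-key'));   // rejected
revokeLoginKey($db, 1);
var_dump(userFromLoginKey($db, $key));          // rejected after revocation
```

Keeping the expiry in the DB, as VladSun says, means a client that edits its cookie's expiry gains nothing, and because the key is separate from the session nothing needs to stay alive in the session store between visits.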
Re: What Does "remember me" Do and How Does it Work?
Posted: Tue Feb 01, 2011 5:31 pm
by Eran
Any specific reason you wouldn't do it the way I described? What is the problem with the session data being kept "alive" on the server?