FuelPHP Forums

Is set_config working with cookie based sessions ?
  • Hi,

    I tried to make a 'remember me' function on my website. I am using cookie based sessions.

    In my configuration file, I set 'expire_on_close' to true and 'expiration_time' to 2592000 (30 days).

    So by default sessions work until the browser is closed, but I added a test in my login function to check if the 'remember me' checkbox was checked:

    if (Input::post('remember') != 'remember')
    {
        Session::instance()->set_config('expire_on_close', false);
    }

    But after this the session cookie is still expiring at the end of the browser session (expiration date is not set).

    Am I not doing this the right way ?
  • Did you check the expiration of the cookie directly after you processed this request?

    This should work fine, but obviously only on the page where you submit a form that has an input field called 'remember'. On the next page, it will be set to expire_on_close again.
  • Ok thanks for your answer. I see what I missed. The configuration is set to the default value at each request if I understand. So I need to store the 'remember_me' choice somewhere and check it at each request to always set 'expire_on_close' to false.

    Is this solution a good one ? : http://fuelphp.com/forums/discussion/5131/how-to-replicate-remember-me-on-this-computer-functionality

    It's setting a 'remember_me' session variable to true if the option is checked and doing this test in the base controller :

    if (\Session::get('remember_me', false) === true)
    {
        Session::instance()->set_config('expire_on_close', false);
    }

    Thanks for your answer :)
  • Harro
    Accepted Answer
    My applications use two session objects: one that is high-performance (usually memcached) and short-lived, the other is stored in the DB, and long lived.

    User state is stored in the short lived session, remember-me state in the long lived.

    This way you benefit from the security measures that have been implemented for sessions, because unprotected 'remember-me' features are extremely dangerous: they allow you to log in without knowing the password.
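
The two-session layout described in this answer, as an added example that is not part of the thread or of FuelPHP itself. It assumes the memcached and db session drivers are set up in the session configuration; the class name, method names, the `user_id` key and the 7200-second lifetime are hypothetical.

```php
<?php
// Added example: hypothetical application code, not FuelPHP core.
class Controller_Base extends \Controller
{
    protected $state;     // short-lived session: user state
    protected $remember;  // long-lived session: remember-me state
    public function before()
    {
        parent::before();
        // Forged on every request, so nothing relies on an earlier set_config() call.
        $this->state = \Session::forge(array(
            'driver'          => 'memcached',
            'expire_on_close' => true,
            'expiration_time' => 7200,      // assumed lifetime
            'match_ua'        => true,
        ));
        $this->remember = \Session::forge(array(
            'driver'          => 'db',
            'expire_on_close' => false,
            'expiration_time' => 2592000,   // 30 days, as in the question
            'match_ua'        => true,
        ));
        // Browser was reopened: user state is gone, remember-me state is not.
        $id = $this->remember->get('user_id');
        if ($this->state->get('user_id') === null && $id !== null)
        {
            $this->state->set('user_id', $id);
            $this->state->rotate();
            $this->remember->rotate();
        }
    }

    // Call only after the password check has succeeded.
    protected function remember_login($user_id, $remember_me)
    {
        $this->state->rotate();             // new session id at login
        $this->state->set('user_id', $user_id);
        if ($remember_me)
        {
            $this->remember->set('user_id', $user_id);
        }
    }

    protected function forget_login()
    {
        $this->state->destroy();
        $this->remember->destroy();
    }
}
```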
  • Thanks.

    I know it can be dangerous. If I understand, the only way to make this functionality safe is to use HTTPS to protect against cookie stealing. If not, Fuel PHP has 'match_ip' and 'match_ua', even if it is not totally reliable.

    Well, thanks again !
