Codeigniter session cookies and remember me option

Hi i'm coding an auth login function, well i need to add the typical remember me checkbox to make session not expire.

Which is the best practice to do that?

I thought 开发者_C百科about adding a cookie and store inside the user id, then when user browse at first time the site, check for that cookie, if exist i grab the user id from the cookie and create the session, is this the right way to do that? what about security?

Here's how I would do it:

Create a column called "remember_code", and make a randomly generated hash when they check off "remember me"

Set Cookie with both remember_code, along with user's identity (login username or email).

When they try to re-log, check both: remember_code from database, along with username/email, and if they are correct, log them in automatically.

This practice is generally safe, but to double check, you can check IP or User Agent to make sure that is the right user.

I was implemented some different solution on CodeIgniter 3.

I treat remember me option like only extend session time. I. e. standard session time is 2 hours, extended 7 days.

To do that:

1 - Add remember me checkbox and hidden field to the form

echo form_hidden('remember_me', '0');
echo form_checkbox('remember_me', '1');

2 - Add below to configuration (config.php)

$config['sess_expiration'] = 72000; // standard time, 2hrs
$config['sess_extended_expiration'] = 604800; // extended time, 7 days

3 - Create MY_Session.php in application/libraries/Session directory.

4 - Put below code to it

<?php

defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Session extends CI_Session {

    public function __construct(array $params = array())
    {
        parent::__construct($params);

        // No session time manipulation
        if (!isset($this->_config['sess_extended']))
        {
            return $this;
        }

        if ($this->_config['sess_extended'])
        {
            // Remember for next regenerate execs
            setcookie(
                'remember_me',
                '1',
                (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
                $this->_config['cookie_path'],
                $this->_config['cookie_domain'],
                $this->_config['cookie_secure'],
                TRUE
            );
        }
        else
        {
            // Forget remember me
            setcookie(
                'remember_me',
                NULL,
                -1,
                $this->_config['cookie_path'],
                $this->_config['cookie_domain'],
                $this->_config['cookie_secure'],
                TRUE
            );
        }
    }

    protected function _configure(&$params)
    {
        // Restore standard session time
        if (filter_input(INPUT_POST, 'remember_me') === '0')
        {
            $params['sess_extended'] = false;
            return parent::_configure($params);
        }
        // Extend session time
        elseif (filter_input(INPUT_POST, 'remember_me') === '1' || (isset($_COOKIE['remember_me']) && !empty($_COOKIE['remember_me'])))
        {
            if (!empty(config_item('sess_extended_expiration')))
            {
                $_config[0] = & get_config();
                $_config[0]['sess_expiration'] = config_item('sess_extended_expiration');
                $_config[0]['sess_time_to_update'] = 0;

                $params['sess_extended'] = true;
            }
        }

        return parent::_configure($params);
    }

}

There is no security implications, this is only extended session time.

Also remember server must allow long session time. You can check current timeout by

var_dump(ini_get('session.gc_maxlifetime'));