Codeigniter session cookies and remember me option
Hi, I'm coding an auth login function, and I need to add the typical remember-me checkbox so the session does not expire.
What is the best practice for doing that?
I thought about adding a cookie and storing the user id inside it; then, when the user first browses the site, check for that cookie, and if it exists, grab the user id from the cookie and create the session. Is this the right way to do it? What about security?
Here's how I would do it:
Create a column called "remember_code", and generate a random hash when they tick "remember me".
Set a cookie with both the remember_code and the user's identity (login username or email).
When they try to log back in, check both the remember_code from the database and the username/email, and if they are correct, log them in automatically.
This practice is generally safe, but to double-check, you can verify the IP or User Agent to make sure it is the right user.
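The scheme in this answer as an added, self-contained PHP example (not the answerer's code, and not CodeIgniter-specific; needs PHP 7.3+ for the setcookie options array). One deliberate change from the answer: the database row stores only a SHA-256 hash of the remember_code, and the code is rotated on every use. The $users array and the 30-day lifetime are constructed stand-ins for the users table and the site's policy.

```php
<?php
// Added example: remember-me token flow in plain PHP. The users table keeps a
// hash of the code, never the code itself, so a leaked table yields no cookies.
// $users stands in for the users table (constructed sample data).
$users = [
    'alice@example.com' => ['id' => 42, 'remember_hash' => null, 'remember_expires' => 0],
];
const REMEMBER_LIFETIME = 30 * 24 * 3600; // 30 days (assumed policy)

// On login with the box ticked: mint a random code, store its hash and expiry
// on the user row, and hand the raw code to the browser in the cookie.
function issue_remember_cookie(array &$users, string $email): string
{
    $code = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $users[$email]['remember_hash']    = hash('sha256', $code);
    $users[$email]['remember_expires'] = time() + REMEMBER_LIFETIME;
    $value = $email . ':' . $code;
    // HttpOnly/Secure/SameSite keep the raw code out of scripts and off HTTP.
    setcookie('remember_me', $value, [
        'expires' => time() + REMEMBER_LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $value;
}

// On a request with no session: return the user id to log in, or null.
function user_id_from_remember_cookie(array &$users, ?string $cookie): ?int
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;                              // malformed cookie
    }
    [$email, $code] = explode(':', $cookie, 2);
    $row = $users[$email] ?? null;
    if ($row === null || $row['remember_hash'] === null
        || $row['remember_expires'] <= time()) {
        return null;                              // unknown user, no code, or expired
    }
    // Constant-time comparison of the hashes: no timing leak on the stored value.
    if (!hash_equals($row['remember_hash'], hash('sha256', $code))) {
        return null;
    }
    // Rotate on use: each code grants exactly one automatic login, so a copied
    // cookie stops working as soon as the legitimate browser has used it.
    issue_remember_cookie($users, $email);
    return $row['id'];
}

// Usage: issue a cookie at login, then redeem it on a later session-less request.
$cookie = issue_remember_cookie($users, 'alice@example.com');
var_dump(user_id_from_remember_cookie($users, $cookie));
```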
I implemented a somewhat different solution on CodeIgniter 3.
I treat the remember-me option as merely extending the session time, i.e. the standard session time is 2 hours, the extended one is 7 days.
To do that:
1 - Add a remember-me checkbox and a hidden field to the form
echo form_hidden('remember_me', '0');
echo form_checkbox('remember_me', '1');
2 - Add the following to the configuration (config.php)
$config['sess_expiration'] = 7200; // standard time, 2 hrs (2 * 3600 seconds)
$config['sess_extended_expiration'] = 604800; // extended time, 7 days
3 - Create MY_Session.php in the application/libraries/Session directory.
4 - Put the code below in it
<?php
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Session extends CI_Session {

    public function __construct(array $params = array())
    {
        // Parent calls _configure($params) and stores the result in $this->_config
        parent::__construct($params);

        // No session time manipulation requested for this request
        if (!isset($this->_config['sess_extended']))
        {
            return;
        }

        if ($this->_config['sess_extended'])
        {
            // Remember the choice for subsequent requests / session regenerations
            setcookie(
                'remember_me',
                '1',
                (empty($this->_config['cookie_lifetime']) ? 0 : time() + $this->_config['cookie_lifetime']),
                $this->_config['cookie_path'],
                $this->_config['cookie_domain'],
                $this->_config['cookie_secure'],
                TRUE // HttpOnly
            );
        }
        else
        {
            // Forget remember me: expire the cookie in the past
            setcookie(
                'remember_me',
                '',
                -1,
                $this->_config['cookie_path'],
                $this->_config['cookie_domain'],
                $this->_config['cookie_secure'],
                TRUE // HttpOnly
            );
        }
    }

    protected function _configure(&$params)
    {
        // Checkbox submitted unticked: restore the standard session time
        if (filter_input(INPUT_POST, 'remember_me') === '0')
        {
            $params['sess_extended'] = false;
            return parent::_configure($params);
        }
        // Checkbox ticked now, or remembered from an earlier request: extend session time
        elseif (filter_input(INPUT_POST, 'remember_me') === '1' || !empty($_COOKIE['remember_me']))
        {
            if (!empty(config_item('sess_extended_expiration')))
            {
                // get_config() returns the shared config array by reference, so this
                // changes the value config_item('sess_expiration') hands to the parent
                $_config[0] = & get_config();
                $_config[0]['sess_expiration'] = config_item('sess_extended_expiration');
                $_config[0]['sess_time_to_update'] = 0;
                $params['sess_extended'] = true;
            }
        }
        return parent::_configure($params);
    }
}
There are no security implications; this only extends the session time.
Also remember that the server must allow a long session time. You can check the current timeout with
var_dump(ini_get('session.gc_maxlifetime'));