[Solar-talk] Persistent logins Was: Re-introducing Solar_Session with adapter support
Rodrigo Moraes
rodrigo.moraes at gmail.com
Sun Mar 2 18:28:50 CST 2008
On Sun, Mar 2, 2008 at 6:24 PM, Antti Holvikari wrote:
> 2. Next time a user visits the page and his/her session has been
> expired, the cookie is checked. If the cookie has appropriate info
> (identifier matches a user, timeout has not been reached and the token
> matches), the user gets authenticated again automagically. This logic
> is taken from Shiflett's book "Essential PHP Security".
a little correction for this part: there's no timeout if the user
marked the "remember me" checkbox when logging in. it is *persistent*,
right? :) so basically the "timeout" config is the life time of the
token. when it expires, the adapter will create a new one, save it to
the database and set a new cookie, so a user can stay authenticated
really forever. a week is ok for this update I would say, but security
maniacs may prefer to set a smaller period. anyway, for a pretty
secure setup it would require sporadic database updates.
-- rodrigo
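The flow discussed in the thread (identifier plus token in the cookie, token compared against the database, and the token rotated rather than the login timing out once the "timeout" lifetime passes), as an added PHP example that is not Solar's own adapter code. It assumes a one-week lifetime as suggested above, simulates the database with an array, and stores only a hash of the token (an assumption, not something the thread specifies).

```php
<?php
// Added example, not Solar's code. "Remember me" tokens with a lifetime
// ("timeout") after which the token is rotated; the login itself never expires.
final class PersistentLogin
{
    private array $db = [];   // simulated table: user_id => [token_hash, issued]

    public function __construct(private int $timeout = 7 * 86400) {} // one week

    // User ticked "remember me": create a token, store its hash, return cookie values.
    public function issue(int $userId, int $now): array
    {
        $token = bin2hex(random_bytes(32));
        $this->db[$userId] = ['token_hash' => hash('sha256', $token), 'issued' => $now];
        return ['id' => $userId, 'token' => $token];
    }

    // Session has expired: check the cookie. Returns the cookie to keep using
    // (a fresh one if the token reached its lifetime), or null if it is invalid.
    public function authenticate(array $cookie, int $now): ?array
    {
        $userId = (int) ($cookie['id'] ?? 0);
        $token  = (string) ($cookie['token'] ?? '');
        if ($token === '' || !isset($this->db[$userId])) {
            return null;                               // identifier matches no user
        }
        $row = $this->db[$userId];
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            return null;                               // token mismatch: not authenticated
        }
        if ($now - $row['issued'] >= $this->timeout) {
            return $this->issue($userId, $now);        // lifetime reached: rotate + new cookie
        }
        return $cookie;                                // still valid, cookie unchanged
    }
}

// Walk-through with a simulated clock (constructed values).
$login  = new PersistentLogin();
$start  = 1000000;
$cookie = $login->issue(42, $start);
$day1   = $login->authenticate($cookie, $start + 86400);
$day8   = $login->authenticate($cookie, $start + 8 * 86400);
echo 'day 1, same cookie accepted: ', var_export($day1 === $cookie, true), PHP_EOL;
echo 'day 8, token rotated:        ', var_export($day8 !== null && $day8['token'] !== $cookie['token'], true), PHP_EOL;
echo 'day 8, old token rejected:   ', var_export($login->authenticate($cookie, $start + 8 * 86400) === null, true), PHP_EOL;
echo 'forged token rejected:       ', var_export($login->authenticate(['id' => 42, 'token' => 'bogus'], $start) === null, true), PHP_EOL;
```

Rotation only happens on a successful check, which is the "sporadic database update" the thread refers to; a shorter timeout simply makes those updates more frequent.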