[Solar-talk] Persistent logins Was: Re-introducing Solar_Session with adapter support
Antti Holvikari
anttih at gmail.com
Mon Mar 3 15:26:29 CST 2008
On Mon, Mar 3, 2008 at 2:28 AM, Rodrigo Moraes <rodrigo.moraes at gmail.com> wrote:
> On Sun, Mar 2, 2008 at 6:24 PM, Antti Holvikari wrote:
>
> > 2. Next time a user visits the page and his/her session has
> > expired, the cookie is checked. If the cookie has appropriate info
> > (identifier matches a user, timeout has not been reached and the token
> > matches), the user gets authenticated again automagically. This logic
> > is taken from Shiflett's book "Essential PHP Security".
>
> a little correction for this part: there's no timeout if the user
> marked the "remember me" checkbox when logging in. it is *persistent*,
> right? :)
Yes, there is a timeout. A user *must* use his/her auth cookie within
a specified time-window. It's up to the developer to decide the
timeout.
Also, you can decide if you want users to be remembered only once.
Like a one-time authentication cookie. If you want users to be always
remembered, then the cookie will be renewed after a successful
cookie-authentication.
--
Antti Holvikari <http://anttih.com>
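The check described in the thread (identifier must match a stored record, the time window must not have passed, the token must match, then either renew the cookie or treat it as one-time), as an added illustration in Python; this is not Solar's code, and the in-memory store, the `PersistentLogin` class and the sha256-hashed token column are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory store: identifier -> (sha256(token), expires_at, user_id).
# A real deployment would keep these records in a database table.
class PersistentLogin:
    def __init__(self, ttl_seconds):
        self.ttl = ttl_seconds
        self.records = {}

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, so a leaked table is not a set of valid cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        """Create a fresh identifier/token pair and return the cookie value."""
        identifier = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.records[identifier] = (self._digest(token), now + self.ttl, user_id)
        return f"{identifier}:{token}"

    def authenticate(self, cookie, now, renew=True):
        """Return (user_id, new_cookie) when the cookie is valid, else None.

        Checks, in order: the identifier maps to a record, the time window
        has not passed, and the token matches (constant-time comparison).
        renew=True rotates the token ("always remembered"); renew=False
        consumes the record (one-time authentication cookie).
        """
        if cookie is None or ":" not in cookie:
            return None
        identifier, token = cookie.split(":", 1)
        record = self.records.get(identifier)
        if record is None:
            return None
        token_hash, expires_at, user_id = record
        if now > expires_at:
            del self.records[identifier]      # timeout reached: record is useless
            return None
        if not hmac.compare_digest(token_hash, self._digest(token)):
            # Known identifier but wrong token: drop the record so that
            # neither this cookie nor the genuine one can be used again.
            del self.records[identifier]
            return None
        del self.records[identifier]          # the presented cookie is spent
        new_cookie = self.issue(user_id, now) if renew else None
        return user_id, new_cookie
```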