tags:

views:

475

answers:

3
Q: 

Implementation of "remember me" in code igniter

How do i remember sessions, even after browser is closed.

is there any alternative than extending expire time of cookies.

i am using code igniter

A: 

The cookies is that only solution i suspect. As you said, you need to extend the time. However if you wanted to use PHP sessions instead, you to make sessions life longer using php.ini file but i don't think using sessions for this purpose will be a good idea because data of sessions is stored on server rather than individual user.

Thanks

Sarfraz  2009-12-11 07:06:31
ok.. but can there be anything apart from cookies?
Masade  2009-12-11 17:32:18
other thing can be database or even text files. it just matters how you are going to keep track of the users.
Sarfraz  2009-12-12 05:35:35
No, you will always need cookies for a persistent session. How else can you match a client with session variables on the server?
Ferdy  2010-02-11 15:08:10
A: 

I implement my version based on this article. The article explain a concept, security, and how to implement persistent login cookie.

The summary of what I done is:

  1. Create a table to hold persistent cookie series and token (series is needed to detect if the cookies got stolen).
  2. I write the model to create required cookies (separated from normal CI session).
  3. The model also do database read/write of the used persistent cookies.
  4. I integrate this model to existing user model that handle normal authentication.
  5. When user go to page that need relaxed authentication, without normal CI session, but have persistent cookie session in his browser, my code will recognize it since the same series and token also stored in the database. The user will got a normal CI session, but with a flag that this session is generated from persistent cookies, not from login form.
  6. When the user go to 'sensitive' page that demand a CI session without persistent flag, then user will be logged of, and sent to login form (if you use yahoo mail, then it similar with that). This usually the page where user can do add/edit/delete, and see sensitive information.

I hope this help.

Donny Kurnia  2010-01-13 10:22:20
A: 

Donny, would you mind sharing your code?

Paul Bombo  2010-01-27 09:45:56

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security