I am trying to understand how PHP apps check to see if a user is logged in. I am specifically looking at mediawiki's code to try to help me understand, but these cases should be fairly common in all php apps.

From what I gather, the main cases are:

  1. A user just logged in or was created; every time they visit the page, PHP knows it's them by checking data common to the $_SESSION variable and the cookie.

  2. A user had the 'remember me' option checked on the login page a long time ago. They have a cookie on their computer with a tokenID, which is checked against a token on the server to authenticate them. In this case, there is no session variable, because the time between accesses could be weeks.

My question is, what happens when a user is logged in, but the PHP session times out and he wants to access a page? I would have assumed that there is no easy way for the server to know who the person is - and that they would have to be redirected to the login page.

However, mediawiki does just that. I've verified that the session files are deleted after X minutes, but when I hit refresh in mediawiki, it knows which user I am, and the 'token' variable is not included in the cookie.

A: 

Good question. Well, mostly the "remember me" functionality is implemented by using a cookie, storing a "token" that verifies the user.

If this is not done, and no cookies are sent to the server, the only possible way would be that the server is "guessing" that it is you based on a series of parameters. These parameters could include: IP, User-agent string, and so on... This might work in many cases, but it is not considered best practice since it represents a security risk. E.g. many users share a network, proxy servers, etc., and this could in the worst case log a user in to someone else's account.

PHP_Jedi
A: 

The answer is cookies. When sessions expire, the server has no way to identify users other than what is sent by the browser. So what happens is the application uses cookie data to rebuild the session transparently. If the cookie has expired or is deleted, then redirection to the login page is really the only option.

JC
Note also that a cookie may only be held in memory and not saved to disk, so you wouldn't necessarily see the token in a cookie file. In such a case the session could be recreated from the in-memory cookie, but if the browser were closed the cookie data would be lost and the user redirected to the login page.
JC
+2  A: 

If you don't want to redirect to the login page when the session has expired, the cookie that was created when the user logged in (checking the "remember me" thing) must contain enough information to re-create a session.

And re-creating a session means re-logging the user in.

Which means the cookie must contain enough data to identify the user.


Of course, you cannot store the login + password in the cookie, at least not in clear text, as cookies go through the network with each HTTP request; that wouldn't be quite safe.

But you have to find a way to store... enough data; like the login, and possibly some kind of hash that can be used to determine if the user is really who the login in the cookie says.

Here are a couple of questions + answers that might be interesting, about that:

Pascal MARTIN
Just to expand a bit, you could store the hash in the `users` table in the database, as something like `lastLoginHash`, generated from a random number. You'd check the username and this hash from the cookie against the DB when they return. If they match, then log them in; otherwise, redirect them.
Slokun
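The scheme sketched in this answer and in Slokun's comment, as an added example (not MediaWiki's code): the cookie carries the login plus a random token, the database keeps only a hash of that token, and a request that arrives with no PHP session is re-authenticated from the cookie. The `$users` array stands in for the `users` table with constructed sample data; apart from `lastLoginHash`, the column and function names are assumptions.

```php
<?php
// Added example, not MediaWiki's code: a "remember me" token that outlives the PHP session.
// $users stands in for the users table (constructed sample data); lastLoginHash is the column
// Slokun suggests, the other names are assumptions.
$users = ['alice' => ['id' => 1, 'lastLoginHash' => null, 'rememberExpires' => 0]];

// Called once at login when "remember me" is checked. Returns the cookie value to set.
function issueRememberToken(array &$users, string $login, int $ttl = 30 * 86400): string {
    $token = bin2hex(random_bytes(32));                        // 256-bit secret; only the browser keeps it
    $users[$login]['lastLoginHash'] = hash('sha256', $token);  // DB keeps a hash: a leaked row cannot be replayed as a cookie
    $users[$login]['rememberExpires'] = time() + $ttl;
    return $login . ':' . $token;                              // "who" plus "proof"
}

// Called when a request has no $_SESSION user: return the login the cookie proves, or null.
function userFromRememberCookie(array $users, string $cookie): ?string {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$login, $token] = $parts;
    $row = $users[$login] ?? null;
    if ($row === null || $row['lastLoginHash'] === null || $row['rememberExpires'] < time()) {
        return null;                                           // unknown user, no token issued, or expired
    }
    // Constant-time compare so response timing does not leak how many hash bytes matched
    return hash_equals($row['lastLoginHash'], hash('sha256', $token)) ? $login : null;
}

// Request glue: rebuild the session from the cookie and rotate the token, so a copied
// cookie stops working the first time the legitimate browser uses it.
function resumeSession(array &$users): ?string {
    session_start();
    if (isset($_SESSION['user'])) { return $_SESSION['user']; }
    $login = isset($_COOKIE['remember']) ? userFromRememberCookie($users, $_COOKIE['remember']) : null;
    if ($login === null) { return null; }                      // caller redirects to the login page
    session_regenerate_id(true);
    $_SESSION['user'] = $login;
    setcookie('remember', issueRememberToken($users, $login), ['expires' => $users[$login]['rememberExpires'],
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $login;
}

// Stand-alone check (CLI): the issued cookie resolves, a forged token does not.
$cookie = issueRememberToken($users, 'alice');
assert(userFromRememberCookie($users, $cookie) === 'alice');
assert(userFromRememberCookie($users, 'alice:' . str_repeat('0', 64)) === null);
```

Deleting the session file on the server only removes `$_SESSION`; as long as the browser still sends the `remember` cookie, `resumeSession()` rebuilds the session, which is the behaviour the question observed.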