There are two parts to the process:

1) Setting the cookie
2) Logging in via the cookie

For a similar feature in my ZF App, I just used the normal php
setcookie() function. My cookie contains the user's username, and a
properly salted hash of the password. To create the hash, I used a
function similar to this:

md5(md5('password'.'secret_salt'))

Your passwords should be stored in the db using the same hash format.

And while not 100% secure, most brute force and rainbow table attacks
can be thwarted because the salt used, which should be a random sequence
of characters that only you and the other developers know, should be
enough to keep unwanted users from cracking the password. Also,
because cookies are hard to spoof, since they can only be read by the
domain that set them, it should be reasonably secure for most
applications (if you are working on a banking app, or something else
that is highly sensitive, then you shouldn't be adding this feature, and
should consider more secure 2-factor authentication schemes or even a
client certificate, etc).

You will then need to modify your login code to support logging in from
the cookie. I use the same function in my User model for both, but have
a parameter that tells the function 'how' it should operate... In other
words, am I getting a password that is hashed or in plain text. It
should also have a feature to set the cookie, if the remember me box was
checked.

You'll still need something that kicks off the auto-login via cookie. I
put mine in the same function that gets called to check if the user
session is valid. Personally I only call this function when a page is
requested that requires a logged in user. If you want the site to
recognize the user right away - regardless of where / when the user
entered the site, you could put it in your init() function or somewhere
else convenient. This part is kind of up to you, as it will shape the
user experience.

Hope this gets you started.


 
--
Eric Marden
Sr. PHP Developer


-----Original Message-----
From: darren [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 01, 2008 11:20 AM
To: [email protected]
Subject: [fw-general] best practice for "Remember Me"

Newbie Alert:

I would like to create a way for users to stay logged in for extended
periods of time (like 2 to 12 weeks) as you might expect with a
"Remember Me" checkbox.  I have a decent amount of experience with PHP,
but not too much either ZF or with sessions and cookies. I thought I
could just use the rememberMe() method with Zend_Session.
But, that seems to only work for smaller time intervals because I can
only effectively set it for a couple of seconds to a few minutes.
Setting it to anything like hours seems to make it default to about 20
minutes or so.  I'm thinking Zend_HTTP_Cookies with Zend_Auth might be
the ticket.

I can read (and have been reading) the documentation on each module.  But, I
don't quite grasp the idea of how they should be glued together to
achieve what I want to do.  And, for the life of me, I can't find an
example anywhere.

So, could someone steer me in the right direction?  Maybe an example or
tutorial somewhere?  Or, if someone could just tell which
classes/modules I should be using, I could probably run with that.

Thanks,
Darren
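
The two steps in Eric's reply above, setting the cookie and logging in from it, worked through as an added example; this is not code from the thread or from Zend Framework. It deliberately departs from the cookie layout he describes: instead of the username and a hash of the password, the cookie carries a random selector and validator (the usual persistent-login token design), the server keeps only a SHA-256 hash of the validator next to the username and an expiry, and a cookie that arrives with a known selector but the wrong validator revokes that token. A stolen cookie or a dumped token table then exposes nothing about the password, every remembered browser can be revoked server-side at logout, and the cookie value is treated as attacker-controlled input (format check, constant-time compare) rather than as something only the site could have produced. The `$tokenStore` array, the cookie name, the four-week lifetime and the timestamp are assumptions for the demo; `random_bytes()` and `hash_equals()` need PHP 7, well after this 2008 thread.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread or from Zend Framework. The token
// store and the cookie value are plain PHP values (assumed stand-ins for a DB
// table and $_COOKIE) so the script runs from the CLI: php remember_me.php

const REMEMBER_COOKIE = 'remember_me';        // assumed cookie name
const REMEMBER_TTL    = 4 * 7 * 24 * 60 * 60;  // assumed lifetime: 4 weeks

// Part 1: setting the cookie. Mints a random selector/validator pair, stores
// the validator only as a hash, and returns the cookie value to hand to
// setcookie(). Nothing derived from the password ever leaves the server.
function issueRememberToken(array &$tokenStore, string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // row lookup key, safe to index on
    $validator = bin2hex(random_bytes(32));  // the secret half; only its hash is stored
    $tokenStore[$selector] = [
        'username' => $username,
        'hash'     => hash('sha256', $validator),
        'expires'  => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Part 2: logging in via the cookie. Returns the username to log in, or null
// if the cookie is missing, malformed, expired, or carries the wrong validator.
function loginFromRememberCookie(array &$tokenStore, ?string $cookie, int $now): ?string
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;                          // malformed: never reached the store
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    if (!isset($tokenStore[$selector])) {
        return null;                          // unknown selector: nothing to compare
    }
    $row = $tokenStore[$selector];
    if ($row['expires'] < $now) {
        unset($tokenStore[$selector]);        // expired: drop it server-side too
        return null;
    }
    // Constant-time compare, so the validator cannot be guessed byte by byte.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($tokenStore[$selector]);        // right selector, wrong secret: assume theft, revoke
        return null;
    }
    return $row['username'];
}

// Logout must revoke the server-side row, not just clear the browser cookie.
function revokeRememberToken(array &$tokenStore, ?string $cookie): void
{
    if ($cookie !== null && substr_count($cookie, ':') === 1) {
        [$selector] = explode(':', $cookie, 2);
        unset($tokenStore[$selector]);
    }
}

// Walk through the cases the login code has to handle.
function demo(): array
{
    $store   = [];
    $now     = 1207063200;                    // constructed timestamp for the demo
    $results = [];

    $cookie = issueRememberToken($store, 'darren', $now);
    // In the controller this would be (HTTPS-only and HttpOnly, so page
    // scripts cannot read it):
    // setcookie(REMEMBER_COOKIE, $cookie, $now + REMEMBER_TTL, '/', '', true, true);
    $results['valid']   = loginFromRememberCookie($store, $cookie, $now);                    // 'darren'
    $results['expired'] = loginFromRememberCookie($store, $cookie, $now + REMEMBER_TTL + 1); // null, row removed

    $cookie = issueRememberToken($store, 'darren', $now);
    $last   = substr($cookie, -1);
    $forged = substr($cookie, 0, -1) . ($last === 'a' ? 'b' : 'a');  // flip one hex digit of the validator
    $results['forged']  = loginFromRememberCookie($store, $forged, $now);  // null
    $results['revoked'] = loginFromRememberCookie($store, $cookie, $now);  // null: the real cookie is now dead too

    $cookie = issueRememberToken($store, 'darren', $now);
    revokeRememberToken($store, $cookie);
    $results['loggedOut'] = loginFromRememberCookie($store, $cookie, $now);        // null
    $results['garbage']   = loginFromRememberCookie($store, 'not:a:token', $now);  // null

    return $results;
}

var_export(demo());
echo "\n";
```

Where to call `loginFromRememberCookie()` is the same choice Eric describes: in the session-validity check, or in `init()` if the user should be recognised on every page. Pass it `$_COOKIE[REMEMBER_COOKIE] ?? null`, and after a successful cookie login call `Zend_Session::regenerateId()` before storing the identity in `Zend_Auth`, so a session id planted in the browser before the login is not promoted to a logged-in session.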
