Goran Juric wrote:

Colin Guthrie-6 wrote:
So am I right in saying that it is expected that the application stores the session id into long term storage and associate it with the user who has logged in? This would then allow an initial landing on the site with a given session id to be double checked against the list of user_id-session_id pairs and "authenticate" the user (with a regeneration of their session id thrown in for added security)?


With rememberMe() you are setting session lifetime. Garbage collector
doesn't remove session files that are still valid.

OK, thanks for that.

Here's a follow up question (still related).

Is this the recommended way to implement remembering the user for long periods, or should an alternative system be implemented over the top?

The reason I ask, is that keeping user sessions alive for a long period (e.g. weeks/months), doesn't seem like a wise plan to me.

1. They can take up a lot of disk space (or memory in the case of memcache sessions etc.)
2. If a user logs in from a separate machine/browser profile and returns later on their original machine, their session data could be invalid (although a user logging in from two browser profiles simultaneously would also suffer from this problem).

This is pointing to not using the rememberMe() system in Zend_Session to implement a "remember me" feature in an application, and instead using a regular cookie which is detected and subsequently bootstraps a new session for that user on first landing.


So, if this is a logical argument, what's the point in Zend_Session::rememberMe()? Am I just being too paranoid about storing too many sessions for too long?

Cheers for any insights.

Col

--

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
  Mandriva Linux Contributor [http://www.mandriva.com/]
  PulseAudio Hacker [http://www.pulseaudio.org/]
  Trac Hacker [http://trac.edgewall.org/]
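The alternative Colin describes (a separate long-lived cookie that is checked on first landing and then bootstraps a fresh session) sketched in plain PHP as an added example; this is not code from the thread or from Zend Framework. It assumes a random selector:validator token instead of reusing the session id, an in-memory array standing in for the persistent user_id/token table, and the hypothetical cookie name `remember_me`; the `session_*` calls correspond to Zend_Session::start() and Zend_Session::regenerateId() in ZF1.

```php
<?php
// Added example: "remember me" cookie kept apart from the short-lived session.
// $store is a constructed stand-in for a DB table:
//   selector => ['user_id' => int, 'hash' => sha256(validator), 'expires' => ts]
const REMEMBER_COOKIE = 'remember_me';      // hypothetical cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;  // 30 days, the "long period" in question

// Issue a token after a successful login. Only a hash of the validator is
// stored, so a copied table cannot be turned back into valid cookies.
function issueRememberToken(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret, only ever in the cookie
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// On first landing with no live session: check the cookie against the table,
// then start a brand-new session for the user and rotate the token (single use).
function bootstrapFromRememberCookie(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                          // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                 // consumed whether it verifies or not
    if ($row['expires'] < time()
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                          // expired, or validator does not match
    }
    session_start();                          // Zend_Session::start() equivalent
    session_regenerate_id(true);              // Zend_Session::regenerateId() equivalent
    $_SESSION['user_id'] = $row['user_id'];
    $fresh = issueRememberToken($store, $row['user_id']);
    setcookie(REMEMBER_COOKIE, $fresh, time() + REMEMBER_TTL, '/', '', true, true);
    return $row['user_id'];
}
```

Only the small token table persists for weeks; the session itself is created on demand and can keep its normal short lifetime, which addresses both the disk-space and the stale-session-data concerns above.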
