Colin Guthrie-6 wrote:
>
> OK, thanks for that.
>
> Here's a follow up question (still related).
>
> Is this the recommended way to implement remembering the
> user for long periods or should an alternative system be implemented
> over the top?
>
> The reason I ask, is that keeping user sessions alive for a long period
> (e.g. weeks/months), doesn't seem like a wise plan to me.
>
> 1. They can take up a lot of disk space (or memory in the case of
> memcache sessions etc.)
> 2. If a user logs in from a separate machine/browser profile and returns
> later on their original machine, their session data could be invalid
> (although a user logging in from two browser profiles simultaneously
> would also suffer from this problem).
>
> This is pointing to not using the rememberMe() system in Zend_Session to
> implement a "remember me" feature in an application, and instead using a
> regular cookie which is detected and subsequently bootstraps a new
> session for that user on first landing.
>
>
> So, if this is a logical argument, what's the point in
> Zend_Session::rememberMe()? Am I just being too paranoid about storing
> too many sessions for too long?
>
> I don't see a reason why this wouldn't be the recommended way of
> remembering users.
Regarding 1: It depends on your application, but I don't see disk usage as a problem, session files are small. And if you are worried about having too many files in one folder, PHP supports creating "leveled directories" for storing session files. You can look it up on php.net (although there are some cons against using this method as stated on their site). Memcache is not a persistent storage and rebooting your server would delete all your session data.

I have implemented a system using the database as the session storage in my application. Storing session data in the database made it possible to implement a system that stores the user ID in a separate column of the session table. This gave me the possibility to delete all session information related to a particular user if needed.

Use case 1: The user had logged in from various computers or browsers and ticked the "Remember me" checkbox. When the user decides to change his password I can delete all the session data for this user (except for the one he is using to change the password). So from all other computers / browsers he will be forced to log in again.

Use case 2: Storing the user's "role" and permissions in the session. When the permissions or the role is changed I can change it across all of his sessions, or just force him to log in again. This way I don't have to hammer the database and check his permissions on every single request he makes and still be sure that I can change his permissions.

I hope that these examples shed some light on things that are bothering you.

Regards,
Goran Juric
http://gogs.info/
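
The per-user session revocation described in the reply above, as an added example that is not part of the original post and is not Zend Framework code. The `sessions` schema, the function names and the in-memory SQLite database are assumptions made for illustration; the sample rows are constructed.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for the application's database (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (
    id       TEXT PRIMARY KEY,   -- session ID carried in the cookie
    user_id  INTEGER,            -- NULL until the visitor logs in
    modified INTEGER NOT NULL,   -- last write, Unix time
    data     TEXT NOT NULL       -- serialized session payload
)');
$db->exec('CREATE INDEX sessions_user ON sessions (user_id)');

/** Use case 1 (password change): drop every session of the user except the current one. */
function revokeOtherSessions(PDO $db, int $userId, string $currentId): int
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE user_id = ? AND id <> ?');
    $stmt->execute([$userId, $currentId]);
    return $stmt->rowCount();
}

/** Use case 2 (role or permission change): force a fresh login on every device. */
function revokeAllSessions(PDO $db, int $userId): int
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    return $stmt->rowCount();
}

// Constructed sample data: user 7 is remembered on three browsers, user 9 on one.
$insert = $db->prepare('INSERT INTO sessions (id, user_id, modified, data) VALUES (?, ?, ?, ?)');
$ids = [];
foreach ([7, 7, 7, 9] as $userId) {
    $ids[] = $id = bin2hex(random_bytes(16));
    $insert->execute([$id, $userId, time(), 'role|s:6:"editor";']);
}

// User 7 changes the password from the browser that holds $ids[0].
printf("revoked %d other session(s)\n", revokeOtherSessions($db, 7, $ids[0]));
// Later the role of user 7 changes; the remaining session is dropped as well.
printf("revoked %d session(s) after role change\n", revokeAllSessions($db, 7));
$left = (int) $db->query('SELECT COUNT(*) FROM sessions')->fetchColumn();
printf("%d session(s) left in the table\n", $left);
```

Because the user ID sits in its own indexed column, both revocations are a single `DELETE` and never have to unserialize the session payload.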
