Hi,

I'm just trying to get my head round the rememberMe() feature in
Zend_Session.

From what I gather it basically allows you to remember a session cookie
identifier past the end of the client application closing, right? OK, I
get that much.... The question is why?

I presume that this is to enable the whole "tick this box to remember
your login on this computer" feature often available on login forms, but
I don't really follow how it's subsequently implemented.

Say I have sessions stored in the good old-fashioned PHP default of in a
file. If the rememberMe() call is made and a user comes back several
days later, the garbage collector on the server will certainly have
been run and the persistent data in the server will have been removed
and thus jumping back in to the same session again later will not be
overly successful!

So am I right in saying that it is expected that the application stores
the session id into long-term storage and associates it with the user who
has logged in? This would then allow an initial landing on the site with
a given session id to be double checked against the list of
user_id-session_id pairs and "authenticate" the user (with a
regeneration of their session id thrown in for added security)?

Is this (in broad picture terms) the correct interpretation of this
feature? (leaving aside security related things such as expiring old
user sessions automatically in your long-term storage (after the same
time scale given to your rememberMe() calls) etc.)

Thanks for any clarifications.

Col
--
Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/
Day Job:
Tribalogic Limited [http://www.tribalogic.net/]
Open Source:
Mandriva Linux Contributor [http://www.mandriva.com/]
PulseAudio Hacker [http://www.pulseaudio.org/]
Trac Hacker [http://trac.edgewall.org/]
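
The scheme the question outlines (an identifier kept in long-term storage against a user, checked on the first request of a later visit, replaced on use, and expired on the rememberMe() timescale), as an added example that is not part of the original post and is not Zend Framework code. The in-memory `$store`, the function names, the 14-day lifetime, and the choice to store a SHA-256 hash of a separate random token rather than the session id itself are assumptions of this sketch.

```php
<?php
// Added illustration, not Zend Framework code. $store stands in for a
// long-term table (token_hash => user_id, expires); all names are hypothetical.

const REMEMBER_SECONDS = 1209600; // assumed 14 days, the period you would also give rememberMe()

/** Issue a persistent token for a user and return the value to place in the cookie. */
function issueToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    // Only a hash is kept server-side, so a leaked table cannot be replayed as cookies.
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + REMEMBER_SECONDS,
    ];
    return $token;
}

/**
 * Check a token presented on the first request of a new visit.
 * Returns [userId, replacementToken] on success, null if unknown or expired.
 * On success the caller starts a fresh session and regenerates its id.
 */
function redeemToken(array &$store, string $presented, int $now): ?array
{
    $key = hash('sha256', $presented);
    if (!isset($store[$key])) {
        return null;
    }
    $row = $store[$key];
    unset($store[$key]);   // single use: the old identifier is removed either way
    if ($row['expires'] < $now) {
        return null;       // expired rows are dropped, not honoured
    }
    return [$row['user_id'], issueToken($store, $row['user_id'], $now)];
}

// Constructed walk-through with a fixed clock.
$store  = [];
$t0     = 1700000000;
$cookie = issueToken($store, 42, $t0);

[$uid, $rotated] = redeemToken($store, $cookie, $t0 + 3 * 86400);
var_dump($uid === 42);                                             // user returns after three days
var_dump(redeemToken($store, $cookie, $t0 + 3 * 86400) === null);  // old value presented again
var_dump(redeemToken($store, $rotated, $t0 + 3 * 86400 + REMEMBER_SECONDS + 1) === null); // past expiry
var_dump(count($store) === 0);                                     // nothing stale left behind
```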