In one of my apps I stored the user's username and password (using 2-way encryption) in their cookie, and only validated it when Zend_Auth reported there was no identity (because the session expired, or the browser was closed and re-opened). You can add more security by also storing a one-time use token that must match in the database. The code to handle this was placed in an early-running front controller plugin.
The nice thing about this is you can make the cookie last for 6 months or longer, and it will still work.

-- Hector

On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић <[email protected]> wrote:
> @Jurian Nice idea, but since Zend_Auth stores only identity, I don't think
> that information is enough to reauthenticate from cookie.
>
> @Dmitry Yes, but Zend_Session::rememberMe() sets session expiration time,
> and session expiration is not per user setting, but per server setting.
>
> Regards,
> Saša Stamenković
>
> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <[email protected]> wrote:
>
>> You could write a Zend_Auth_Storage_Cookie which enables you to place the
>> authentication in a cookie. Be careful to look at the possible exploits. Just
>> a plain cookie without server-side validation is not safe. Still, the storage
>> adapter for auth is the most simple one.
>> --
>> Jurian Sluiman
>> CTO Soflomo V.O.F.
>> http://soflomo.com
>>
>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>> > I'm thinking, how to implement remember me in cookie zend style. I'm using
>> > Zend_Auth with Db_Table adapter.
>> >
>> > Maybe we can contribute some component for this. I heard that Cake PHP
>> > already has one.
>> >
>> > Regards,
>> > Saša Stamenković.
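
The one-time-use token with server-side validation mentioned in this thread, as an added example in plain PHP (not code from any poster or from Zend Framework). The class RememberMeTokens, its methods, and the in-memory array standing in for the database table are hypothetical; it assumes PHP 7.1 or later, and redeem() would be called at the point where Zend_Auth reports no identity.

```php
<?php
// Added example: one-time-use "remember me" token checked server-side.
// RememberMeTokens and the in-memory $rows array are hypothetical; in a real
// app $rows is a database table and the returned string is sent as a cookie.
final class RememberMeTokens
{
    /** @var array selector => [userId, sha256(validator), expiry timestamp] */
    private $rows = [];

    /** Issue a token for $userId; the return value is the cookie value. */
    public function issue(int $userId, int $ttl = 15552000): string // about 6 months
    {
        $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
        $validator = bin2hex(random_bytes(32));  // secret half, never stored as-is
        // Only a hash of the validator is kept, so a leaked table cannot be
        // replayed as cookies.
        $this->rows[$selector] = [$userId, hash('sha256', $validator), time() + $ttl];
        return $selector . ':' . $validator;
    }

    /**
     * Validate a cookie value. The stored token is consumed on every attempt;
     * on success a fresh one is issued. Returns [userId, newCookieValue] or null.
     */
    public function redeem(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;
        }
        list($userId, $hash, $expires) = $this->rows[$parts[0]];
        unset($this->rows[$parts[0]]); // one-time use: removed even on mismatch
        if ($expires < time() || !hash_equals($hash, hash('sha256', $parts[1]))) {
            return null;
        }
        return [$userId, $this->issue($userId)];
    }
}

// Constructed demo: user 42 logs in with "remember me" ticked.
$tokens = new RememberMeTokens();
$cookie = $tokens->issue(42);
list($userId, $next) = $tokens->redeem($cookie); // session expired, cookie presented
var_dump($userId === 42);                        // identity recovered from the token
var_dump($tokens->redeem($cookie) === null);     // the old value is presented again
var_dump($tokens->redeem($next) !== null);       // the rotated value is presented
```

With this scheme the cookie carries no credentials, and a copied cookie value stops working as soon as the legitimate browser (or the copy) redeems it.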
