Login with "session cookie" (until browser closes)


Petit Jean

Nov 16, 2011, 6:04:45 PM
to Simple PHP Framework
Hi,

Many thanks for sharing this PHP framework.
Exactly what I was looking for and what I like working with.


This comment/question is about session cookies. Definition:
A session cookie only lasts for the duration of users using the
website. A web browser normally deletes session cookies when it quits.
A session cookie is created when no Expires directive is provided (or
set to zero) when the cookie is created.

I wanted the user to have an optional "remember me" checkbox at
login.php, that sets the cookie to last longer (later expire date).
Without the checkbox (default), the cookie would expire when the
browser quits. (more comments on this at the end of this message)

<?PHP
if(!empty($_POST['username']))
{
    if(isset($_POST['rememberme']))
        $Auth->expiryDate = time()+60*60*24*14; // 2 weeks
    else
        $Auth->expiryDate = 0; // session cookie

    if($Auth->login($_POST['username'], $_POST['password']))
    {
        // Redirect stuff ...
    }
}


At first, it didn't work when the checkbox wasn't checked and
expiryDate was set to 0.
So I looked for the "problem" in your framework in class.auth.php:

<?PHP
class Auth
{
    ...

    private function attemptCookieLogin()
    {
        ...

        if($b['x'] < time())
            return false;


The expire date variable is encoded in $b['x'] and can't be less than
the current date.
I fixed this in the following way:

if($b['x'] < time() && $b['x'] !== '0')
return false;


This will allow "session cookies".

Is this something you would like to incorporate in your framework
code?
Do you foresee any security issues?

Indeed, the session cookie will only expire when the browser quits.
Closing the Tab or Window is not enough.
So, if someone leaves his/her computer on for a month and never closes
the browser, the cookie still wouldn't expire.
That's not really what I wanted to accomplish and is probably an
unwanted side effect.

Thanks in advance for your response!

Tyler Hall

Nov 17, 2011, 4:32:24 PM
to simple-php...@googlegroups.com
Hi.

I don't see any reason why that would be a security issue. Granted, I haven't given it a ton of thought just yet, but it should be ok.

As for integrating it with the Framework, if other people find it useful I'm fine with it. If you'd like to send me a pull request via GitHub I'll do some more testing and merge it in.

Cheers.
Tyler
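
Added example, not part of the thread or the framework's code: one way to handle the side effect raised in the first post (a session cookie that stays valid for as long as the browser stays open) is to enforce a maximum age on the server. The cookie layout, the `i` issued-at field, the HMAC signing, `SESSION_MAX_AGE` and the function names are assumptions; only the `x` expiry field comes from the thread.

```php
<?php
// Added example: hypothetical cookie format, not the framework's own.
// Payload fields: u = username, x = expiry (0 = session cookie), i = issued-at.
const SESSION_MAX_AGE = 43200; // assumed server-side cap for session cookies: 12 hours

function issueCookie(string $user, bool $remember, string $key, int $now): string
{
    $payload = json_encode([
        'u' => $user,
        'x' => $remember ? $now + 60 * 60 * 24 * 14 : 0, // 2 weeks, or session
        'i' => $now,
    ]);
    $body = base64_encode($payload);
    // The MAC stops a client from editing x or i to extend its own login.
    return $body . '.' . hash_hmac('sha256', $body, $key);
}

function validateCookie(string $cookie, string $key, int $now): ?string
{
    $parts = explode('.', $cookie);
    if (count($parts) !== 2) {
        return null;
    }
    [$body, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $body, $key), $mac)) {
        return null; // tampered or signed with another key
    }
    $b = json_decode((string) base64_decode($body, true), true);
    if (!is_array($b) || !isset($b['u'], $b['x'], $b['i']) || !is_string($b['u']) || !is_int($b['x']) || !is_int($b['i'])) {
        return null;
    }
    if ($b['x'] === 0) {
        // Session cookie: the browser never reports an expiry, so age is checked here.
        return ($now - $b['i'] <= SESSION_MAX_AGE) ? $b['u'] : null;
    }
    return ($b['x'] >= $now) ? $b['u'] : null;
}

// Constructed sample run.
$key = random_bytes(32);
$t0 = 1321466685; // constructed timestamp
$session = issueCookie('alice', false, $key, $t0);
$remember = issueCookie('alice', true, $key, $t0);
var_dump(validateCookie($session, $key, $t0 + 3600));        // session cookie within the cap
var_dump(validateCookie($session, $key, $t0 + 30 * 86400));  // browser left open for a month
var_dump(validateCookie($remember, $key, $t0 + 7 * 86400));  // "remember me" inside the 2 weeks
var_dump(validateCookie($remember . 'x', $key, $t0 + 3600)); // altered MAC
```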
