Re: How to implement a Remember me option at the IDP?


Jason Haar

May 9, 2013, 7:50:46 PM
to simple...@googlegroups.com
On 10/05/13 07:35, Sebastian Cristea wrote:
>
> Does anyone know of a decent (of course, it's possible to go into the
> simplesaml code and implement it) way to implement this / or any
> available plugins?
>

Doesn't "session.duration" work? e.g. just set it to 3600 * 24 * 365 for a
year?



--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

Peter Schober

May 10, 2013, 7:18:53 AM
to simple...@googlegroups.com
* Jason Haar <Jason...@trimble.com> [2013-05-10 01:50]:
> On 10/05/13 07:35, Sebastian Cristea wrote:
> > Does anyone know of a decent (of course, it's possible to go into the
> > simplesaml code and implement it) way to implement this / or any
> > available plugins?
>
> Doesn't "session.duration" work? e.g. just set it to 3600 * 24 * 365 for a
> year?

I think you'd need to change other session.* settings as well.
Also I'd be sceptical whether any of that really does what the OP
wanted -- isn't the session stored in memory by default until it gets
GC'ed from PHP? If that's the case I don't see how that could last a
year with any non-trivial use of the service. (Same for memcache'd
sessions.)
-peter

Sebastian Cristea

May 10, 2013, 8:26:45 AM
to simple...@googlegroups.com
Well, you'd need to use a cookie for this (other than the session one). Plus, even if, say, you could configure PHP to make it work with just the session, you'd still need a way to tell it how long to store it (session or other cookie). We don't want always-on remember me; we just want a checkbox so the user can choose.

John Rodkey

May 10, 2013, 12:01:13 PM
to simple...@googlegroups.com
I have a somewhat related question. I have two sorts of CAS-authenticated web sites: the generic kind, for which a very long CAS session.duration is appropriate, and those that have more sensitive data, such as paycheck advice, for which the web developer wants the session.duration to be much shorter, perhaps 15 minutes.

Is it possible for the web site using CAS to specify the session.duration for their particular site? In particular, I envision the session.duration parameter being the maximum value, but a web site could request a shorter this.session.duration.

John


On Fri, May 10, 2013 at 5:26 AM, Sebastian Cristea <sebastia...@gmail.com> wrote:
> Well, you'd need to use a cookie for this (other than the session one). Plus, even if, say, you could configure PHP to make it work with just the session, you'd still need a way to tell it how long to store it (session or other cookie). We don't want always-on remember me; we just want a checkbox so the user can choose.
