On Nov 13, 2005, at 9:46 PM, John K. wrote:
> The problem with both options is that you are making it an application
> thing rather than a on login the person can specify to keep me logged
> on or not. Does anyone know how to do that?

Setting session properties at the application level was just an example. The documentation will show you that you can set them at a finer grain.

At any rate, I have been using a solution that I wrote before setting session props was easy, and I’ll describe that for

For this I use a separate cookie from the session cookie, and leave the session cookie alone. I don’t keep any long term state in the session so I don’t care if it goes away when the browser exits. If you do keep long term state in the session, you’ll have to modify this solution to set the expiry on the session cookie appropriately, or take other measures.

When a user logs in and checks the ‘remember me box’, you generate a hash (which should be unique and unguessable just like the normal session id) and stick this in a cookie and somewhere you can get to it later (I just stick it in the user’s entry in the users table in the database).

Now, when you do your normal auth check filter, if the normal login check fails you can check for this extra cookie. If it’s there and its hash is found in the database, you’ve got your user and you can log them in.

That’s the bird’s eye view, anyway. Implementation and security are left as an exercise to the reader.
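
The scheme described in the message above, as an added example that is not part of the original message or of any framework's API. The Python/sqlite setting, all function and column names, the 30-day lifetime, storing only a SHA-256 digest of the token, and rotating the token on each use are assumptions made here for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

REMEMBER_TTL = 30 * 24 * 3600  # assumed lifetime of the extra cookie: 30 days

def make_db():
    """In-memory users table with one constructed sample user."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,"
               " remember_digest TEXT, remember_expires REAL)")
    db.execute("INSERT INTO users (id, name) VALUES (1, 'alice')")
    return db

def token_digest(token):
    # Only this digest is stored, so a leaked users table does not
    # hand out values that can be replayed as cookies.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_remember_token(db, user_id, now=None):
    """Call at login when 'remember me' is checked; returns the cookie value."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, like a session id
    db.execute("UPDATE users SET remember_digest=?, remember_expires=? WHERE id=?",
               (token_digest(token), now + REMEMBER_TTL, user_id))
    return token

def login_from_cookie(db, cookie_value, now=None):
    """Fallback for the auth filter when the normal login check fails.
    Returns (user_id, replacement_cookie), or (None, None) if not accepted."""
    now = time.time() if now is None else now
    if not cookie_value:
        return None, None
    row = db.execute("SELECT id, remember_expires FROM users WHERE remember_digest=?",
                     (token_digest(cookie_value),)).fetchone()
    if row is None or row[1] < now:
        return None, None
    # Rotate: the presented token is replaced, so it works only once.
    return row[0], issue_remember_token(db, row[0], now)

def forget(db, user_id):
    """Call at logout so the stored cookie stops working server-side."""
    db.execute("UPDATE users SET remember_digest=NULL, remember_expires=NULL"
               " WHERE id=?", (user_id,))
```

The cookie carrying the token should be set with the `Secure` and `HttpOnly` attributes and an expiry matching the stored one.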