(This answer was a response to the original question)
> How would you do this? Or, how would you create a session with a longer expiration date than the others? All created sessions would use the same $config['sess_expiration'] in the config file (default: 7200 seconds), is there a way to pass a custom value?
Extending the expiration of a session cookie isn't going to work for a "remember me" feature, since the user will lose their session cookie when they close the browser. If CodeIgniter doesn't have a native "remember feature", then you'll need to write something to drop a long-life cookie which contains information which will allow an automatic login when the server sees it again.
There's a good article on Persistent Login Cookie Best Practice, which can be summarized as:
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
- The login cookie contains the user's username and a random number (the "token" from here on) from a suitably large space. The username and token are stored as a pair in a database table.
- When a non-logged-in user visits the site and presents a login cookie, the username and token are looked up in the database.
  1. If the pair is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username, and issued to the user via a new login cookie.
  2. If the pair is not present, the login cookie is ignored.
- Users that are only authenticated via this mechanism are not permitted to access certain protected information or functions such as changing a password, viewing personally identifying information, or spending money. To perform those operations, the user must first successfully submit a normal username/password login form.
- Since this approach allows the user to have multiple remembered logins from different browsers or computers, a mechanism is provided for the user to erase all remembered logins in a single operation.
Another article which builds more security onto those ideas is Improved Persistent Login Cookie Best Practice.
If you follow the practices in those articles, you won't go far wrong!
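The token scheme summarized above, sketched as an added example (not code from the answer, the linked articles, or CodeIgniter). The class `RememberMe`, its method names, the 30-day lifetime, and the in-memory array standing in for the database table are all hypothetical; storing only a SHA-256 hash of the token is a hardening step added here, not part of the summary. Requires PHP 8.

```php
<?php
// Added example. $store is a constructed in-memory stand-in for the
// database table of (username, token) pairs; all names are hypothetical.
final class RememberMe
{
    /** @var array<string, array<string, int>> username => [token hash => expiry] */
    private array $store = [];

    public function __construct(private int $lifetime = 2592000) {} // 30 days (assumed)

    // Called after a successful password login with "Remember Me" checked.
    public function issue(string $username): string
    {
        $token = bin2hex(random_bytes(32)); // CSPRNG, 256-bit token space
        // Hardening beyond the summary: keep only a hash of the token server-side.
        $this->store[$username][hash('sha256', $token)] = time() + $this->lifetime;
        return base64_encode($username) . ':' . $token; // value for the login cookie
    }

    // Called when a non-logged-in visitor presents a login cookie.
    // Returns [username, replacement cookie value], or null to ignore the cookie.
    public function redeem(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2) return null;
        $username = base64_decode($parts[0], true);
        if ($username === false) return null;
        $hash = hash('sha256', $parts[1]);
        $expiry = $this->store[$username][$hash] ?? null;
        if ($expiry === null) return null;       // pair not present
        unset($this->store[$username][$hash]);   // used token is removed
        if ($expiry < time()) return null;       // stale token is not honoured
        return [$username, $this->issue($username)]; // rotate to a new token
    }

    // "Erase all remembered logins" for one user in a single operation.
    public function eraseAll(string $username): void
    {
        unset($this->store[$username]);
    }
}

$rm = new RememberMe();
$cookie = $rm->issue('alice');                  // constructed sample user
[$user, $next] = $rm->redeem($cookie);          // later visit without a session
$session = ['user' => $user, 'password_verified' => false]; // gates sensitive actions
$replayed = $rm->redeem($cookie);               // old token was single-use
$rm->eraseAll('alice');
$afterErase = $rm->redeem($next);               // remembered logins are gone
```

The `password_verified` flag is what the protected operations (password change, personal data, payments) would check before proceeding; the login cookie itself should be sent with the `Secure` and `HttpOnly` attributes.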