How does remember me differ from session timeout

I have built an app in CakePHP that allows a user to log in and do some stuff; it keeps the user logged in for about 24 hours, I think, by default. And this is handled by a session/cookie, as a cookie also gets created...

1.) So what would a remember me bring to the party? As all that would do is create ANOTHER cookie that sets a timeout and keeps the user logged in... But this functionality exists in every single app by default with the session, right? But I've seen lots of sites doing this and I don't get why, as the session is doing this out of the box :/

2.) Also how come sessions expire even if a user continues to use a website? e.g. if I set it to be 1 minute but refresh every 30 seconds it will still expire... but I kept the site active before it could expire, so how could it still have expired? This is annoying as I have an expiration for an app of 1 hour but even when the client is using the site it expires after 1 hour regardless of activity.

Would be great if someone could answer these 2 questions.

UPDATE: I've created a bounty on this in the hope of getting a CakePHP expert to help fix this problem. The issue is that the sessions expire after the timeout REGARDLESS of user interaction. What I want to do is say I have a session lasting 5 minutes, and the user causes a postback every 30 seconds; then that session will still be around after the 5 minutes. This is not the case at the moment...

// app/Config/core.php (CakePHP 2.x); timeout values are in minutes
Configure::write('Session', array(
    'start' => true,
    'defaults' => 'php',
    'timeout' => 1,          // server-side session lifetime
    'cookieTimeout' => 1,    // lifetime of the session cookie in the browser
    'autoRegenerate' => true
));
Cameron asked Jun 20 '12 20:06


2 Answers

  1. What it would bring is that if the user closes their browser and restarts it, they would still be logged in automatically. This is not the case with a session cookie, since such a cookie is deleted as soon as the browser is closed.

  2. Maybe the page you went to every 30 seconds didn't start the session. In that case, the session mechanism is not used, and the expiration date of the session is not reset to now + 1 minute. Or maybe the refresh only hits the browser cache, and not the server.

JB Nizet answered Oct 21 '22 04:10
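The two points in the answer above, as an added example that is not part of the original post and not CakePHP's own code: a plain-Python model of a server-side session store with a sliding (inactivity) timeout, next to the Set-Cookie headers for a session cookie (no Max-Age, so the browser drops it on close) and a remember-me cookie (persistent). The refresh loop shows why "refreshing every 30 seconds" keeps a 1-minute session alive only when the request actually reaches code that loads the session; a page served from the browser cache never touches it. The cookie name, the timeouts and the two page handlers are assumptions for illustration.

```python
"""Session cookie vs remember-me cookie, and sliding expiration.

Added example, not CakePHP's code: a plain-Python model of a server-side
session store so the behaviour described in the answer can be run offline.
Cookie names, timeouts and the page handlers are assumptions for illustration.
"""
import secrets
from dataclasses import dataclass

SESSION_TIMEOUT = 60                  # seconds of inactivity allowed (assumed)
REMEMBER_ME_MAX_AGE = 30 * 24 * 3600  # 30 days (assumed)


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Server side of the session: the cookie only carries the id."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def start(self, user: str, now: float) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, now + SESSION_TIMEOUT)
        return sid

    def load(self, sid: str, now: float):
        """Look up a session. Only requests that reach this code count as
        activity: a hit slides the expiry forward, an expired id is dropped."""
        sess = self._sessions.get(sid)
        if sess is None:
            return None
        if now >= sess.expires_at:
            del self._sessions[sid]
            return None
        sess.expires_at = now + SESSION_TIMEOUT   # sliding expiration
        return sess


def session_cookie_header(sid: str) -> str:
    """No Max-Age/Expires: the browser discards the cookie when it is closed."""
    return f"Set-Cookie: CAKEPHP={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def remember_me_cookie_header(token: str) -> str:
    """Persistent cookie: survives browser restarts for Max-Age seconds."""
    return (f"Set-Cookie: remember_me={token}; Max-Age={REMEMBER_ME_MAX_AGE}; "
            "Path=/; HttpOnly; Secure; SameSite=Lax")


def dynamic_page(store: SessionStore, sid: str, now: float) -> bool:
    """A controller action that starts (loads) the session on every request."""
    return store.load(sid, now) is not None


def cached_page(store: SessionStore, sid: str, now: float) -> bool:
    """A page served from the browser cache or as a static file: the server
    never runs session code for it, so the expiry is not pushed forward."""
    return True


def refresh_loop(store: SessionStore, sid: str, handler, interval: float,
                 duration: float) -> bool:
    """Hit `handler` every `interval` seconds for `duration` seconds and
    report whether the session is still alive afterwards."""
    t = 0.0
    while t <= duration:
        handler(store, sid, t)
        t += interval
    return store.load(sid, t) is not None


if __name__ == "__main__":
    store = SessionStore()
    sid = store.start("cameron", 0.0)
    print(session_cookie_header(sid))
    print(remember_me_cookie_header("selector:validator"))
    print("dynamic page every 30s, alive after 5 min:",
          refresh_loop(store, sid, dynamic_page, 30, 300))
    sid2 = store.start("cameron", 0.0)
    print("cached page every 30s, alive after 5 min:",
          refresh_loop(store, sid2, cached_page, 30, 300))
```

The first loop keeps a 60-second session alive for five minutes because every refresh reaches `load()`; the second dies after the first minute even though the user is "refreshing", which is the symptom in the question. The same split applies to AJAX polling endpoints that are exempted from the session, and to responses the browser is allowed to cache.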


OK, let's see if I can grab some of that bounty (booty?), while also testing my explanatory skills :)

So let's start with #1.

So what would a remember me bring to the party?

What's important to distinguish here is the difference between a "session cookie" and a "remember me cookie".

Since HTTP is a stateless protocol, a session cookie is used to tie several requests to a single user. Without it, every single request to your webserver is completely unrelated to every other request. Can you imagine writing applications without sessions? Every request is completely empty, no logins, no session variables... every request is an unknown user! This basically means no web applications!

Now, important thing here is to realise that you absolutely don't want your session to last 24 hours! In my book, this is a very big no-no. The shorter your session is, the safer it is (at least theoretically). Why? Because a session can be hijacked! The longer your session is around, the more chance it has of being hijacked.

For example, imagine a banking application. Also, imagine your user is accessing it on a public PC (our user is not the brightest). So he's managing his account or whatever... and his phone rings. Being an idiot, he takes the call and leaves, without logging out. Do you want your session to expire in 5 minutes, 15 minutes, or 24 hours? Don't know about you, but for something as critical as online banking, I want that session gone ASAP.

Moving on to the "remember me" part.

So session cookie "connects" multiple requests in a single session, what does the "remember me" cookie do? In simple terms: it ties multiple sessions to a single user.

You want your site to be easy and pleasant to use, and logging in is almost never pleasant. It's just an annoying thing you have to do every time before doing that thing you really want to do. A remember me cookie removes that annoyance.

You log in once, check the box, and now you're always logged in on that PC. This is why you should never use "remember me" feature while on a shared PC, because the next person will have your identity. Legitimately. This is why remember me cookies are also a security risk, they can be hijacked much like the session cookie.

Finally, there is one crucial difference between a session cookie and a remember me cookie: expiration. Session cookies normally expire when you close your browser (or after a time you've specified explicitly), whereas remember me cookies typically last for much longer.

Also how come sessions expire even if a user continues to use a website?

To make it simple, they don't. You must have changed the way cake (or your application) handles sessions. The answer must be somewhere in your code. The reason why you didn't get a satisfactory answer here is because we can't see your code. You'll just have to debug and track what happens to your cookies. JB Nizet gave you some suggestions.

One thing I know that may cause trouble on some servers is cake's security level. Try lowering it in your /Config/core.php:

Configure::write('Security.level', 'medium'); // or 'low'

If that doesn't help, then the answer is definitely in your code. I hope this answer will push you in the right direction!

dr Hannibal Lecter answered Oct 21 '22 06:10
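The "ties multiple sessions to a single user" and "can be hijacked much like the session cookie" points from the answer above, as an added example that is not part of the original post and not CakePHP's own code. It is a remember-me store written the way that limits the damage of a stolen cookie: the cookie value is `selector:validator`, the server stores only the SHA-256 of the validator (a database leak does not yield usable cookies), a token is single-use and rotated on every redemption, each redemption starts a fresh login session, and presenting the right selector with the wrong validator (the signature of a replayed copy) revokes every token for that user. The cookie format, the 30-day lifetime and the in-memory store are assumptions for illustration.

```python
"""A remember-me token that ties several login sessions to one user.

Added example, not CakePHP's code. Cookie format, lifetime and the
in-memory store are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

REMEMBER_ME_MAX_AGE = 30 * 24 * 3600   # 30 days (assumed)


@dataclass
class RememberRecord:
    user: str
    validator_hash: bytes   # SHA-256 of the secret half of the cookie
    expires_at: float


class RememberMe:
    def __init__(self) -> None:
        self._records: dict[str, RememberRecord] = {}   # selector -> record

    def issue(self, user: str, now: float,
              lifetime: float = REMEMBER_ME_MAX_AGE) -> str:
        """Create a token for `user` and return the cookie value to set."""
        selector = secrets.token_urlsafe(12)    # lookup key, not secret
        validator = secrets.token_urlsafe(32)   # the secret; never stored raw
        self._records[selector] = RememberRecord(
            user, hashlib.sha256(validator.encode()).digest(), now + lifetime)
        return f"{selector}:{validator}"

    def redeem(self, cookie: str, now: float):
        """Exchange a remember-me cookie for (user, new_session_id, new_cookie),
        or None if it is malformed, unknown, expired, already used or forged."""
        selector, sep, validator = cookie.partition(":")
        if not sep:
            return None
        rec = self._records.get(selector)
        if rec is None:
            return None
        if now >= rec.expires_at:
            del self._records[selector]
            return None
        presented = hashlib.sha256(validator.encode()).digest()
        if not hmac.compare_digest(presented, rec.validator_hash):
            # Right selector, wrong secret: someone is replaying a stolen or
            # guessed copy. Log the user out everywhere rather than guess.
            self.revoke_user(rec.user)
            return None
        del self._records[selector]               # single use: rotate on success
        new_session_id = secrets.token_urlsafe(32)  # a brand-new login session
        # Replacement keeps the original absolute expiry so use cannot extend it.
        new_cookie = self.issue(rec.user, now, rec.expires_at - now)
        return rec.user, new_session_id, new_cookie

    def revoke_user(self, user: str) -> None:
        """Drop every token for `user` (password change, 'log out everywhere')."""
        for sel in [s for s, r in self._records.items() if r.user == user]:
            del self._records[sel]

    def active_tokens(self, user: str) -> int:
        return sum(1 for r in self._records.values() if r.user == user)


if __name__ == "__main__":
    rm = RememberMe()
    cookie = rm.issue("cameron", 0.0)
    print("first visit after browser restart:", rm.redeem(cookie, 3600.0))
    print("replaying the already-used cookie:", rm.redeem(cookie, 3700.0))
```

Each successful redemption yields a new session id, which is the "many sessions, one user" relationship; the session itself still gets the short inactivity timeout from the previous answers, and the remember-me cookie only shortens the login step. Keep the cookie `HttpOnly; Secure` and bind it to the account, not to a session id, so that a stolen copy can be invalidated by `revoke_user` without hunting for every session that derived from it.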