'Remember Me' Login in CodeIgniter

Question

How do you implement this in CodeIgniter?

Solution

(This answer was a response to the original question)

How would you do this? Or, how would you create a session with a longer expiration date than the others?

All created sessions would use the same $config['sess_expiration'] in the config file (default: 7200 seconds), is there a way to pass a custom value?

Extending the expiration of a session cookie isn't going to work for a "remember me" feature, since the user will lose their session cookie when they close the browser. If Code Igniter doesn't have a native "remember feature", then you'll need to write something to drop a long-life cookie which contains information which will allow an automatic login when the server sees it again.

There's a good article on Persistent Login Cookie Best Practice, which can be summarized as:

  1. When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.
  2. The login cookie contains the user's username and a random number (the "token" from here on) from a suitably large space. The username and token are stored as a pair in a database table.
  3. When a non-logged-in user visits the site and presents a login cookie, the username and token are looked up in the database.
     1. If the pair is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username, and issued to the user via a new login cookie.
     2. If the pair is not present, the login cookie is ignored.
  4. Users that are only authenticated via this mechanism are not permitted to access certain protected information or functions such as changing a password, viewing personally identifying information, or spending money. To perform those operations, the user must first successfully submit a normal username/password login form.
  5. Since this approach allows the user to have multiple remembered logins from different browsers or computers, a mechanism is provided for the user to erase all remembered logins in a single operation.

Another article builds more security onto those ideas: Improved Persistent Login Cookie Best Practice.

If you follow the practices in those articles, you won't go far wrong!
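The five steps in the answer above, worked through as an added example that is not part of the answer and is not CodeIgniter code: a framework-independent Python model of the persistent-login table, using an in-memory SQLite database where a CodeIgniter application would use its own database class. The table schema, the `<username>:<token>` cookie layout and the `auth` field on the session dictionary are assumptions made for this illustration. The model also goes one step beyond the answer by storing only a SHA-256 hash of each token, so a copy of the table cannot be turned into working cookies.

```python
import hashlib
import secrets
import sqlite3
from typing import Optional

# Cookie layout assumed for this example: "<username>:<token>".
COOKIE_SEP = ":"


class RememberMeStore:
    """The (username, token) table from step 2, modelled on an in-memory
    SQLite database constructed for this example."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        # Only a hash of the token is stored (an addition to the answer's
        # scheme); the schema itself is an assumption for this example.
        self.db.execute(
            "CREATE TABLE remember_me ("
            " username TEXT NOT NULL,"
            " token_hash TEXT NOT NULL UNIQUE)"
        )

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, username: str) -> str:
        """Steps 1-2: draw a token from a large space, store the
        (username, hash) pair and return the login cookie value."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.db.execute(
            "INSERT INTO remember_me (username, token_hash) VALUES (?, ?)",
            (username, self._hash(token)),
        )
        self.db.commit()
        return f"{username}{COOKIE_SEP}{token}"

    def authenticate(self, cookie: str) -> Optional[dict]:
        """Step 3: look the pair up. On a hit the used token is removed and a
        fresh one issued (3.1); on a miss the cookie is ignored (3.2)."""
        username, sep, token = cookie.rpartition(COOKIE_SEP)
        if not sep or not username or not token:
            return None
        # Deleting the pair and checking the row count does lookup and
        # removal in one statement, so a replayed cookie cannot match twice.
        cur = self.db.execute(
            "DELETE FROM remember_me WHERE username = ? AND token_hash = ?",
            (username, self._hash(token)),
        )
        self.db.commit()
        if cur.rowcount != 1:
            return None  # unknown or already-used pair: not logged in
        # The session records that it came from the cookie, not the form.
        return {"username": username, "auth": "cookie",
                "cookie": self.issue(username)}

    def forget_all(self, username: str) -> int:
        """Step 5: erase every remembered login for the user in one operation."""
        cur = self.db.execute(
            "DELETE FROM remember_me WHERE username = ?", (username,))
        self.db.commit()
        return cur.rowcount

    def count(self, username: str) -> int:
        """Number of remembered logins (browsers/computers) for a user."""
        row = self.db.execute(
            "SELECT COUNT(*) FROM remember_me WHERE username = ?", (username,)
        ).fetchone()
        return row[0]


def password_login(store: RememberMeStore, username: str, remember: bool) -> dict:
    """Normal username/password login; the caller is assumed to have already
    verified the password. Step 1: the login cookie is issued only when
    Remember Me was ticked."""
    session = {"username": username, "auth": "password", "cookie": None}
    if remember:
        session["cookie"] = store.issue(username)
    return session


def sensitive_allowed(session: dict) -> bool:
    """Step 4: changing a password, viewing personal data or spending money
    requires a session that came from the login form, not from the cookie."""
    return session.get("auth") == "password"


if __name__ == "__main__":
    store = RememberMeStore()
    first = password_login(store, "alice", remember=True)
    print("cookie issued at login:", first["cookie"])
    renewed = store.authenticate(first["cookie"])
    print("cookie rotated on return:", renewed["cookie"])
    print("replaying the old cookie:", store.authenticate(first["cookie"]))
    print("sensitive action allowed:", sensitive_allowed(renewed))
    print("remembered logins erased:", store.forget_all("alice"))
```

In a CodeIgniter controller the `authenticate` call belongs at the point where a request arrives with no active session but with the long-life cookie present; the cookie itself should be sent with a far-future expiry and the HttpOnly flag, and the value it carries must be replaced with the rotated one on every successful automatic login.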
