
Add "remember me" functionality #4

Open
pmjones opened this issue Jun 14, 2014 · 12 comments

Comments

@pmjones
Member

pmjones commented Jun 14, 2014

Probably via a RememberInterface injected into Auth, or perhaps by moving the "resume" functionality into an extensible ResumeInterface.

Will also need a new status to indicate the user is "remembered" and did not pass credentials, along with related methods.

@harikt
Member

harikt commented Jun 14, 2014

Yes, this is really interesting functionality. It also deals with security.

@pmjones
Member Author

pmjones commented Jun 14, 2014

Yeah, and thinking about it makes me re-think some of this very early work (only a few days old!).

@enygma
Contributor

enygma commented Jun 14, 2014

Isn't "remember me" just basically an extension of the length of the session? Shouldn't the auth/session handler just be able to set a time far out in the future when "remember me" is enabled?

@pmjones
Member Author

pmjones commented Jun 14, 2014

No, there's something about setting a special cookie that can re-enable a session without actually logging in. However, the safest variations of these compare the cookie value with a value stored elsewhere.

@enygma
Contributor

enygma commented Jun 14, 2014

Yeah, it'd almost have to be some kind of adapter behind it for the storage, similar to how the other adapters are used (defaulting to PDO I imagine).

@harikt
Member

harikt commented Jun 15, 2014

Yes, session timeout is different. As @pmjones mentioned, you need some special cookie value stored, and recheck that on next login. On every new login we should reset the cookie with a different value.

Recently I was able to implement something for processwire. Some things we need to do are:

  1. If the user is logged in via remember me, don't let them reset the password and don't give them any sort of administrative privileges.
  2. Reset the hash on every request.
  3. Good to keep a hash in the db rather than the same value stored in the cookie.
  4. Need to limit the number of login requests.

@harikt
Member

harikt commented Nov 9, 2014

Hi Paul,

I wonder whether, when creating a remember me cookie, we are trying to duplicate some of the code of Aura.Session. Otherwise we may need to use the same function session_set_cookie_params to increase the cookie time.

$session->setCookieParams(array('lifetime' => '3600'));

The more I think about it, I have a feeling we should add aura/session as a dependency to Aura.Auth for easy usage. I don't care how others think about Auth, but ease of use should be considered more than splitting further.

Or we may need to define a shared interface, not implement the functionality ourselves, and suggest using aura/session, which is already implemented to work for it.

Thanks!

@enygma
Contributor

enygma commented Nov 9, 2014

I think, if anything, the "remember me" functionality should allow for different storage methods with Aura.Session being the default. I know the project is all about reducing dependencies, but in this case I think it's necessary from a DRY perspective.

@jleckie

jleckie commented Dec 11, 2014

I just implemented something like this; it basically worked like this...

  • Create a cookie with a randomly generated key with an extended lifetime (leaving the php session cookie alone, with its standard lifetime)
  • On return to the site, if the session has expired, the cookie key was looked up in redis storage. The redis storage would return a user identifier which is then used to create a new session for that user.
  • Logout of course destroys both the session and the remember me cookie

A few notes: storage is the key part here, as you need to secure it. So memcached, redis, db or file storage should all be options. Any key value store really. Any access to this data will mean complete site compromise. So an encryption layer might be useful.

The cookie can easily be stolen; ways to reduce damage include regenerating the cookie key every time the session expires, ensuring the cookie is httponly and https, and user agent checking to ensure the user agent has not changed (may not always be reliable: upgrades, etc.).
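Putting together the points raised in this thread (a random cookie key looked up in a store, a hash rather than the raw value kept server-side as harikt's list suggests, rotation on every use, HttpOnly/Secure cookie flags, revocation on logout, and a distinct "remembered" status so the caller can withhold password resets and admin privileges), here is an added example written for this issue; it is not code from Aura.Auth or from any commenter. The in-memory array and the names RememberMeStore and sendRememberCookie are assumptions standing in for a redis/PDO adapter.

```php
<?php
// Added example, not Aura.Auth code: the remember-me flow described in this thread.
// The store is an in-memory array standing in for redis/PDO. Only a hash of the
// secret is kept server-side, and the token is rotated on every successful resume.
final class RememberMeStore
{
    private array $rows = [];   // selector => [hash, user, expires]
    public function __construct(private int $lifetime = 30 * 86400) {}

    // Issue a token for $userId; returns the cookie value "selector:verifier".
    public function issue(string $userId, int $now): string
    {
        $selector = bin2hex(random_bytes(12));  // lookup key, safe to index on
        $verifier = bin2hex(random_bytes(32));  // secret; only its hash is stored
        $this->rows[$selector] = [
            'hash' => hash('sha256', $verifier), 'user' => $userId, 'expires' => $now + $this->lifetime,
        ];
        return $selector . ':' . $verifier;
    }

    // Resume from a cookie value: returns ['user', 'status' => 'remembered', 'cookie' => fresh value]
    // or null. The presented token is revoked either way once the selector matched.
    public function resume(string $cookie, int $now): ?array
    {
        [$selector, $verifier] = array_pad(explode(':', $cookie, 2), 2, '');
        $row = $this->rows[$selector] ?? null;
        if ($row === null || $row['expires'] < $now) {
            return null;
        }
        $this->revoke($selector);  // rotate on every use; a mismatch also burns it
        if (!hash_equals($row['hash'], hash('sha256', $verifier))) {
            return null;           // valid selector, wrong secret: treat as theft
        }
        return ['user' => $row['user'], 'status' => 'remembered',
                'cookie' => $this->issue($row['user'], $now)];
    }

    public function revoke(string $selector): void   // call on logout as well
    {
        unset($this->rows[$selector]);
    }
}

// Cookie flags the thread calls for: HttpOnly and Secure (PHP 7.3+ options array).
function sendRememberCookie(string $value, int $lifetime): void
{
    setcookie('remember', $value, [
        'expires' => time() + $lifetime, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}
```

A session created from a 'remembered' result should be marked as such so that password changes and privileged actions require fresh credentials, as the first item in harikt's list above recommends.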

@harikt
Member

harikt commented Dec 12, 2014

Great points @jleckie.

@pmjones
Member Author

pmjones commented Feb 4, 2015

@paragonie-scott

Hello,

The Resonant Core website is now defunct. However, the same advice is alive and well here: https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2

Regards,
Scott
