27 lines
994 B
Markdown
# Remember me
We want to implement long lived sessions
we will do this with a remember me cookie
this should be implemented as so:
logging in or registering with a "rememberMe" flag in the request will generate a new remember me token, which the client stores as a cookie.
the remember me token should live until one of the following happens:

* the user changes their password anywhere (all of that user's tokens are invalidated)
* the user logs out on that device (only that device's token is invalidated)
* the user logs in with an expired session, in which case the remember me token is used to refresh the session and is then swapped out for a new one (single use)
that means we need to implement three spots:

- [ ] login
- [ ] register
- [ ] validate session
we will implement it as described [here](https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence)
we will only check the remember me token in "validate session".
"refresh session" is only called with valid sessions, so we do not need to check the remember me token there: by that point the session has already been validated.
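The selector/validator scheme from the linked article, plus the three lifetime rules above, as an added Python example (not code from this project; the in-memory `STORE` dict stands in for the database table and the `selector:validator` cookie format is an assumption):

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the remember-me table:
# selector -> (user_id, sha256(validator), expires_at)
STORE: dict[str, tuple[int, bytes, float]] = {}

def _hash(validator: bytes) -> bytes:
    # Only the hash of the validator is stored, so a DB leak does not yield usable cookies.
    return hashlib.sha256(validator).digest()

def issue_token(user_id: int, ttl_seconds: int = 30 * 24 * 3600) -> str:
    """Called from login/register when the rememberMe flag is set; returns the cookie value."""
    selector = secrets.token_hex(12)      # public lookup key, not secret
    validator = secrets.token_bytes(32)   # secret half, never stored in clear
    STORE[selector] = (user_id, _hash(validator), time.time() + ttl_seconds)
    return f"{selector}:{validator.hex()}"

def consume_token(cookie: str):
    """Called from 'validate session' when the session has expired.
    Returns (user_id, new_cookie) and retires the old token, or None."""
    try:
        selector, validator_hex = cookie.split(":", 1)
        validator = bytes.fromhex(validator_hex)
    except ValueError:
        return None
    row = STORE.get(selector)
    if row is None:
        return None
    user_id, stored_hash, expires_at = row
    if time.time() > expires_at:
        del STORE[selector]
        return None
    # Constant-time compare so the validator cannot be guessed byte by byte.
    if not hmac.compare_digest(_hash(validator), stored_hash):
        return None
    del STORE[selector]                   # single use: swap for a fresh token
    return user_id, issue_token(user_id)

def revoke_user(user_id: int) -> int:
    """Password change anywhere: drop every token for that user."""
    doomed = [s for s, (uid, _, _) in STORE.items() if uid == user_id]
    for s in doomed:
        del STORE[s]
    return len(doomed)

def revoke_token(cookie: str) -> bool:
    """Logout on one device: drop only that device's token."""
    return STORE.pop(cookie.split(":", 1)[0], None) is not None
```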