Login Duration

What is the default login duration when NOT selecting "remember me"?

In my login() function in LoginForm model, I have the following:


if($this->_identity->errorCode===UserIdentity::ERROR_NONE)
{
	$duration=$this->rememberMe ? 3600*24*30 : 0; // 30 days
	Yii::app()->user->login($this->_identity, $duration);
	return true;
}

So I assume from this that if I do not choose "remember me" then the login duration is 0 days, i.e. it will not keep me logged in when the browser is closed. However I am finding that it does keep me logged in. I am using Firefox 3.6 on Windows 7.

I have 'allowAutoLogin'=>true, in main.php, however I am using the login system for a module and not the site.

I think that is a question of the browser.

The cookie Yii sends the browser is marked to be valid only in this session; maybe the browser is saving the cookie even if you close and reopen the browser.

When you choose remember me, another cookie will be sent, valid for a month. Note that it is impossible for the server to know whether the browser was closed or not if it is sending a valid cookie.

Hmmm not sure. How can I test this?

The thing is I normally have my Yii site open in a tab, as well as some other tabs. At the end of the day I close the browser which saves all the open tabs.

When I open up the browser the next day my Yii site is still logged in but some other sites are logged out.

You can check by right-clicking on the tab, then information about page, choose the tab safety and then check the cookies.

OK I’ve tested this in Safari, which does not save the tab session. It works as expected in Safari, so the “problem” is probably due to the fact that the “browser session” data is being saved when I exit Firefox.

Maybe you have some plugin installed that causes this problem. At least it’s not the default behavior of Firefox (or any other browser).

And your php.ini?

Check the: session.cookie_lifetime

My experience is that FF does not delete these cookies when you close the browser, even if their lifetime is listed as "Until the end of this session". In fact, as a long-time FF user I was quite surprised when I first heard about "the user session ends when you close the browser", as I never saw this happening for me.

If I go to http://www.yiiframework.com/extensions/, login, then close browser and reopen the site, I’m logged out. You still logged in? I use Firefox as well.

That’s right, I’m still logged in. Could it be my privacy settings in FF?

I’m still searching because I remember I’ve discussed this with Qiang some years ago, but can’t remember what we found out.

That’s strange. I can’t imagine privacy settings/plugins are the cause of it? Because privacy would more likely mean to delete all cookies when browser session ends I guess.

Also when you check the Firefox privacy options you can see something like:

Accept 3rd party cookie?

* yes, until not valid anymore
* yes, until browser closes
* Ask me

So there is no built-in setting to keep cookies.

Aha, getting closer: It has to do with FF’s “session restore” feature, which is actually a tab restore feature. But it also keeps the session cookies:

http://stackoverflow.com/questions/777767/firefox-session-cookies

https://bugzilla.mozilla.org/show_bug.cgi?id=443354

Yes Mike, that’s right. The “browser session”, i.e. the tab history gets saved when you exit Firefox (depending on whether you enabled that feature or not).

In my opinion, I think if "remember me" option is not selected then the user should be logged in based on a TIME period, for example 2 or 5 hours.

Okay that makes sense.

Mike I guess you did this: [screenshot: ff.png]

You can restore the window by switching on the second checkbox in the Tab-settings. If you uncheck it again, you won’t get any notices when exiting (and nothing gets restored ever, unless ff crashes).

I don’t remember. I’ve used an extension called Session-Manager for a long time. Some day most of its features were integrated into FF and I don’t know whether it takes over the old settings. Anyway…

What we should learn: Never take for granted that the user session ends when the user closes his browser window!
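
The time-based login suggested in the thread, and the conclusion above, as an added example that is not code from any participant or from Yii: the server decides when a login expires from timestamps kept in its own session data, so a session cookie restored by the browser does not extend it. The function name, the state keys and the 2 and 5 hour limits are assumptions chosen for illustration.

```php
<?php
// Hypothetical names throughout; timestamps live in server-side session data.
const IDLE_TIMEOUT     = 2 * 3600;       // no "remember me": 2 hours without a request
const ABSOLUTE_TIMEOUT = 5 * 3600;       // no "remember me": 5 hours after login
const REMEMBER_TIMEOUT = 3600 * 24 * 30; // "remember me": 30 days, as in the login() code

/**
 * Decide whether a stored login is still valid at time $now.
 * $state keys: loginAt, lastSeenAt (Unix timestamps), rememberMe (bool).
 * Returns the refreshed state, or null when the user must log in again.
 */
function checkLogin(array $state, int $now): ?array
{
    if ($state['rememberMe']) {
        if ($now - $state['loginAt'] > REMEMBER_TIMEOUT) {
            return null;
        }
    } else {
        // Expiry does not depend on the browser discarding its cookie.
        if ($now - $state['lastSeenAt'] > IDLE_TIMEOUT) {
            return null; // idle too long, e.g. tabs restored the next day
        }
        if ($now - $state['loginAt'] > ABSOLUTE_TIMEOUT) {
            return null; // continuously active, but login is too old
        }
    }
    $state['lastSeenAt'] = $now; // sliding idle window
    return $state;
}

// Constructed timeline (Unix timestamps), not data from the thread.
$login = 1000000;
$fresh = ['loginAt' => $login, 'lastSeenAt' => $login, 'rememberMe' => false];
$busy  = ['loginAt' => $login, 'lastSeenAt' => $login + 5 * 3600, 'rememberMe' => false];
$cases = [
    'active 1 hour after login'       => [$fresh, $login + 3600],
    'tabs restored 16 hours later'    => [$fresh, $login + 16 * 3600],
    'still active 6 hours after login' => [$busy, $login + 6 * 3600],
];
foreach ($cases as $label => [$state, $now]) {
    $ok = checkLogin($state, $now) !== null;
    echo $label, ': ', $ok ? 'still logged in' : 'login required', "\n";
}
```

In Yii 1.1 the idle-timeout part of this check is available as the `authTimeout` property of the `user` component (CWebUser).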