So I assume from this that if I do not choose "remember me" then the login duration is 0 days, i.e. it will not keep me logged in when the browser is closed. However I am finding that it does keep me logged in. I am using Firefox 3.6 on Windows 7.
I have 'allowAutoLogin'=>true in main.php; however, I am using the login system for a module and not the site.
The cookie Yii sends the browser is marked to be valid only in this session; maybe the browser is saving the cookie even if you close and reopen the browser.
When you choose remember me, another cookie will be sent, valid for a month. Note that it is impossible for the server to know whether the browser was closed or not, if it is sending a valid cookie.
The thing is I normally have my Yii site open in a tab, as well as some other tabs. At the end of the day I close the browser which saves all the open tabs.
When I open up the browser the next day my Yii site is still logged in but some other sites are logged out.
OK I’ve tested this in Safari, which does not save the tab session. It works as expected in Safari, so the “problem” is probably due to the fact that the “browser session” data is being saved when I exit Firefox.
My experience is that FF does not delete these cookies when you close the browser, even if their lifetime is listed as "Until the end of this session". In fact, as a long-time FF user I was quite surprised when I first heard about "the user session ends when you close the browser", as I never saw this happening for me.
If I go to http://www.yiiframework.com/extensions/, login, then close browser and reopen the site, I’m logged out. You still logged in? I use Firefox as well.
That’s strange. I can’t imagine privacy settings/plugins are the cause of it? Because privacy would more likely mean to delete all cookies when browser session ends I guess.
Also when you check the Firefox privacy options you can see something like:
Accept 3rd party cookie?
* yes, until not valid anymore
* yes, until browser closes
* Ask me
Yes Mike, that’s right. The “browser session”, i.e. the tab history gets saved when you exit Firefox (depending on whether you enabled that feature or not).
In my opinion, I think if "remember me" option is not selected then the user should be logged in based on a TIME period, for example 2 or 5 hours.
You can restore the window by switching on the second checkbox in the Tab-settings. If you uncheck it again, you won’t get any notices when exiting (and nothing gets restored ever, unless ff crashes).
I don’t remember. I’ve used an extension called Session-Manager for a long time. Some day most of its features were integrated into FF and I don’t know whether it takes over the old settings. Anyway…
What we should learn: Never take for granted that the user session ends when the user closes his browser window!
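Added example (not posted by anyone in this thread, and not Yii's own code): a framework-independent sketch of the time-based logout suggested above, enforced on the server so that a "session" cookie restored by the browser stops working by itself. The function names, session keys and the 2-hour and 5-hour limits are assumptions chosen for illustration.

```php
<?php
// Server-side login lifetime that does not depend on the browser discarding
// its session cookie. All names and limits below are illustrative assumptions.

const IDLE_LIMIT = 2 * 3600;      // log out after 2 hours without a request
const ABSOLUTE_LIMIT = 5 * 3600;  // log out 5 hours after login, active or not

/** Record a fresh login in the session array. */
function markLogin(array &$session, int $userId, int $now): void
{
    $session['uid'] = $userId;
    $session['login_at'] = $now;
    $session['last_seen'] = $now;
}

/**
 * Return the user id if the login is still valid at $now; otherwise clear the
 * login state and return null. Call this on every authenticated request.
 */
function currentUser(array &$session, int $now): ?int
{
    if (!isset($session['uid'], $session['login_at'], $session['last_seen'])) {
        return null;
    }
    $idle = $now - $session['last_seen'];
    $age = $now - $session['login_at'];
    // A negative idle time means the stored timestamps cannot be trusted.
    if ($idle < 0 || $idle > IDLE_LIMIT || $age > ABSOLUTE_LIMIT) {
        unset($session['uid'], $session['login_at'], $session['last_seen']);
        return null;
    }
    $session['last_seen'] = $now; // sliding idle window
    return $session['uid'];
}

// Constructed scenario: log in at 17:00, close the browser with tabs saved,
// and have the restored cookie presented again the next morning.
$session = [];
$login = strtotime('2010-03-01 17:00:00 UTC');
markLogin($session, 42, $login);
var_dump(currentUser($session, $login + 1800));       // request 30 minutes later
var_dump(currentUser($session, $login + 16 * 3600));  // restored tab next morning
```

In a real application the array would be `$_SESSION` and `$now` would be `time()`; the check belongs in whatever code runs before every request that requires a logged-in user.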