
stay logged in in php application for +1 week

We have a PHP application written in Zend Framework and are wondering what would be the best way if we wanted to keep our users logged in for more than a day, e.g. a week or even more.

Do we need sessions for that (uses table space and memory?), or is it better to work with cookies (security?)?

HTTP is stateless, meaning the webserver will forget who you are after it has served your request. Sessions are a way around this. When using sessions, browser and server will exchange an identifier on each request that lets the webserver connect previously stored data to this particular requestor.

The ID is usually stored in a cookie. Set your session cookie to expire in one week and you are all set for keeping your users logged in for a week.
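The answer above sets only the cookie lifetime. In plain PHP that is half the job: the server-side session data is also garbage-collected once it is older than `session.gc_maxlifetime` (default 1440 seconds), so both values have to be raised together. The following is an added example, not code from the answer or from Zend Framework; the helper names (`startWeekLongSession`, `loginUser`, `checkCredentials`) and the single hard-coded user record are constructed for illustration.

```php
<?php
// Added example: keep a PHP session alive for one week.
// Both the cookie lifetime and the server-side GC lifetime are raised, since
// either one alone lets the login expire. Function names are hypothetical.

declare(strict_types=1);

const ONE_WEEK = 7 * 24 * 60 * 60;

function startWeekLongSession(): void
{
    // Server side: session data may be garbage-collected after this many seconds.
    ini_set('session.gc_maxlifetime', (string) ONE_WEEK);
    // Accept the session id only from a cookie, never from ?PHPSESSID=... in the URL.
    ini_set('session.use_only_cookies', '1');
    // Reject session ids the server never issued (defeats fixation via a chosen id).
    ini_set('session.use_strict_mode', '1');

    session_set_cookie_params([
        'lifetime' => ONE_WEEK,   // browser keeps the cookie for a week
        'path'     => '/',
        'domain'   => '',         // current host only
        'secure'   => true,       // sent over HTTPS only
        'httponly' => true,       // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

function loginUser(int $userId): void
{
    // Issue a fresh id when the privilege level changes (anti session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['logged_in_at'] = time();
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Constructed user record standing in for a database lookup; in a real app the
// password hash is produced once at registration and stored, not computed here.
function checkCredentials(string $username, string $password): ?int
{
    $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (!isset($users[$username])) {
        return null;
    }
    return password_verify($password, $users[$username]['hash']) ? $users[$username]['id'] : null;
}

startWeekLongSession();
if (currentUserId() === null && isset($_POST['username'], $_POST['password'])) {
    $id = checkCredentials((string) $_POST['username'], (string) $_POST['password']);
    if ($id !== null) {
        loginUser($id);
    }
}
```

Two caveats for this approach: with the default file handler, PHP's garbage collector uses the `gc_maxlifetime` of whichever script happens to trigger it, so an application sharing `session.save_path` with other sites should use its own directory (or a database handler, as the last answer suggests). In Zend Framework 1 the same php.ini keys can be passed to `Zend_Session::setOptions()`, and `Zend_Session::rememberMe($seconds)` regenerates the id with a long cookie lifetime.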

Strictly speaking you do not need sessions. You are confusing two things:

  • Sessions are used to store data server-side for a specific user. This will probably include the user name with which the user logged in. Sessions are typically relatively short-lived (e.g. expire after a few minutes or hours of inactivity). Session cookies (i.e. cookies that expire after the user closes the browser) are typically used to associate a given user to a given session, though other methods can be used, such as passing the session id in the URL (beware of session fixation in this case).
  • For long-lived logins, one typically stores the user credentials or some medium-term user credentials surrogate in a non-session cookie that's set to expire after a few weeks or months. Whenever the user does not have an active session associated with him, these credentials are used to initiate such a session without user interaction.

So basically, cookies are used for two purposes – to store a short-lived (minutes or hours) session id and to store user credentials for a few days/weeks/months.

"Remember me" is always a security hole, whatever you use - cookie or session - someone can (in theory) steal a cookie, and thus enter the account without any password. There are ways to increase security, by allowing recall only from the same IP. Cookies are AFAIK less secure, however that depends on the way you implement auth. For instance, by keeping the password hash in cookies you almost give the intruder a real password (which is a no-no, it may be used on other webapps) as there are dictionaries to obtain simple passwords from a hash. Salting the hash does not help much.

All in all, sessions are the simplest and good enough way. Use tables if you use more than one webserver for an app, otherwise sessions on disk are ok.
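The second answer's "medium-term credentials surrogate" and the third answer's warning against putting a password hash in the cookie point at the same design: the persistent cookie should carry a random token that is useless offline, and the server should store only a hash of it. The following is an added example illustrating that, not code from either answer or from Zend Framework. It uses an in-memory SQLite table through PDO so it runs stand-alone (requires the `pdo_sqlite` extension); the table and function names, the `selector:validator` cookie layout, and the sample user id and IP are constructed for illustration. The optional same-IP check from the third answer is included as a switch.

```php
<?php
// Added example: "remember me" with a random selector:validator token.
// The cookie holds the raw token; the database holds only sha256(validator), so
// neither a stolen DB dump nor a dictionary attack yields a usable cookie, and
// the user's real password never leaves the server. Names are hypothetical.

declare(strict_types=1);

const REMEMBER_DAYS = 30;

function rememberMeDb(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector       TEXT PRIMARY KEY,
            validator_hash TEXT NOT NULL,
            user_id        INTEGER NOT NULL,
            ip             TEXT NOT NULL,
            expires        INTEGER NOT NULL)');
    }
    return $pdo;
}

// Issue a token at login when the user ticked "remember me". Returns the cookie value.
function issueRememberToken(int $userId, string $ip): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // the actual secret, never stored in clear
    $expires   = time() + REMEMBER_DAYS * 86400;
    $stmt = rememberMeDb()->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, ip, expires) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $ip, $expires]);
    return $selector . ':' . $validator;
}

// Called when a request arrives without an active session but with the cookie.
// Returns the user id to start a session for, or null. The token is consumed on
// success (rotate by issuing a new one), so a copied cookie works at most once.
function redeemRememberToken(string $cookie, string $ip, bool $bindIp = false): ?int
{
    if (substr_count($cookie, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    $stmt = rememberMeDb()->prepare('SELECT * FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires'] < time()) {
        return null;
    }
    // Constant-time comparison of the hashes; a wrong validator for a valid
    // selector suggests theft or guessing, so the stored token is revoked.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        revokeRememberToken($selector);
        return null;
    }
    if ($bindIp && !hash_equals($row['ip'], $ip)) {
        return null;
    }
    revokeRememberToken($selector);
    return (int) $row['user_id'];
}

function revokeRememberToken(string $selector): void
{
    rememberMeDb()->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
}

function setRememberCookie(string $token): void
{
    setcookie('remember', $token, [
        'expires'  => time() + REMEMBER_DAYS * 86400,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed walk-through (in practice spread over separate requests).
$token = issueRememberToken(42, '203.0.113.5');
assert(redeemRememberToken($token, '203.0.113.5') === 42);        // first use: login
assert(redeemRememberToken($token, '203.0.113.5') === null);      // consumed: replay fails
$token = issueRememberToken(42, '203.0.113.5');
assert(redeemRememberToken($token, '198.51.100.7', true) === null); // IP binding rejects
```

On a successful redeem the application would call `session_regenerate_id(true)`, populate `$_SESSION`, and immediately issue and set a fresh token, so the long-lived cookie is rotated on every silent login. The IP check is the trade-off the third answer describes: it limits what a stolen cookie is worth, at the cost of logging out users whose address changes (mobile networks, corporate proxies).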

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

 