
Geeklog Forums

Remember Me Forever


Status: offline

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
Most login boxes today contain a "remember me" checkbox. Just wondered how come Geeklog has no such thing (trust me, the average user would never enter his/her user preferences to enable that...and even that provided you edited each and every language file and added a huge number in the right place and called it "forever"...).

And does anyone else hear Fame's theme in their head when they read this question?

Status: offline

LWC

Forum User
Full Member
Registered: 02/19/04
Posts: 818
Anyone?

Status: offline

spidermann

Forum User
Junior
Registered: 11/29/04
Posts: 26
Location:Handbasket, Satan
This would be taken care of in the cookie that is downloaded onto a user's machine.

I have been meaning to work on it for my site but have been too busy. I have long thought that this should be something added in to GL.

Status: offline

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
I'd also prefer such a "remember me" pull down as you can see here:
http://www.nlpweekly.com/community/


Schwooba

Anonymous
I too would like this feature...hopefully someone with experience (Dirk???) can whip something out quickly.

Status: offline

mst3kroqs

Forum User
Regular Poster
Registered: 10/18/05
Posts: 78
Location:Cary, NC USA
Well, just some off-the-cuff thinking here, but GL does not appear to store values (hashed or otherwise) which contain the userid and pw for the user, therefore no 'forever' option could exist which would persist past browser exits without doing so.

It's not impossible, but you'd have to insert a lot of code primarily in users.php, lib-sessions.php and probably other areas to generate and then check for the existence of these new cookies. You'd also have to alter usersettings.php and associated templates, of course. (aieee!)

I guess you'd also need to either add a field to {prefix}_users to track this per-user preference (ugh - structure changes are painful wrt to upgrades).

Even so, with a much smaller amount of hacking around at the core code, you could perhaps utilize a 'special value' in the cookietimeout field that already exists in the {prefix}_users table, which would be interpreted as 'forever' as long as you didn't close the browser window.

cookietimeout for a user seems to be set to whatever is specified in $_CONF['default_perm_cookie_timeout'], which is 28800 secs (8 hrs) by default as per as-shipped config.php, and usersettings.php also allows other values as per {prefix}_cookcodes table, so step 1 would be to create a 'Forever' entry in this table, with the 'magic' forever number.

Then, I guess it's a matter of modifying the SESS_newSession function in lib-sessions.php to recognize that this user is using the 'magic' value, and that the permanent cookie would never be expired.

I also tried to see how this would be done with a customer user registration approach, and although some of this would seem to be useful for solving the need to change table structures and themes, you'd still need the core code hacks (there are no hooks in there that I can see after a quick perusal).

Of course, the GL team could consider a hybrid approach which utilized the best of both worlds, eg. adding the new forever/magicvalue to cookcodes, and then adding the hashed userid/pw cookie generation and recognition code as necessary, this would at least prevent having to modify the user db structure and theme templates.

Anyway - this is core code stuff, and therefore a feature request as you have indicated, but note also that utilizing 'remember forever' functionality ultimately lowers the overall security integrity of your site, as it is much harder to 'weed out' baddie users (or bots, for that matter) that may have become authenticated to your site somehow.

Much more manual intervention required for revocation, and you are essentially trusting them based upon whatever past authentication process/code you have utilized, even though you may improve or extend the authentication process over time. It also permits baddies to fairly easily retrieve and brute-force attack someone's userid/pw cookies, and then impersonate them on the site. (Can you say link and comment SPAM of many sizes, types, colors and smells?)

In other words, if the GL team added this option, it would certainly want to be that - an option, and one that probably defaulted to OFF, with the risks associated with ON clearly explained ...

Don't know if that makes sense, but these are musings for a Sunday afternoon ....
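
The post above lists two risks of a "forever" cookie built from a hashed userid/pw: it can be attacked offline and it is hard to revoke. As an added example (not Geeklog code and not written by any poster in this thread), the PHP below shows a remember-me cookie that carries only a random, single-use token whose hash is kept server-side with an expiry; `$store` stands in for a hypothetical `{prefix}_remember_tokens` table and all function names are assumptions.

```php
<?php
// Added example, not Geeklog code. $store stands in for a hypothetical
// {prefix}_remember_tokens table keyed by selector.

function rememberIssue(array &$store, int $uid, int $ttl, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'uid'     => $uid,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + $ttl,            // bounded lifetime, never "forever"
    ];
    return $selector . ':' . $validator;     // value to place in the cookie
}

function rememberCheck(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    $ok  = hash_equals($row['hash'], hash('sha256', $validator));
    unset($store[$selector]);                // single use: one guess per selector
    if (!$ok || $row['expires'] < $now) {
        return null;
    }
    return $row['uid'];                      // caller then issues a fresh token
}

function rememberRevokeUser(array &$store, int $uid): void
{
    // Revocation is a row delete; the password never has to change.
    foreach ($store as $selector => $row) {
        if ($row['uid'] === $uid) {
            unset($store[$selector]);
        }
    }
}

// Constructed demo values: user id 42, 30-day lifetime, fixed clock.
$store  = [];
$now    = 1700000000;
$cookie = rememberIssue($store, 42, 30 * 86400, $now);
var_dump(rememberCheck($store, $cookie, $now + 60));  // first use of the token
var_dump(rememberCheck($store, $cookie, $now + 120)); // replay of the same cookie
$cookie2 = rememberIssue($store, 42, 30 * 86400, $now);
rememberRevokeUser($store, 42);
var_dump(rememberCheck($store, $cookie2, $now + 60)); // after revocation
```

Because the cookie holds nothing derived from the password, a stolen cookie gives no material for recovering credentials, and an administrator can cut off a user by deleting rows.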

Status: offline

1000ideen

Forum User
Full Member
Registered: 08/04/03
Posts: 1298
Thanks for all the thoughts mst3kroqs though I don't understand them. But I agree that Geeklog should stay a safe portal. Actually this "remember me" checkbox is feature request #536. Maybe there is a chance to do it.
