March 12, 2012

Zend framework Remember Me – working issue

Question by Dubious

I have used the remember me functionality in my site using the following package: http://www.jasperrooswinkel.com/unexpected-expiration-of-zend_auth-sessions/. It is working fine. But I face a problem that a deleted user can still access accounts just because of "stay signed in".

The scenario is as follows:

  1. The user logs in after setting "keep me logged in".
  2. He leaves the system shut down without signing out.
  3. His account is deleted that evening.
  4. He visits the site the next morning.

As he had set stay signed in, he gets his session and he could post a story and do whatever in his account without knowing the fact that his account was deleted the previous day. Also, I have set "remember me" for 14 days.

Any ideas how to solve this issue?

Thanks

Answer by aporat

Extending the session's expiration time for more than a few hours is a bad idea for many reasons, not just because you're keeping sessions of deleted users. There are also performance and security issues related to the fact that you're keeping active sessions (with session_id) in your database / session storage.

See persisted login with Zend_Session::rememberMe.

In any case, you should revalidate your user account on each page load, to make sure the user still exists and is active:

I’ve created a revalidate function which I call on every page load. The function is called from the controller’s init() function before the user can do anything.

    public static function revalidate() {
        // Identity currently stored in the (possibly remembered) session
        $userData = self::getIdentity();

        // Look the account up again on every request instead of trusting the session
        $modelUsers = new Model_Users();
        $user = $modelUsers->fetchWithEmail($userData['email']);

        // Only an account that still exists and carries the expected role is accepted
        if ($user instanceof Model_User) {
            if ($user->getRoleType() == 'ACCOUNT') {
                return $user;
            }
        }
        return false;
    }
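The revalidation described above, as an added example (not code from the original post or from Zend Framework itself): a front-controller plugin that re-checks a persisted "remember me" identity against the user store before any action runs, and throws the identity and the long-lived cookie away when the account is gone. It assumes Model_Users::fetchWithEmail() and getRoleType() from the answer above, that the stored identity is an array with an 'email' key, an assumed Model_User::isActive() accessor, and an assumed auth/login controller and action.

```php
<?php
// Added example: revalidate a remembered identity on every dispatch.
// Model_Users / fetchWithEmail() / getRoleType() are from the answer above;
// isActive() and the auth/login route are assumptions for this example.
class Application_Plugin_Revalidate extends Zend_Controller_Plugin_Abstract
{
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            return; // anonymous request: nothing to revalidate
        }

        $identity = $auth->getIdentity();
        $email    = isset($identity['email']) ? $identity['email'] : null;

        $users = new Model_Users();
        $user  = ($email !== null) ? $users->fetchWithEmail($email) : null;

        // Reject the persisted identity if the account no longer exists,
        // has been deactivated, or no longer carries the expected role.
        if (!($user instanceof Model_User)
            || !$user->isActive()
            || $user->getRoleType() !== 'ACCOUNT') {
            $this->rejectIdentity($request);
        }
    }

    private function rejectIdentity(Zend_Controller_Request_Abstract $request)
    {
        // Drop the server-side identity and turn the long-lived cookie into a
        // browser-session cookie so the stale "remember me" cannot be replayed.
        Zend_Auth::getInstance()->clearIdentity();
        Zend_Session::forgetMe();

        // Re-route the dispatch loop to the login page instead of only sending a
        // redirect header: a redirect alone would still execute the requested
        // action (for example, posting a story) before the browser moves on.
        $request->setModuleName('default')
                ->setControllerName('auth')
                ->setActionName('login')
                ->setDispatched(false);
    }
}
```

Register it in the bootstrap with Zend_Controller_Front::getInstance()->registerPlugin(new Application_Plugin_Revalidate()); it then runs ahead of every action, so a deleted user's request never reaches the code it was aimed at.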

Answer by Starx

This is exactly why you need to set up a session timeout for every application/page.

Use ini_set() to set the session lifetime:

ini_set("session.cookie_lifetime", "1800"); // half an hour

Then check if a session is alive on every secured page, like:

if (session_id() === '') {
    header("Location: index.php"); // no live session: go to home page
    exit;
}
...
