View Issue Details

This bug affects 1 person(s).
ID: 12143
Project: Feature requests
Category: Security
View Status: public
Last Update: 2017-11-17 11:48
Reporter: Rudloff
Assigned To: c_schmitz
Status: assigned
Resolution: reopened
Summary: 12143: Add a login cookie with a duration longer than the session

It seems the admin login uses PHP sessions which are destroyed at the end of the browsing session (or even before if the server cleans the sessions every X minutes), which is pretty annoying.
Would it be possible to add a login cookie with a longer duration, which is what most web apps do nowadays?
It can be optional with a "Remember me" checkbox.
Tags: No tags attached.
Bug heat: 256

Users monitoring this issue

User List Mazi




2017-02-21 18:59

developer   ~43054

I like it, it can be done in plugin currently.

But:
- cookies must really have some crypting mechanisms
- cookies must use some salt


2017-02-21 19:06

reporter   ~43058

We can use a library like rememberme ( to ensure that the cookie is sufficiently secure.


2017-02-23 12:37

reporter   ~43082

Here is a basic implementation as a plugin :


2017-02-28 14:19

developer   ~43095

In fact, for all sessions:
In fact:
            'cookieParams' => array(
                    'lifetime' => 60 * 60 * 24 * 7, // 7 days, in seconds
            ),

Works too without issue (here for 7 days)

Can use 'savePath' => '/outofgarbage/tmp', to stop the server from garbage-collecting sessions too.

I'm closing this one


2017-02-28 15:28

reporter   ~43097

It's generally not a good idea to store long PHP sessions, especially if you don't use garbage collection, because a lot of sessions can be created quite easily by an attacker and it can fill your drive.

What if I run something like this in Bash for example:
for ((i=1;i<=100000;i++)); do curl; done
Because LS creates a new session for every user, even if they are not logged in, this allows creating unlimited sessions and they won't be garbage collected. (And even if you set up a cron for garbage collection, 7 days is enough time to fill up your server's drive.)

This is why it is considered a better practice to:
* Have short PHP sessions for everyone
* Have a second mechanism for long sessions used only for logged-in users
* Have a way to garbage collect old sessions
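
A sketch of the second mechanism listed above, added here as an illustration; it is not code from this thread, from the rememberme library or from the reporter's plugin. All function names are hypothetical, the in-memory `$store` array stands in for a database table, and PHP 7.4 or later is assumed.

```php
<?php
declare(strict_types=1);
// Hypothetical store standing in for a DB table (assumption):
// selector => ['user' => id, 'hash' => sha256(validator), 'expires' => unix time]

/** Issue a token after a successful password login; returns the cookie value. */
function issueRememberToken(array &$store, int $userId, int $ttl, int $now): string
{
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret, only ever stored hashed
    $store[$selector] = [
        'user'    => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + $ttl,
    ];
    return $selector . ':' . $validator;
}

/** Return [userId, replacementCookie] for a valid cookie, or null. */
function redeemRememberToken(array &$store, string $cookie, int $ttl, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]); // single use: the row is removed on any attempt
    if ($row['expires'] < $now || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null; // expired, or validator mismatch (constant-time compare)
    }
    return [$row['user'], issueRememberToken($store, $row['user'], $ttl, $now)];
}

/** Garbage-collect expired rows; returns how many were removed. */
function purgeExpiredTokens(array &$store, int $now): int
{
    $before = count($store);
    $store = array_filter($store, fn(array $r): bool => $r['expires'] >= $now);
    return $before - count($store);
}

// Constructed demo values
[$store, $now, $week] = [[], 1487600000, 7 * 86400];
$cookie = issueRememberToken($store, 42, $week, $now);
[$user, $next] = redeemRememberToken($store, $cookie, $week, $now + 3600);
var_dump($user === 42, redeemRememberToken($store, $cookie, $week, $now + 3600) === null);
var_dump(purgeExpiredTokens($store, $now + 30 * 86400) === 1);
```

Rows are created only after a successful login, so anonymous requests never add to the store, and the PHP session itself can stay short. In a real plugin the returned value would be sent with setcookie() using the secure and httponly options.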


2017-02-28 16:04

developer   ~43098

Hi Rudloff
1: Bug title: Add a login cookie with a duration longer than the session: can be fixed by Yii
2: Your plugin really does better and fixes the situation.
=> Then I think we can close this bug.

I send it in feedback to Carsten


2017-02-28 16:05

developer   ~43099

OK to close it ?


2017-02-28 16:06

developer   ~43100

PS : @Rudloff : if you found some time to put your plugin in it's great.

If you want me to make it, I can (just ask), but better if you do it.


2017-02-28 16:23

reporter   ~43102

OK, you can close the bug. I will submit my plugin but I want to add some documentation and tests first.


2017-02-28 16:28

developer   ~43103



2017-11-17 11:48

developer   ~45102

@c_schmitz: maybe we can include this plugin in the core plugins for 3.0?

Issue History

Date Modified Username Field Change
2017-02-20 18:10 Rudloff New Issue
2017-02-21 18:59 DenisChenu Note Added: 43054
2017-02-21 19:06 Rudloff Note Added: 43058
2017-02-23 12:37 Rudloff Note Added: 43082
2017-02-23 20:40 Mazi Issue Monitored: Mazi
2017-02-28 14:19 DenisChenu Note Added: 43095
2017-02-28 14:19 DenisChenu Status new => closed
2017-02-28 14:19 DenisChenu Resolution open => no change required
2017-02-28 15:28 Rudloff Status closed => feedback
2017-02-28 15:28 Rudloff Resolution no change required => reopened
2017-02-28 15:28 Rudloff Note Added: 43097
2017-02-28 16:04 DenisChenu Note Added: 43098
2017-02-28 16:05 DenisChenu Assigned To => c_schmitz
2017-02-28 16:05 DenisChenu Status feedback => assigned
2017-02-28 16:05 DenisChenu Status assigned => feedback
2017-02-28 16:05 DenisChenu Note Added: 43099
2017-02-28 16:06 DenisChenu Note Added: 43100
2017-02-28 16:23 Rudloff Note Added: 43102
2017-02-28 16:23 Rudloff Status feedback => assigned
2017-02-28 16:28 DenisChenu Note Added: 43103
2017-11-17 11:48 DenisChenu Note Added: 45102