I have implemented the "remember me" functionality on my site using the following package: http://www.jasperrooswinkel.com/unexpected-expiration-of-zend_auth-sessions/. It is working fine. But I face a problem: a deleted user can still access their account just because of "stay signed in".
The scenario is as follows:
- The user logs in after ticking "keep me logged in".
- He leaves the system shut down without signing out.
- His account is deleted that evening.
- He visits the site the next morning.
As he had chosen "stay signed in", he gets his session back and can post a story and do whatever he wants in his account, without knowing that his account was deleted the previous day. Also, I have set the remember-me period to 14 days.
Any ideas how to solve this issue?
Thanks
Extending the session’s expiration time to more than a few hours is a bad idea for many reasons, not just because you’re keeping sessions of deleted users. There are also performance and security issues related to the fact that you’re keeping active sessions (with session_id) in your database / session storage.
See persisted login with Zend_Session::rememberMe.
In any case, you should revalidate the user account on each page load, to make sure the user still exists and is active:
I’ve created a revalidate function which I call on every page load. The function is called from the controller’s init() function before the user can do anything.
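An added example of such a per-request revalidation check for Zend Framework 1 (example code, not the answerer's own function): it assumes a `users` table with `id` and `status` columns, a `Model_DbTable_Users` table class, and that the `Zend_Auth` identity carries the user's `id`.

```php
<?php
// Added example (not from the original post). Assumes a `users` table with
// `id` and `status` columns, a Zend_Db_Table subclass Model_DbTable_Users,
// and that Zend_Auth stores an object with an `id` property as the identity.
abstract class My_Controller_Action extends Zend_Controller_Action
{
    public function init()
    {
        // Runs before any action: an identity restored from a remember-me
        // cookie is only trusted if the account still exists and is active.
        $this->revalidate();
    }

    protected function revalidate()
    {
        $auth = Zend_Auth::getInstance();
        if (!$auth->hasIdentity()) {
            return; // anonymous visitor, nothing to check
        }

        $identity = $auth->getIdentity();
        $users    = new Model_DbTable_Users();
        $row      = $users->fetchRow(
            $users->select()->where('id = ?', (int) $identity->id)
        );

        // Deleted or deactivated account: drop the identity, clear the
        // remember-me cookie, destroy the session and send to the login page.
        if ($row === null || $row->status !== 'active') {
            $auth->clearIdentity();
            Zend_Session::forgetMe();
            Zend_Session::destroy(true);
            $this->_helper->redirector->gotoSimple('login', 'auth');
        }
    }
}
```

Every controller that extends this base class gets the check for free; the extra query per request is the price of not trusting a 14-day cookie on its own.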