I’m using cakephp 2 together with the AuthComponent to authenticate users on my webapplication. It is crucial that users do NOT get logged out automatically for a very long time (at least 24 hours, longer or infinitely would be best). The reason is that we store a number of things in the cakephp webapp that have to be available to the currently signed in users within seconds without forcing him to type in his password. For this reason I already set Security.level to low and I also implemented
Configure::write('Session.timeout', 3000);
which ought to give the user a good two days before he gets logged out. Yet from time to time a user still gets logged out, even if he has been active within the same minute already. I don’t really know when it’s happening and how to reproduce it, but I wondered if I might have missed something and whether other strategies might help to solve my issue.
As a webserver I’m using standard apache on Ubuntu 12.04 without any special configuration changes!
To allow this to work effectively you will do this in two parts. I can’t speak specifically to the component you are using, but I can provide a general theory of operation.
PHP sessions should never be considered something that will last long. They will be active while the user is on the site, but eventually cleaned up. So how do you get the user session to “never expire”?
When the user logs in, you will create a unique one time hash. This hash will be stored by the user as a cookie, and you should also reference it in your database (to the user that the hash is associated with).
This hash provides an alternative login path. If the user returns to the site and has no session, instead of directing them to the login page, you see if the user has the cookie. If they do, you can log them back in.
Now it’s important to only allow that hash to be used once. After the hash is used to create a session, you need to generate a new one and update the cookie and database with the new hash.
Some things to keep in mind:
- … not be something that can be easily forged.
- … database design.
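The one-time remember-me token flow the answer describes, written out as an added example in plain PHP. This is not the answerer's code and not CakePHP's own Auth or Cookie API; the `$db` array is an assumed stand-in for the users table, `random_bytes()` assumes PHP 7 or later, and the `setcookie()` call assumes an HTTPS deployment so the Secure flag can be set. Only the SHA-256 of the token is stored server-side, so a read of the database does not hand out usable cookies, and a presented token is valid exactly once before it is rotated.

```php
<?php
// Added example, not from the original answer or CakePHP.
// $db stands in for the users table: user id => currently valid token hash.
$db = array(
    42 => array('username' => 'alice', 'remember_hash' => null),
);

// Issue a fresh token for $userId. The raw value goes to the client;
// only its SHA-256 is persisted, so the database never holds a login secret.
function issue_token(array &$db, $userId)
{
    $raw = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG: not forgeable
    $db[$userId]['remember_hash'] = hash('sha256', $raw);
    return $raw;
}

// Cookie payload "<userId>:<rawToken>" so the lookup is by primary key,
// not by scanning every stored hash.
function cookie_value($userId, $raw)
{
    return $userId . ':' . $raw;
}

// Try to restore a login from the remember-me cookie when no session exists.
// Returns the rotated cookie value on success, or null when the cookie is
// absent, malformed, unknown, or already used.
function login_from_cookie(array &$db, $cookie)
{
    if ($cookie === null || strpos($cookie, ':') === false) {
        return null;
    }
    list($userId, $raw) = explode(':', $cookie, 2);
    if (!isset($db[$userId]) || $db[$userId]['remember_hash'] === null) {
        return null;
    }
    // Constant-time compare of the stored hash with the hash of what was presented
    if (!hash_equals($db[$userId]['remember_hash'], hash('sha256', $raw))) {
        return null;
    }
    // The token has now been used once: replace it immediately so a copy
    // of the old cookie cannot be replayed.
    $newRaw = issue_token($db, $userId);
    return cookie_value($userId, $newRaw);
}

// Deliver the cookie: long lifetime, Secure (HTTPS only) and HttpOnly so
// page scripts cannot read it.
function send_remember_cookie($value)
{
    setcookie('remember_me', $value, time() + 30 * 24 * 3600, '/', '', true, true);
}

// Walk-through with the constructed $db above:
$cookie = cookie_value(42, issue_token($db, 42));  // set at password login
$next   = login_from_cookie($db, $cookie);          // later visit, no session: succeeds, token rotated
$replay = login_from_cookie($db, $cookie);          // same old cookie presented again: rejected
// $next holds the new cookie value to send; $replay is null because the token was already consumed.
```

At the point where `$next` is returned, the application would also start the normal session for user 42 (in CakePHP 2 that is the `Auth->login()` step) and call `send_remember_cookie($next)` so the browser replaces the consumed token.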