Persistent Login module provides secure "Remember Me" functionality

I released the Persistent Login module version 1.1 for Drupal 4.7 and 5 today. The module provides the common "Remember Me" checkbox on the Drupal login block and page. Using Persistent Login is a substantially more secure method of allowing users to remain logged in across browser sessions than is having a long-life PHPSESSID cookie.

As is documented in the README.txt, after installing Persistent Login, for maximum security edit your settings.php file so PHP session cookies have a lifetime of the browser session:

    ini_set('session.cookie_lifetime',  0);

Also visit admin >> settings >> persistent_login to set how long persistent sessions should last and which pages users cannot access without a password-based login (by default, users must provide a password to visit any profile editing page, an E-Commerce module shopping cart, or the Persistent Login administrator settings).

For details on how Persistent Login works, read Improved Persistent Login Cookie Best Practice.

If you have an opinion about whether drupal.org, groups.drupal.org, and other official Drupal sites should use Persistent Login, please vote on it.
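The series-and-login-token scheme that the linked article describes, sketched as an added example (this is not the Persistent Login module's code). It assumes an in-memory array in place of the persistent_login table, hypothetical function names, and a choice made here to store the token hashed.

```php
<?php
// Added illustration, not the Persistent Login module's code. $store is an
// in-memory stand-in for the persistent_login table, keyed by "uid:series";
// the pl_* function names are hypothetical.

function pl_issue(array &$store, int $uid, ?string $series = null): string {
    $series = $series ?? bin2hex(random_bytes(16)); // fixed for the life of this login
    $token  = bin2hex(random_bytes(16));            // replaced on every use
    // Storing only a hash is a choice of this example: a leaked table
    // cannot then be replayed as cookies.
    $store["$uid:$series"] = hash('sha256', $token);
    return "$uid:$series:$token";                   // cookie value
}

function pl_check(array &$store, string $cookie): array {
    $parts = explode(':', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[0])) {
        return ['status' => 'invalid', 'cookie' => null];
    }
    [$uid, $series, $token] = $parts;
    $key = "$uid:$series";
    if (!isset($store[$key])) {
        return ['status' => 'invalid', 'cookie' => null]; // unknown or expired series
    }
    if (!hash_equals($store[$key], hash('sha256', $token))) {
        // Known series but stale token: the cookie was already used elsewhere.
        // Treat it as theft and drop every persistent login for this user.
        foreach (array_keys($store) as $k) {
            if (strpos($k, "$uid:") === 0) {
                unset($store[$k]);
            }
        }
        return ['status' => 'theft', 'cookie' => null];
    }
    // Valid: rotate the token, keep the series. The caller would start a fresh
    // PHP session here and mark it as not password-authenticated.
    return ['status' => 'ok', 'cookie' => pl_issue($store, (int) $uid, $series)];
}

// Constructed walk-through with a made-up uid.
$store  = [];
$first  = pl_issue($store, 7);                 // user ticks "Remember Me"
$return = pl_check($store, $first);            // browser comes back: token rotated
$replay = pl_check($store, $first);            // old cookie presented again
$after  = pl_check($store, $return['cookie']); // series was wiped by the theft check
printf("%s %s %s\n", $return['status'], $replay['status'], $after['status']);
```

Because each cookie value is good for one use, a copied cookie either fails outright or trips the theft branch the next time the other party presents it, unlike a long-life PHPSESSID.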

Comments

You might want to talk to

You might want to talk to some folks about the impact of keeping sessions on the infrastructure before you advocate and campaign for its use on drupal.org.

The impact is one row in a

The impact is one row in a table (~80 bytes of data) per persistent login and the invocation of PL's hook_init once per PHPSESSID session. persistent_login_init() performs one SELECT query with a single inner join between the users and persistent_login table. In short, the performance impact is really minimal.

PL does not require "keeping sessions" in the sense of serialized $_SESSION rows in the sessions table. In fact, part of the point is that the PHP sessions can and should have a much shorter lifetime with PL than without it.

Can we alter it to only fill

Can we alter it to only fill the User Name and Password blocks without directly logging in to the site?

Chandra

Yes, no, and maybe. :-) The

Yes, no, and maybe. :-)

The user name field is easy and safe to pre-fill in. Filling in the password field with the user's password would require (a) that Drupal has a plaintext copy of the user's password, which it does not and (b) that it transmit that password over the net as part of a web page, which it would never do even if it did have a plaintext copy.

However, it occurs to me that we could pre-fill the password box with an unguessable one-time password with a very limited timeout and restricted to the IP address from which it was requested. Actually, this one-time password would be little different than the combination of the series and login token that PL already assigns. I'll think about it.

Hello, Could you explain me

Hello,

Could you explain to me how to be permanently logged in to my Drupal websites, as I am the only user?

For example, you are speaking about a long-life PHPSESSID cookie; maybe this solution would be easier for me to use than installing your Persistent Login module on all my websites? But I don't know how to do it.

Thanks a lot.

The simplest way is to have

The simplest way is to have your PHP session last forever. In settings.php, the line:

<?php
// Lifetime of the PHP session cookie, in seconds.
ini_set('session.cookie_lifetime', 2000000);
?>

controls session lifetime. Change 2000000 to a larger number. 31536000 seconds is one year. Note that if someone steals your PHP session cookie, they will be able to use it for that long (unless you manually log out of Drupal). Persistent Login prevents that.

Hello! Thank you, but

Hello!

Thank you, but finally after trying your solution I installed your Persistent login module but the session doesn't last forever even though I set the parameter to 0 (Days to remember the user).

Is it because I didn't also set the "session.cookie_lifetime PHP setting" to 0?

I get the message:
Your site's session.cookie_lifetime PHP setting is 10512000. When using Persistent Login, it should be 0 so that PHP sessions end when the user closes his/her browser. You can change this setting by editing sites/default/settings.php.

But I don't want the session to end, so should I set it to 0 anyway?

Thanks a lot!

Setting cookie_lifetime to 0

Setting cookie_lifetime to 0 causes the Drupal session to end as soon as the user closes the web browser (technically, the session still exists in the db but the browser no longer has the session cookie).

Persistent Login causes a new Drupal session to be created when the user returns to the site.

So, you can set your cookie_lifetime to be as large or small as you want, but if Persistent Login is enabled, the session will be regenerated whenever necessary.

I am trying to use the

I am trying to use the Drupal 6 version, which obviously needs updating according to the last patch released in the issue queue. However, it is not appearing in the default Drupal login block, only on the actual /user/login page.

I agree

I agree
