Remembering users between authentication sessions


Added by Steven Grimm, last edited by David HM Spector on May 05, 2007

By default, RIFE sessions expire after 20 minutes of inactivity. Rather than requiring users to supply their passwords again after their sessions expire, it is possible to remember the user's identity via a persistent cookie. Setting it up is simple. But first, a little explanation of how it works.

When a new session is started and the "remember me" option is activated (generally by the user selecting an option on the login form), RIFE generates a pseudorandom string called a "remember ID". The remember ID is stored in a database table (authremember by default) along with the user ID and some bookkeeping information. The remember ID is sent to the user's browser as a cookie (rememberid by default) with a 3-month expiration time.

Later on, when the user's session has expired and the user hits a restricted page again, the authentication element sees the rememberid cookie and looks up that ID in the authremember table. If it's there, a new session is started and a new rememberid cookie is sent to the user's browser.

From the user's point of view, they are still logged into the site, but on the server, a brand-new session has been created. This has one important implication: any stored data that is tied to the authentication session ID will be lost. Your code will need to account for that possibility.

The authentication element

The first thing you need to do is declare the cookie that will be used to hold the user's identity. This is done in the authentication element. You need to declare the cookie as both an input and an output. If you're using database users, this will look something like:

authentication element
<element id="AuthMember" extends="rife/authenticated/database.xml">
    <property name="password_encryption">SHA</property>
    <property name="template_name">authentication.login</property>
    <property name="role">member</property>
    <property name="authvar_type">cookie</property>
    <property name="datasource"><datasource>postgresql</datasource></property>

    <!-- you can specify your own cookie name; this property is optional. -->
    <property name="remembervar_name">rememberid</property>

    <submission name="credentials" scope="global">
        <param name="login"/>
        <param name="password"/>
        <param name="remember"/>
    </submission>

    <childtrigger name="authid"/>
    <incookie name="rememberid"/>
    <outcookie name="rememberid"/>
</element>

There is one other thing of note about that declaration: the remember parameter in the credentials submission. That parameter must be present or the authentication element will not create a new remember ID.

The logout element

If you have a logout element on your site, you will need to let it clear out the remember ID too. It will delete the ID from the database and delete the user's cookie as well (as specified by listing the outcookie in the element). In effect, explicitly logging out says "don't remember me any more."

logout element
<element id="Logout" file="rife/logout/passthrough/database.xml" url="logout">
    <flowlink srcexit="logged_out" destid="HomePage"/>
    <incookie name="rememberid"/>
    <outcookie name="rememberid"/>
</element>

Prohibiting remember access

It is recommended not to allow users to access sensitive data or to perform payments if they are authenticated through remembered credentials. You can enforce this by creating another authentication element and setting the 'prohibit_remember' property to true, like this:

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE element SYSTEM "/dtd/element.dtd">
<element extends="rife/authenticated/database.xml">
    <!-- ... same as above ... -->
    <property name="prohibit_remember">true</property>
</element>
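A compact model of the remember-ID lifecycle described above (login with the remember option, resumption from the cookie once the session has expired, logout, and an element with prohibit_remember), written here as an added Python example rather than RIFE's own Java code. The store, session and function names are hypothetical, the in-memory table is constructed for the example, and retiring a remember ID once it has been redeemed is this model's choice, which the page does not state about RIFE.

```python
import secrets
import time

REMEMBER_TTL = 90 * 24 * 3600  # the 3-month cookie lifetime described above


class RememberStore:
    """Models the authremember table: remember ID -> (user ID, expiry time)."""
    def __init__(self, now=time.time):
        self.rows = {}  # constructed in-memory stand-in for the database table
        self.now = now  # injectable clock so expiry can be exercised

    def create(self, user_id):
        rid = secrets.token_urlsafe(32)  # unguessable remember ID
        self.rows[rid] = (user_id, self.now() + REMEMBER_TTL)
        return rid

    def redeem(self, rid):
        """Look up a presented cookie value; on success retire it and issue a new
        one. Returns (user_id, new_rid), or None if unknown or past its expiry."""
        row = self.rows.pop(rid, None)  # one-shot use is this model's choice
        if row is None or self.now() > row[1]:
            return None
        return row[0], self.create(row[0])

    def forget(self, rid):
        """Logout: delete the row, as the logout element does for the cookie it sees."""
        self.rows.pop(rid, None)


class Session:
    def __init__(self, user_id, remembered):
        self.user_id = user_id
        self.remembered = remembered  # True when created from a remember ID
        self.data = {}  # per-session data; a resumed session starts empty


def login(store, user_id, remember):
    """Credentials form submitted; 'remember' is the checkbox parameter."""
    return Session(user_id, False), (store.create(user_id) if remember else None)


def resume(store, rid):
    """Expired session, rememberid cookie present: new session and new cookie."""
    hit = store.redeem(rid)
    if hit is None:
        return None, None
    return Session(hit[0], True), hit[1]


def allowed(session, prohibit_remember):
    """Access check; an element with prohibit_remember refuses remembered sessions."""
    return session is not None and not (prohibit_remember and session.remembered)
```

The data-loss point from the explanation shows up as the empty `data` dict on a resumed session: anything keyed to the old session ID is gone.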

The login form

Remembering the user requires that your login form has an input called "remember". This can be a hidden field if you want to always remember users (not very secure, but perhaps appropriate for intranet sites) or, more typically, a checkbox. A simple login form template might look like this:

authentication/login.html
<form name="credentials" action="<r:v name="SUBMISSION:FORM:credentials"/>" method="post">
    <r:v name="SUBMISSION:PARAMS:credentials"/>
    Login: <r:v name="FORM:INPUT:login"/><br/>
    Password: <r:v name="FORM:SECRET:password"/><br/>
    Remember me? <r:v name="FORM:CHECKBOX:remember">value="true"</r:v><br/>
    <input type="submit" value="Login" />
</form>

Installing the database table

Finally, you need to make sure the authremember table is present in your database. The easiest way to do that is to let the DatabaseRememberManager install it for you. Put this in a Deployer class (see Creating tables):

try {
    DatabaseRememberFactory.getInstance(dataSource).install();
} catch (DatabaseException e) {
    // usually just "table already exists"; log a debug message if you like
} catch (RememberManagerException e) {
    // also usually harmless; log a message here too if you like
}

That's all there is to it!

Version

Since RIFE 0.7.2
