Why Remember Me

Remember me isn’t just a standard set a cookie and run with it type persistent login handler. Instead remember me uses salted tokens alongside the user’s auto login cookie to protect against session hijacking. The basic gist of the cycle is that a user is given a cookie with a unique set of authentication tokens. When a new login is made these tokens change, and if the user who presents a cookie to renew a session does no longer comply with these tokens, they’re denied and all cookies and sessions are flushed out!

What is different from this plugin to that of the others I find on google? Well RememberMe is secure, as secure as the word can be when written on the internet. It uses a token for its authenticity which is salted to ensure no cookie hijacking is possible. It is also extremely easy to set up. Just clone the plugin, add it to your app controller, add in one line to your login method and add a checkbox to your form. You’ll then have tasty cookies remembering your authenticated users with extremely minimal risk of cookie hijacking.

Installing Remember Me

First watch this. Now install Remember me as a plugin through GitHub:

Github: https://github.com/voidet/remember_me

cd myapp
git clone git://github.com/voidet/remember_me.git remember_me

or if you’re using submodules which you should be:

cd myapp
git submodule add git://github.com/voidet/remember_me.git app/plugins/remember_me
git submodule init
git submodule update

You will also need to add two fields in your database that you use for user auth. The default names are token and token_salt. You can override which is shown in the next section.

From there it is a matter of adding it into your controller and ensuring you have your form fields linked up to what RememberMe is listening for.

Adding Remember Me to your application

Firstly you will need to add RememberMe to your controller, probably best to do this in app_controller.php so it is fired on all pages that use it:

var $components = array('RememberMe.RememberMe');

After that you will need to tell RememberMe what form field you are using to activate the remember me function (like the name of a checkbox on a login screen that asks you if you want to be remembered for a while). The default is “remember_me” but if you want to change it you could do something like:

var $components = array('RememberMe.RememberMe' => array('field_name' => 'i_am_so_custom_it_hurts');

Now add this field into your form and once posted you can set up the RememberMe cookie! Like:

function members_login() {
    if ($this->Auth->user()) {
        if (!empty($this->data)) {
            $this->RememberMe->setRememberMe($this->data[$this->Member->alias]);
        }
        $this->redirect($this->Auth->loginRedirect);
    }
}

Of course this is an example. If you’re using auth remember to disable autoRedirect otherwise this action won’t be fired.

Refresh my Cookie!

A built in method comes with RememberMe. It is used to refresh the contents of the AuthCookie on page load, so it has the longest lifetime it can (without going outside the bounds of inactivity (which you set as a cookie setting)). To do so simply call:

if ($this->params['action'] != 'members_logout') {
        $this->RememberMe->checkUser();
    }

This will refresh the cookie and log the user in if there is no Session available. Of course you don’t want to run this on logout methods, as you won’t be logged out!

Feedback

If you feel this plugin is missing something I would love to hear what you would like me to add in! But otherwise enjoy and please leave some feedback