What commit hash are you on?
latest, downloaded today (e47b492 I guess)
What CodeIgniter version are you using?
v3.1.13 (latest release)
What PHP version are you using?
7.2.31
Post your Ion Auth config below
Pretty much the default one with only some table-names changed.
Describe the bug
The logged_in() function doesn't take the value of $config['remember_users'] into account when checking for a "remember_me" cookie.
If you enable the "remember me" feature and a user logs in, he gets logged in the next time he visits your site, even if you set $config['remember_users'] to false in the meantime.
To Reproduce
Steps to reproduce the behavior:
1. set $config['sess_expiration'] to 0 in config.php
2. set $config['remember_users'] to true in ion_auth.php
3. log in to your site, with "Remember Me" enabled
4. close your browser
5. open your browser and open the site again -> you are logged in (which is correct at this point)
6. close your browser again
7. set $config['remember_users'] to false in ion_auth.php
8. open your browser and your site -> you are logged in - which should NOT happen
Expected behavior
The result of step 7 should be that the next time you visit the site, the "remember me" cookie is ignored and you're not logged in, even if a valid cookie exists.
I did a very quick test and it seems that this behaviour is caused by this bit of code in the logged_in() function:
// auto-login the user if they are remembered
if (!$recheck && get_cookie($this->config->item('remember_cookie_name', 'ion_auth')))
{
    $recheck = $this->ion_auth_model->login_remembered_user();
}
which only checks the name of the cookie but doesn't take into account if $config['remember_users'] is true or false. IMHO the code should look like this:
// auto-login the user if they are remembered
if (!$recheck && ($this->config->item('remember_users', 'ion_auth')) && get_cookie($this->config->item('remember_cookie_name', 'ion_auth')))
{
    $recheck = $this->ion_auth_model->login_remembered_user();
}
Which branch are you using? 3
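Added example, not part of the original report and not Ion Auth's code: a stand-alone PHP model of the two checks quoted above, run over constructed cases, to show which outcomes the extra remember_users condition changes. The function names, the token constant and the assumption that $recheck starts out as "session still valid" are hypothetical stand-ins for the library's session, cookie and database handling.

```php
<?php
// Added illustration, not Ion Auth code. Function names, parameters and the
// token value are hypothetical stand-ins for the config, cookie and DB lookup.

const STORED_TOKEN = 'constructed-token-123'; // constructed sample value

function token_is_valid(?string $cookie): bool
{
    return $cookie !== null && hash_equals(STORED_TOKEN, $cookie);
}

// Check as quoted in the report: cookie presence alone opens the remember-me
// path; $rememberUsers is deliberately never consulted.
function logged_in_reported(bool $rememberUsers, bool $sessionValid, ?string $cookie): bool
{
    $recheck = $sessionValid; // assumption: result of the session check
    if (!$recheck && $cookie !== null) {
        $recheck = token_is_valid($cookie);
    }
    return $recheck;
}

// Check as proposed in the report: the remember-me path also requires the setting.
function logged_in_gated(bool $rememberUsers, bool $sessionValid, ?string $cookie): bool
{
    $recheck = $sessionValid; // assumption: result of the session check
    if (!$recheck && $rememberUsers && $cookie !== null) {
        $recheck = token_is_valid($cookie);
    }
    return $recheck;
}

// Constructed cases: [label, remember_users, session valid, cookie, expected]
$cases = [
    ['feature on, browser reopened',         true,  false, STORED_TOKEN, true],
    ['feature turned off, old cookie sent',  false, false, STORED_TOKEN, false],
    ['feature off, session still active',    false, true,  STORED_TOKEN, true],
    ['feature on, unknown cookie value',     true,  false, 'bogus',      false],
    ['feature on, no cookie',                true,  false, null,         false],
];

$failures = 0;
foreach ($cases as [$label, $remember, $session, $cookie, $expected]) {
    $old = logged_in_reported($remember, $session, $cookie);
    $new = logged_in_gated($remember, $session, $cookie);
    $failures += ($new !== $expected) ? 1 : 0;
    printf("%-38s reported=%-5s gated=%-5s expected=%s\n", $label,
        var_export($old, true), var_export($new, true), var_export($expected, true));
}
exit($failures === 0 ? 0 : 1);
```

Only the second case differs between the two variants. The third case shows that the gate affects auto-login only: a session that is still active when the setting is switched off remains logged in until it ends.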