delight-im / PHP-Auth

Authentication for PHP. Simple, lightweight and secure.
MIT License

isRemembered() always returns false #277

Open michhes opened 2 years ago

michhes commented 2 years ago

I'm new to PHP-Auth but love it--it's been so easy to integrate and the documentation is great! Thanks for all your work.

In my testing, I call login() with the third $rememberDuration parameter. I can see this is successful by inspecting the database and cookies. isLoggedIn() also returns true.

However, isRemembered() consistently returns false after logging in and I'm not sure why. From my understanding of the docs and source, this call should return true if the relevant session variable is set. Or, in other words, it should return true when the user checks the Remember Me box and is subsequently logged in by virtue of being remembered through the presence and value of the remember_xxx cookie.

Notably this:

var_dump((bool) $_SESSION['auth_remembered']);

consistently returns false (I confirm the array key exists and it is set).

Not sure if this is a question or a documentation enhancement request!

eypsilon commented 2 years ago

The remember_me cookie is not part of the session. You have to close your browser in order to get remembered. Or at least delete the current session.

ocram commented 2 years ago

However isRemembered() consistently returns false after logging in and I'm not sure why.

This is the intended behavior. Maybe the documentation needs to be improved, though.

From my understanding of the docs and source, this call should return true if the relevant session variable isset. Or, in other words, it should return true when the user checks the Remember Me box

No, this is actually a wrong understanding of its purpose. But, again, it may be the docs’ fault. A method for a scenario like this would perhaps be called wantsToBeRemembered() instead.

Or, in other words, it should return true when the user […] is subsequently logged in by virtue of being remembered through the presence and value of the remember_xxx cookie.

Yes, this is actually the intended purpose and behavior. Please note that this is different from what you described before.

The use case is actually the following: You want to know whether the user just authenticated directly, with their credentials present, or whether they authenticated a longer time ago and were just logged in implicitly via their “remember me” cookie. In the former case, you have stronger authentication. In the latter, you may want to re-authenticate.

Your other use case, i.e. determining whether the user wants to be remembered (later), could be implemented by simply checking for the presence of the “remember me” cookie.

Does that help?
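The two checks ocram distinguishes above, as an added example that is not part of the PHP-Auth project or of any comment in this thread: isRemembered() is used to decide whether a session that was restored from the "remember me" cookie is strong enough for a sensitive action, and "does the user want to be remembered" is answered by looking for the cookie itself. It assumes $auth is a \Delight\Auth\Auth instance built on a PDO connection (as in the project's README) and that isLoggedIn() and isRemembered() behave as described in the thread; the cookie-name prefix 'remember_' is a placeholder taken from the "remember_xxx" wording above, not a value the page confirms.

```php
<?php
// Added example, not the project's own code. Assumes a PHP-Auth instance created as in
// the README; the constructor call is left commented out so the file can be read stand-alone.

require_once __DIR__ . '/vendor/autoload.php';

// $db   = new \PDO('mysql:dbname=my-database;host=localhost;charset=utf8mb4', 'user', 'pass');
// $auth = new \Delight\Auth\Auth($db);

/**
 * Classify the current session for a sensitive action (e-mail change, payout, key rotation).
 * Returns 'anonymous' (not logged in), 'reauth' (logged in only via the remember-me cookie,
 * so credentials were presented a long time ago) or 'ok' (logged in with credentials this session).
 */
function authorizationLevelForSensitiveAction(\Delight\Auth\Auth $auth): string
{
    if (!$auth->isLoggedIn()) {
        return 'anonymous';
    }

    // The session exists only because the remember-me cookie restored it: weaker evidence
    // of who is at the keyboard, so ask for the password again before proceeding.
    if ($auth->isRemembered()) {
        return 'reauth';
    }

    return 'ok';
}

/**
 * "Does the user want to be remembered?" is not what isRemembered() answers; ocram suggests
 * checking for the presence of the remember-me cookie instead. The prefix is a placeholder
 * (hypothetical), since the thread only refers to the cookie as "remember_xxx".
 */
function userWantsToBeRemembered(array $cookies, string $cookieNamePrefix = 'remember_'): bool
{
    foreach ($cookies as $name => $value) {
        if (strncmp($name, $cookieNamePrefix, strlen($cookieNamePrefix)) === 0 && $value !== '') {
            return true;
        }
    }

    return false;
}

// Usage in the request handler of a sensitive endpoint:
//
// switch (authorizationLevelForSensitiveAction($auth)) {
//     case 'anonymous':
//         header('Location: /login');
//         exit;
//     case 'reauth':
//         // Send the user through the login form again, then back to this action.
//         header('Location: /login?reason=reconfirm&next=' . urlencode($_SERVER['REQUEST_URI']));
//         exit;
//     case 'ok':
//         // proceed with the sensitive action
//         break;
// }
//
// And when deciding whether to show a "you will stay signed in on this device" notice:
//
// if (userWantsToBeRemembered($_COOKIE)) { /* ... */ }
```

The point of the split is that isRemembered() is a property of how the current session came into being, not of the user's preference: right after a credential login it is false even when a remember duration was passed, and it only becomes true once a later request is authenticated by the cookie alone, which is exactly the case where stepping up to a fresh password check is worthwhile.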