goalio / GoalioRememberMe

A Zend Framework 2 (ZF2) Module offering remember me functionality to ZfcUser
BSD 3-Clause "New" or "Revised" License

Cookies not set or deleted by the browser leads to orphans in database #20

Open peuh opened 10 years ago

peuh commented 10 years ago

Hi All,

On some occasions the cookie is not set on the client browser (e.g., on Chrome when the domain doesn't have a TLD part; leaving the domain empty solves the issue); on other occasions the cookie is deleted by the browser itself (expired cookie, browsing data set to be cleared on browser exit...).

In such situations, the matching object in the db will never be deleted, soon leaving a lot of orphans in the rememberme table (which will keep growing over time...).

I think you should add the expiration date of the cookie to the RememberMe entity. Then, it would be easy to have a cron job or a db function running every day to remove the expired rows.

My 2 cents :-)

PS1: btw, for consistency reasons and to avoid issues linked to the domain, I think the removeCookie function of the rememberme service should be modified from:

setcookie("remember_me", "", time() - 3600, '/');

to

setcookie("remember_me", "", time() - 3600, '/', $cookieDomain, null, true);

PS2: What's the purpose of requesting the remember entity from the mapper in RememberMeService::updateSerie? There is no modification of the object between when we request it in CookieAdapter::authenticate and when we pass it as a parameter of the updateSerie function. Am I missing something or is it a useless call to the db?
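The expiry-date suggestion from the issue above, as an added example (not code from GoalioRememberMe or from the issue's author): each row stores its own expiry, the lookup ignores rows past it so an orphaned token is unusable even before cleanup, and a purge function is what the daily cron job would call. The table name `user_remember_me`, its columns, the function names and the 30-day lifetime are assumptions; the demo uses an in-memory SQLite database.

```php
<?php
// Added example: schema, names and lifetime are assumptions, not the module's own.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_remember_me (
    sid TEXT NOT NULL, token TEXT NOT NULL, user_id INTEGER NOT NULL,
    expires_at INTEGER NOT NULL, PRIMARY KEY (sid, token, user_id))');

const REMEMBER_ME_LIFETIME = 2592000; // 30 days in seconds (constructed value)

// Store the same expiry on the row that is sent to the browser with the cookie.
function createSerie(PDO $pdo, int $userId, int $now): array
{
    $row = [
        'sid' => bin2hex(random_bytes(16)),
        'token' => bin2hex(random_bytes(16)),
        'user_id' => $userId,
        'expires_at' => $now + REMEMBER_ME_LIFETIME,
    ];
    $pdo->prepare('INSERT INTO user_remember_me (sid, token, user_id, expires_at)
                   VALUES (:sid, :token, :user_id, :expires_at)')->execute($row);
    return $row;
}

// Authentication lookup: a row past its expiry is treated as if it did not exist.
function findValidSerie(PDO $pdo, int $userId, string $sid, int $now): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM user_remember_me
        WHERE user_id = :user_id AND sid = :sid AND expires_at > :now');
    $stmt->execute(['user_id' => $userId, 'sid' => $sid, 'now' => $now]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Entry point for the daily cron job: delete expired rows, return how many went.
function purgeExpired(PDO $pdo, int $now): int
{
    $stmt = $pdo->prepare('DELETE FROM user_remember_me WHERE expires_at <= :now');
    $stmt->execute(['now' => $now]);
    return $stmt->rowCount();
}

// Constructed demo: one live row, one orphan whose cookie never reached the browser.
$now = time();
$live = createSerie($pdo, 1, $now);
$orphan = createSerie($pdo, 2, $now - REMEMBER_ME_LIFETIME - 86400);
var_dump(findValidSerie($pdo, 2, $orphan['sid'], $now) === null);
echo purgeExpired($pdo, $now), " expired row(s) removed\n";
```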