Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

isRemembered( ) always returns false #277

Open
michhes opened this issue May 10, 2022 · 2 comments
Open

isRemembered( ) always returns false #277

michhes opened this issue May 10, 2022 · 2 comments
Labels

Comments

@michhes
Copy link

michhes commented May 10, 2022

I'm new to PHP-Auth but love it--it's been so easy to integrate and the documentation is great! Thanks for all your work.

In my testing, I call login() with the third $rememberDuration parameter. I can see this is successful by inspecting the database and cookies. isLoggedIn() also returns true.

However isRemembered() consistently returns false after logging in and I'm not sure why. From my understanding of the docs and source, this call should return true if the relevant session variable isset. Or, in other words, it should return true when the user checks the Remember Me box and is subsequently logged in by virtue of being remembered through the presence and value of the remember_xxx cookie.

Notably this:

var_dump((bool) $_SESSION['auth_remembered']);

consistently returns false (I confirm the array key exists and it isset).

Not sure if this is a question or a documentation enhancement request!

@eypsilon
Copy link

The remember_me Cookie is not part of the Session. You've to close your browser in order to get remembered. Or at least delete the current Session.

@ocram ocram added the question label May 10, 2022
@ocram
Copy link
Contributor

ocram commented May 10, 2022

However isRemembered() consistently returns false after logging in and I'm not sure why.

This is the intended behavior. Maybe the documentation needs to be improved, though.

From my understanding of the docs and source, this call should return true if the relevant session variable isset. Or, in other words, it should return true when the user checks the Remember Me box

No, this is actually a wrong understanding of its purpose. But, again, it may be the docs’ fault. A method for a scenario like this would perhaps be called wantsToBeRemembered() instead.

Or, in other words, it should return true when the user […] is subsequently logged in by virtue of being remembered through the presence and value of the remember_xxx cookie.

Yes, this is actually the intended purpose and behavior. Please note that this is different from what you described before.

The use case is actually the following: You want to know whether the user just authenticated directly, with their credentials present, or whether they authenticated a longer time ago and were just logged in implicitly via their “remember me” cookie. In the former case, you have stronger authentication. In the latter, you may want to re-authenticate.

Your other use case, i.e. determining whether the user wants to be remembered (later), could be implemented by simply checking for the presence of the “remember me” cookie.

Does that help?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants