Change 'remember me' for login from binary choice to custom interval

2025-08-05 15:47:25 +02:00 · 2016-12-04 17:05:57 +01:00
parent f486ab6763
commit 07732dcaa9
3 changed files with 38 additions and 11 deletions
--- a/README.md
+++ b/README.md
@@ -95,8 +95,17 @@ If you don't want to perform email verification, just omit the last parameter to
 ### Sign in an existing user (login)

 ```php
+if ($_POST['remember'] == 1) {
+    // keep logged in for one year
+    $rememberDuration = (int) (60 * 60 * 24 * 365.25);
+}
+else {
+    // do not keep logged in after session ends
+    $rememberDuration = null;
+}
+
 try {
-    $auth->login($_POST['email'], $_POST['password'], ($_POST['remember'] == 1));
+    $auth->login($_POST['email'], $_POST['password'], $rememberDuration);

    // user is logged in
 }
@@ -118,7 +127,7 @@ The third parameter controls whether the login is persistent with a long-lived c

 *Without* the persistent login, which is the *default* behavior, a user will only stay logged in until they close their browser, or as long as configured via `session.cookie_lifetime` and `session.gc_maxlifetime` in PHP.

-Set the third parameter to `false` to disable the feature. Otherwise, ask the user if they want to enable "remember me". This is usually done with a checkbox in your user interface. Use the input from that checkbox to decide between `false` and `true` here. This is optional and the default is `false`.
+Omit the third parameter or set it to `null` to disable the feature. Otherwise, ask the user if they want to enable "remember me". This is usually done with a checkbox in your user interface. Use the input from that checkbox to decide between `null` and a pre-defined duration in seconds here, e.g. `60 * 60 * 24 * 365.25` for one year.

 ### Perform email verification

--- a/src/Auth.php
+++ b/src/Auth.php
@@ -263,13 +263,13 @@ class Auth {
 	 *
 	 * @param string $email the user's email address
 	 * @param string $password the user's password
-	 * @param bool $remember whether to keep the user logged in ("remember me") or not
+	 * @param int|bool|null $rememberDuration (optional) the duration in seconds to keep the user logged in ("remember me"), e.g. `60 * 60 * 24 * 365.25` for one year
 	 * @throws InvalidEmailException if the email address was invalid or could not be found
 	 * @throws InvalidPasswordException if the password was invalid
 	 * @throws EmailNotVerifiedException if the email address has not been verified yet via confirmation email
 	 * @throws AuthError if an internal problem occurred (do *not* catch)
 	 */
-	public function login($email, $password, $remember = false) {
+	public function login($email, $password, $rememberDuration = null) {
 		$email = self::validateEmailAddress($email);
 		$password = self::validatePassword($password);

@@ -294,8 +294,16 @@ class Auth {
 				if ($userData['verified'] === 1) {
 					$this->onLoginSuccessful($userData['id'], $email, $userData['username'], false);

-					if ($remember) {
-						$this->createRememberDirective($userData['id']);
+					// continue to support the old parameter format
+					if ($rememberDuration === true) {
+						$rememberDuration = 60 * 60 * 24 * 28;
+					}
+					elseif ($rememberDuration === false) {
+						$rememberDuration = null;
+					}
+
+					if ($rememberDuration !== null) {
+						$this->createRememberDirective($userData['id'], $rememberDuration);
 					}

 					return;
@@ -365,13 +373,14 @@ class Auth {
 	 * Creates a new directive keeping the user logged in ("remember me")
 	 *
 	 * @param int $userId the user ID to keep signed in
+	 * @param int $duration the duration in seconds
 	 * @throws AuthError if an internal problem occurred (do *not* catch)
 	 */
-	private function createRememberDirective($userId) {
+	private function createRememberDirective($userId, $duration) {
 		$selector = self::createRandomString(24);
 		$token = self::createRandomString(32);
 		$tokenHashed = password_hash($token, PASSWORD_DEFAULT);
-		$expires = time() + 3600 * 24 * 28;
+		$expires = time() + ((int) $duration);

 		try {
 			$this->db->insert(
--- a/tests/index.php
+++ b/tests/index.php
@@ -38,8 +38,17 @@ function processRequestData(\Delight\Auth\Auth $auth) {
 	if (isset($_POST)) {
 		if (isset($_POST['action'])) {
 			if ($_POST['action'] === 'login') {
+				if ($_POST['remember'] == 1) {
+					// keep logged in for one year
+					$rememberDuration = (int) (60 * 60 * 24 * 365.25);
+				}
+				else {
+					// do not keep logged in after session ends
+					$rememberDuration = null;
+				}
+
 				try {
-					$auth->login($_POST['email'], $_POST['password'], ($_POST['remember'] == 1));
+					$auth->login($_POST['email'], $_POST['password'], $rememberDuration);

 					return 'ok';
 				}
@@ -248,8 +257,8 @@ function showGuestUserForm() {
 	echo '<input type="text" name="email" placeholder="Email" /> ';
 	echo '<input type="text" name="password" placeholder="Password" /> ';
 	echo '<select name="remember" size="1">';
-	echo '<option value="0">Remember (28 days)? — No</option>';
-	echo '<option value="1">Remember (28 days)? — Yes</option>';
+	echo '<option value="0">Remember (keep logged in)? — No</option>';
+	echo '<option value="1">Remember (keep logged in)? — Yes</option>';
 	echo '</select> ';
 	echo '<button type="submit">Login</button>';
 	echo '</form>';