@@ -8,10 +8,7 @@ Once a user is authenticated, their credentials are typically stored in the
88session. This means that when the session ends they will be logged out and
99have to provide their login details again next time they wish to access the
1010application. You can allow users to choose to stay logged in for longer than
11- the session lasts using a cookie with the ``remember_me `` firewall option.
12- The firewall needs to have a secret key configured, which is used to encrypt
13- the cookie's content. It also has several options with default values which
14- are shown here:
11+ the session lasts using a cookie with the ``remember_me `` firewall option:
1512
1613.. configuration-block ::
1714
@@ -22,9 +19,8 @@ are shown here:
2219 main :
2320 remember_me :
2421 key : " %secret%"
25- lifetime : 31536000 # 365 days in seconds
22+ lifetime : 604800 # 1 week in seconds
2623 path : /
27- domain : ~ # Defaults to the current domain from $_SERVER
2824
2925code-block :: xml
3026
@@ -33,9 +29,8 @@ are shown here:
3329 <firewall >
3430 <remember-me
3531 key = " %secret%"
36- lifetime = " 31536000 " 365 days in seconds -->
32+ lifetime = " 604800 " 1 week in seconds -->
3733 path = "/"
38- domain = "" <!-- Defaults to the current domain from $_SERVER -->
3934 />
4035 </firewall >
4136 </config >
@@ -48,14 +43,56 @@ are shown here:
4843 'main' => array(
4944 'remember_me' => array(
5045 'key' => '%secret%',
51- 'lifetime' => 31536000 , // 365 days in seconds
46+ 'lifetime' => 604800 , // 1 week in seconds
5247 'path' => '/',
53- 'domain' => '', // Defaults to the current domain from $_SERVER
5448 ),
5549 ),
5650 ),
5751 ));
5852
53+ remember_me `` firewall defines the following configuration options:
54+
55+ ``name ``
56+ (default value: ``REMEMBERME ``) The name of the cookie used to maintain the
57+ user logged in. If you enable the "Remember Me" feature in several firewalls
58+ of the same application, make sure to choose a different name for the cookie
59+ of each firewall. Otherwise, you'll face lots of security related problems.
60+
61+ ``lifetime ``
62+ (default value: ``31536000 ``) The number of seconds during which the user
63+ will remain logged in. By default users are logged in for one year.
64+
65+ ``path ``
66+ (default value: ``/ ``) The path where the cookie associated with this
67+ feature is used. By default the cookie will be applied to the entire website
68+ but you can restrict to a specific section (e.g. ``/forum ``, ``/admin ``).
69+
70+ ``domain ``
71+ (default value: ``null ``) The domain where the cookie associated with this
72+ feature is used. By default cookies use the current domain obtained from
73+ ``$_SERVER ``.
74+
75+ ``secure ``
76+ (default value: ``false ``) If ``true ``, the cookie associated with this
77+ feature is sent to the user through an HTTPS secure connection.
78+
79+ ``httponly ``
80+ (default value: ``true ``) If ``true ``, the cookie associated with this
81+ feature is sent to the user exclusively through an HTTP non-secure connection.
82+
83+ ``remember_me_parameter ``
84+ (default value: ``_remember_me ``) The name of the form field checked to
85+ decide if the "Remember Me" feature should be enabled or not. Keep reading
86+ this article to know how to enable this feature conditionally.
87+
88+ ``always_remember_me ``
89+ (default value: ``false ``) If ``true ``, the value of the ``remember_me_parameter ``
90+ is ignored and the "Remember Me" feature is always enabled, regardless of the
91+ desire of the end user.
92+
93+ Forcing the User to Opt-Out of the Remember Me Feature
94+ ------------------------------------------------------
95+
5996It's a good idea to provide the user with the option to use or not use the
6097remember me functionality, as it will not always be appropriate. The usual
6198way of doing this is to add a checkbox to the login form. By giving the checkbox
0 commit comments