Thread

Not sure if it’s a bug or desired behaviour, but the remember me feature is not working properly for me when using this function across multiple computers/browsers.

As far as I could trace it, the cookie is set upon login and at the same time the same key is stored in the database. If I log in with another browser and ask it to remember me as well, the same thing happens rendering the first remember me cookie (in the other browser) useless since it does not correspond to the new key in the database anymore and requiring me to log in again after the session expires.

This only occurred after upgrading to 2.2.1, it worked fine when I was on 2.1.4. I’m using my site from many different locations during the day (home/work/laptop plus different browsers during development/testing) and find it rather annoying having to log in every time, several times a day.

Have I overlooked any (new) configuration properties that would fix my problem? Or is this indeed a bug and should be reported as such? Or will I need to create a custom login method for myself in order to have this feature working across multiple browsers?

Hey planespotter,

Welcome to the forums!

Since the “Remember Me” feature makes use of a browser’s cookies in order to keep you logged in, it will necessarily only work if you continue to use the same browser. Browsers manage their own sessions anyway, so if I log in right now to my EE site on Safari and then move over to Chrome, Chrome wouldn’t see me as logged in.

When you say, “multiple browsers” are you just referring to separate browser windows or actually different browsers?

I’m referring to actually different browsers, not browser windows, for example Firefox and Chrome. Of course, they are not aware of sessions in the other browser but the “Remember me” feature is something I expect to work on any machine/browser once the cookie is set. Like mentioned above, the remember me key is re-generated on every log in, so any previously set remember me cookies in different browsers will loose their purpose.

To be honest, I do not see any sense in re-generating the key on every login if there is already one set in the database for the user. So for my purpose, I fixed the system/expressionengine/libraries/Auth.php around line 595 by adding a simple check:

if ($this->member('remember_me'))
{
    $remember = $this->member('remember_me');
}
else
{
    $remember = $this->EE->functions->random('unique', 32);
}

It’s working well for me so far but surely not the most future-proof way to do it.

That’s definitely not expected behavior, and you shouldn’t require that hack. (And like you said, hacking the core makes it difficult to upgrade later.)

I’m unable to reproduce the problem on my end, so be on the lookout for an email from me. I’ll need you to remove that hack before I login, too.

Thanks!

Thank you, that is awesome support!

Removed the hack, so feel free to dig around.

Edit: Just to clarify, the session in another browser is not instantly terminated when I log in from a second browser. Just the remember me cookie in each browser holds a different key while the remember_me column in the members table in the database saves only the last generated key. So you will only need to log in again from the first browser after the session has timed out. Could be reproduced by manually deleting the session data from the database, thus forcing the session class to fallback to the remember me cookie which will fail to retrieve the member data due to the key inconsistency as mentioned above.

Ah, thanks for the second explanation. I see what you’re talking about now.

Since the DB just stores a single “remember me” code, anytime that code is regenerated (through a new login on a new browser or whatnot), the “remember me” code stored in the cookies set by all other browser will no longer match up. So yes, you’ve identified exactly why it doesn’t behave the way you’d like, but unfortunately, that is the expected behavior.

I can totally see your point though, so I’d recommend posting it as a Feature Request for a more long term solution. If you’d like to hack the core for now, that works, but just be aware that we can’t support systems that hack the core, and any upgrades applied to your system will probably break the hack.

That’s a good looking solution, though! I’d link to it from the Feature Request post, since the devs might be willing to just pull that into the core!

Thank you for clearing that up that it is indeed the intended behaviour. Will keep my hack for now though and keep an eye on it when updating in the future.

I created a feature request as suggested which can be found here http://ellislab.com/forums/viewthread/195348/ Came across a few more issues that might be good to fix. As stated there, I would be happy to assist.

Awesome, thanks so much! This kind of input and effort is why the EE community is so wonderful. I’ll make sure the developers see it!

Is it alright with you if I close this thread up?

Sure, go ahead. Certainly solved for now.

Closing. Feel free to start a new thread if you have any more questions.