Question posted in 
I am working on an online newspaper/blogging application with CodeIgniter 3.1.8 and Twitter Bootstrap 4. The application, of course, has a login and registration system.
I am currently working on adding a "remember me" functionality to the login form.
In applicationviewsauthlogin.php I have:
<?php echo form_open(base_url('login/login')); ?>
<div class="form-group <?php if(form_error('email')) echo 'has-error';?>">
<input type="text" name="email" id="email" value="<?php if(isset($_COOKIE['userEmail'])) { echo $_COOKIE['userEmail']; } ?>" class="form-control" placeholder="Email">
<?php if(form_error('email')) echo form_error('email'); ?>
</div>
<div class="form-group <?php if(form_error('password')) echo 'has-error';?>">
<input type="password" name="password" id="password" value="<?php if(isset($_COOKIE['userPassword'])) { echo $_COOKIE['userPassword']; } ?>" class="form-control" placeholder="Password">
<?php if(form_error('password')) echo form_error('password'); ?>
</div>
<div class="form-group remember-me">
<input type="checkbox" name="remember_me" value="true" id="remember_me">
<span class="text text-muted">Remember me</span>
</div>
<div class="form-group">
<input type="submit" value="Login" class="btn btn-block btn-md btn-success">
</div>
<?php echo form_close(); ?>
In the controller (applicationcontrollersLogin.php), I have:
public function login() {
$this->form_validation->set_rules('email', 'Email', 'required|trim|valid_email');
$this->form_validation->set_rules('password', 'Password', 'required|trim');
$this->form_validation->set_error_delimiters('<p class="error-message">', '</p>');
if ($this->form_validation->run()) {
$email = $this->input->post('email');
$password = $this->input->post('password');
$this->load->model('Usermodel');
$current_user = $this->Usermodel->user_login($email, $password);
// If we find a user
if ($current_user) {
// If the user found is active
if ($current_user->active == 1) {
$this->session->set_userdata(
array(
'user_id' => $current_user->id,
'user_email' => $current_user->email,
'user_avatar' => $current_user->avatar,
'user_first_name' => $current_user->first_name,
'user_is_admin' => $current_user->is_admin,
'user_active' => $current_user->active,
'is_logged_in' => TRUE
)
);
// Remember me
if (!empty($this->input->post('remember_me'))) {
setcookie ('userEmail', $email, time() + (7 * 24 * 3600));
setcookie ('userPassword', $password, time() + (7 * 24 * 3600));
} else {
setcookie ('userEmail', '');
setcookie ('userPassword','');
}
// After login, display flash message
$this->session->set_flashdata('user_signin', 'You have signed in');
//and redirect to the posts page
redirect('/dashboard');
} else {
// If the user found is NOT active
$this->session->set_flashdata("login_failure_activation", "Your account has not been activated yet.");
redirect('login');
}
} else {
// If we do NOT find a user
$this->session->set_flashdata("login_failure_incorrect", "Incorrect email or password.");
redirect('login');
}
}
else {
$this->index();
}
}
The problem
For a reason I have been unable to spot, even when the remember_me checkbox is NOT checked, the login credentials are still remembered.
UPDATE
I went to applicationconfigconfig.php and replaced $config['sess_expiration'] = 7200 width:
$config['sess_expiration'] = 0;
As a result, the remembering does not happen anymore.
Where is my mistake?
3
Answers
In your authentication checking script check the cookie expiration time too, once expired clear the session variables.
Are you testing with Chrome? I think Chrome remembers the logged in state anyway (you’re still logged in after closing and re-opening the browser), while other browsers, like Firefox, will lose the cookie on re-opening.
You can also test this here: https://demo.fleio.com/