Remember me #17

Open
LorenzBischof opened this issue Mar 29, 2015 · 1 comment

@LorenzBischof

Hello,
After investigating how to build persistent session storage I came across this:
http://framework.zend.com/manual/1.12/en/zend.session.global_session_management.html#zend.session.global_session_management.rememberme
Is this secure? Wouldn't it be better to store a hash in a cookie and authenticate with that? I am reluctant to build this myself because there are so many security issues that I would need to be aware of.

What are your thoughts on this?

Thanks

@jeremykendall
Owner

Not a security threat, IMO, as long as you're not adding sensitive information in client side cookies. `` is an excellent tool for helping ensure your php.ini cookie settings are secure. This is especially true if you're only storing your session id in a cookie.

The example implementation is a bit ahead of the current stable version of Slim Auth and demonstrates the use of the Zend\Session remember me feature, although it's from ZF2 rather than ZF1: https://github.com/jeremykendall/slim-auth-impl/blob/master/public/index.php#L37
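
Added example, not part of the thread and not code from Slim Auth or Zend\Session: a small check of the php.ini session cookie directives that matter when the cookie carries only the session id, as the reply above describes. The directive names are standard PHP ini settings; the function name, rule table and sample values are assumptions made for illustration.

```php
<?php
// Added example: audits the session cookie directives of a PHP configuration.
// Rule table: directive => [expected value, why it matters for a long-lived session cookie].
const SESSION_COOKIE_RULES = [
    'session.use_only_cookies' => ['1', 'session id must never be accepted from the URL'],
    'session.use_strict_mode'  => ['1', 'reject session ids the server did not issue (fixation)'],
    'session.cookie_httponly'  => ['1', 'keep the session id out of reach of page scripts'],
    'session.cookie_secure'    => ['1', 'send the session id over HTTPS only'],
];

/**
 * Hypothetical helper (not a library API).
 *
 * @param array $ini directive => value, in the form ini_get() returns them
 * @return string[] one finding per directive that is weaker than expected
 */
function auditSessionCookieSettings(array $ini): array
{
    $findings = [];
    foreach (SESSION_COOKIE_RULES as $directive => [$expected, $reason]) {
        $actual = $ini[$directive] ?? false;
        // ini_get() gives '' or '0' for a disabled boolean and false for an unknown directive.
        $enabled = in_array(strtolower((string) $actual), ['1', 'on', 'true', 'yes'], true);
        if (($enabled ? '1' : '0') !== $expected) {
            $findings[] = sprintf('%s = %s: %s', $directive, var_export($actual, true), $reason);
        }
    }
    return $findings;
}

// Constructed sample values: only use_only_cookies is enabled.
$sample = [
    'session.use_only_cookies' => '1',
    'session.use_strict_mode'  => '0',
    'session.cookie_httponly'  => '',
    'session.cookie_secure'    => '',
];
print_r(auditSessionCookieSettings($sample));

// The same check against the running interpreter's own configuration.
$live = [];
foreach (array_keys(SESSION_COOKIE_RULES) as $directive) {
    $live[$directive] = ini_get($directive);
}
print_r(auditSessionCookieSettings($live));
```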
