Question

I have used the remember me functionality in my site using the following package: http://www.jasperrooswinkel.com/unexpected-expiration-of-zend_auth-sessions/. It is working fine. But I face a problem that a deleted user can access accounts just because of "stay signed in".

The scenario is as follows:

  1. User logs in after setting "keep me logged in".
  2. He leaves the system shut down without signing out.
  3. His account is deleted that evening.
  4. He opens the site the next morning.

As he had set stay signed in, he gets his session and he could post a story and do whatever in his account without knowing the fact that his account got deleted the previous day. Also, I have set remember for 14 days.

Any ideas how to solve this issue?

Thanks


Solution

Extending the session's expiration time for more than a few hours is a bad idea for many reasons, not just because you're keeping sessions of deleted users. There are also performance and security issues related to the fact you're keeping active sessions (with session_id) in your database / session storage.

See persisted login with Zend_Session::rememberMe.

In any case, you should revalidate your user account on each page load, to make sure his user still exists and is active:

I've created a revalidate function which I call on every page load. The function is called from the controller's init() function before the user can do anything.

public static function revalidate() {
    $userData = self::getIdentity();

    // No stored identity (session expired or never set): nothing to revalidate.
    if (!is_array($userData) || empty($userData['email'])) {
        return false;
    }

    // Look the account up fresh on every request instead of trusting the session copy.
    $modelUsers = new \Model_Users();
    $user = $modelUsers->fetchWithEmail($userData['email']);

    // Only an existing row with an active account role passes.
    if ($user instanceof \Model_User) {
        if ($user->getRoleType() == 'ACCOUNT') {
            return $user;
        }
    }
    return false;
}

OTHER TIPS

As he had set stay signed in, he gets his session and he could post a story and do whatever in his account without knowing the fact that his account got deleted the previous day.

When you delete the user, you must delete all of the user's session(s) as well.

In your SESSIONS table in the database, use a foreign key to the USERS table with ON DELETE CASCADE. Or you can do a JOIN on the user table when fetching the session.

When the user leaves his computer and comes back to your website the next day, his session has long expired. At this point, if you are allowing him to access your website, it is because he chose to be remembered, which you do by setting cookies on the computer.

When you authenticate a user based on cookies, you MUST check the cookie values against a database. Do not merely check for the existence of a cookie.

This will fix your issue. Also, it will plug a major security hole where a malicious person can simply create cookies manually on his computer and use them to get authenticated on your website.
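The two rules above (revalidate the account on every request, and check the remember-me cookie against the database rather than trusting its presence) combined into one added example. This is not code from the question, the answers or the linked package; it is written in Python with sqlite3 instead of PHP/Zend so it runs stand-alone, and the users/remember_tokens tables, the selector:validator cookie layout and the function names are assumptions.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed schema: ON DELETE CASCADE makes deleting a user revoke all of his tokens.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE remember_tokens (
    selector       TEXT PRIMARY KEY,
    validator_hash TEXT NOT NULL,
    user_id        INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
    expires_at     INTEGER NOT NULL);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite ignores FK clauses unless enabled
    db.executescript(SCHEMA)
    return db

def issue_token(db, user_id, ttl_days=14):
    """Create a remember-me token; only a hash of the secret half is stored."""
    selector, validator = secrets.token_hex(8), secrets.token_hex(32)
    db.execute("INSERT INTO remember_tokens VALUES (?, ?, ?, ?)",
               (selector, hashlib.sha256(validator.encode()).hexdigest(),
                user_id, int(time.time()) + ttl_days * 86400))
    db.commit()
    return selector + ":" + validator  # this is the cookie value sent to the browser

def revalidate(db, cookie, now=None):
    """Return the user id for a live token of an existing, active user, else None."""
    now = int(time.time()) if now is None else now
    selector, _, validator = cookie.partition(":")
    row = db.execute(
        "SELECT t.validator_hash, t.expires_at, u.id FROM remember_tokens t "
        "JOIN users u ON u.id = t.user_id WHERE t.selector = ? AND u.active = 1",
        (selector,)).fetchone()
    if row is None or row[1] < now:       # unknown/deleted/inactive user, or expired
        return None
    expected = hashlib.sha256(validator.encode()).hexdigest()
    if not secrets.compare_digest(row[0], expected):  # constant-time comparison
        return None
    return row[2]

def delete_user(db, user_id):
    db.execute("DELETE FROM users WHERE id = ?", (user_id,))
    db.commit()
```

Run `revalidate()` from the request entry point (the controller's init() in the Zend case) and treat None as "not logged in", so a deleted account stops working on the very next request rather than 14 days later.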

You can only check what you check. The moment the session is over and the user deleted and the persistent login procedure kicks in for keeping the user logged in, it needs to verify the user still exists. – hakre

As hakre said, I think you must verify the user each time he tries to change settings or do something like sending a new post or posting a new comment, etc. Let's try it.

This is exactly why you need to setup a session time out for every application/page.

Use ini_set() to set the session lifetime:

ini_set("session.cookie_lifetime", "1800"); // half an hour; must be set before session_start()
session_start();

Then check whether a session is alive on every secured page, like:

if (session_id() === '') { // no session for this request: not logged in
    header("Location: index.php"); // go to home page
    exit;
}
Licensed under: CC-BY-SA with attribution