I have used the "remember me" functionality on my site using the following package: http://www.jasperrooswinkel.com/unexpected-expiration-of-zend_auth-sessions/. It is working fine. But I face a problem that a deleted user can still access his account just because of "stay signed in".
The scenario is as follows:
As he had set "stay signed in", he gets his session and he could post a story and do whatever in his account without knowing that his account was deleted the previous day. Also, I have set the remember period to 14 days.
Any ideas how to solve this issue?
Thanks
Extending the session's expiration time for more than a few hours is a bad idea for many reasons, not just because you're keeping sessions of deleted users. There are also performance and security issues related to the fact that you're keeping active sessions (with session_id) in your database / session storage.
See persisted login with Zend_Session::rememberMe.
In any case, you should revalidate your user account on each page load, to make sure the user still exists and is active:
I've created a revalidate function which I call on every page load. The function is called from the controller's init() function before the user can do anything.
    class Auth
    {
        // Re-check the stored identity against the users table on every request;
        // return the user row when it still exists and is an active account,
        // otherwise false.
        public static function revalidate() {
            $userData = self::getIdentity();
            // No identity (or a stale one without an email): nothing to validate.
            if (empty($userData['email'])) {
                return false;
            }
            $modelUsers = new \Model_Users();
            $user = $modelUsers->fetchWithEmail($userData['email']);
            if ($user instanceof \Model_User) {
                if ($user->getRoleType() == 'ACCOUNT') {
                    return $user;
                }
            }
            return false;
        }
    }
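Below is an added, framework-free illustration of the per-request revalidation the answer recommends, not code from the question, the answer, or the linked package. The user store, identity format and function names (`fetchUser`, `revalidate`, `deleteUser`) are assumptions for illustration; in the Zend application from the question the lookup would go through `Model_Users`.

```php
<?php
// Added example: revalidate a "remembered" login on every request so that a
// deleted or deactivated account stops working immediately, however long the
// remember-me cookie is valid. All names and data here are constructed.

// Constructed stand-in for the users table: email => row.
$USERS = [
    'alice@example.com' => ['id' => 1, 'role' => 'ACCOUNT', 'active' => true],
    'bob@example.com'   => ['id' => 2, 'role' => 'ACCOUNT', 'active' => true],
];

// Stand-in for the persisted identity that a remember-me cookie restores.
function identityFor($email) {
    return ['email' => $email, 'remembered_at' => time()];
}

// Stand-in for Model_Users::fetchWithEmail(): look the user up in the live store.
function fetchUser(array $users, $email) {
    return isset($users[$email]) ? $users[$email] : null;
}

// Revalidate the stored identity against the live user store. Returns the user
// row when the account still exists, is active and has the expected role;
// otherwise clears the identity (so the stale session cannot be reused) and
// returns false.
function revalidate(array $users, &$identity) {
    if (empty($identity['email'])) {
        return false;
    }
    $user = fetchUser($users, $identity['email']);
    if ($user === null || !$user['active'] || $user['role'] !== 'ACCOUNT') {
        $identity = null; // counterpart of Zend_Auth::getInstance()->clearIdentity()
        return false;
    }
    return $user;
}

// Deleting a user removes the row; any remembered session for it now fails
// revalidation on its next request instead of living on for 14 days.
function deleteUser(array &$users, $email) {
    unset($users[$email]);
}

// Walk-through: Bob is remembered, gets deleted, then makes another request.
$bobIdentity = identityFor('bob@example.com');
var_dump(revalidate($USERS, $bobIdentity) !== false);
deleteUser($USERS, 'bob@example.com');
var_dump(revalidate($USERS, $bobIdentity));
var_dump($bobIdentity);
```

In the Zend application this check belongs where the answer puts it, in the controller's init() (or a front-controller plugin) before any action runs; on failure, clearing the identity with `Zend_Auth::getInstance()->clearIdentity()` and dropping the long-lived cookie with `Zend_Session::forgetMe()` ensures the remembered session is not simply restored on the next request.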