So, you really want the "Remember me on this computer" option? This is not actually related to the OpenID part. Here's a language-agnostic way to do this:
First, create a database table with at least the columns cookie_id and user_id. If necessary, also add cookie_ttl and ip_lock. The column names speak for themselves, I think.
On first login (if necessary, only when the "Remember Me" option is checked), generate a long, unique, hard-to-guess key (which is in no way connected with the user), which represents cookie_id, and save it in the database along with user_id. Store cookie_id as the cookie value under a known cookie name, e.g. remember. Give the cookie a long lifetime, e.g. one year.
On each request, check if the user is logged in. If not, check for a cookie_id value under the cookie name remember. If it is there, and it is valid according to the database, then automatically log in the user associated with user_id, refresh the cookie age, and also refresh cookie_ttl in the database if you have one.
In Java/JSP/Servlet terms, use HttpServletResponse#addCookie() to add a cookie and HttpServletRequest#getCookies() to retrieve the cookies. You can do all the initial checks in a Filter which listens on the resources in question, e.g. /* or perhaps something a bit more restricted.
As for the session, you don't need it for this. It has a shorter lifetime than you need. Use it only to put the logged-in user in, or the "found" user when there is a valid remember cookie. That way the Filter can simply check for its presence in the session and then doesn't need to check the cookies on every request.
It's pretty straightforward. Good luck.
See also:
- How to implement "Stay logged in" when a user logs into a web application
- How do servlets work? Create, Sessions, Shared Variables, and Multithreading
BalusC Feb 02 '10 at 17:12
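The scheme described in the answer above, as an added example that is not BalusC's code and not part of the original post. It is written in Python rather than against the servlet API so it can be run as is: sqlite3 stands in for the database, one dict for HttpSession and another for the request cookies. The table and column names (remember_me, cookie_id, user_id, cookie_ttl, ip_lock) follow the answer; the function names login, filter_request, new_store and the return shape of the cookie dict are my own. It goes one step beyond the answer in one respect: only a SHA-256 digest of cookie_id is stored in the table, so a leaked table cannot be replayed as cookies.

```python
import hashlib
import secrets
import sqlite3
import time
from typing import Optional

COOKIE_NAME = "remember"          # the known cookie name from the answer
ONE_YEAR = 365 * 24 * 60 * 60     # cookie lifetime in seconds


def _digest(cookie_id: str) -> str:
    # Store a SHA-256 digest of the token, not the token itself (addition
    # beyond the answer): a leaked table then gives no usable cookies.
    return hashlib.sha256(cookie_id.encode("utf-8")).hexdigest()


class RememberMeStore:
    """The table from the answer: cookie_id, user_id, cookie_ttl, ip_lock."""

    def __init__(self, conn: sqlite3.Connection) -> None:
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS remember_me ("
            " cookie_id TEXT PRIMARY KEY,"   # digest of the token
            " user_id INTEGER NOT NULL,"
            " cookie_ttl INTEGER NOT NULL,"  # unix time after which the row is dead
            " ip_lock TEXT)"                 # optional client IP the token is bound to
        )

    def issue(self, user_id: int, ip_lock: Optional[str] = None,
              now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        # 32 random bytes, URL-safe: long, unique, not derived from the user.
        cookie_id = secrets.token_urlsafe(32)
        self.conn.execute(
            "INSERT INTO remember_me VALUES (?, ?, ?, ?)",
            (_digest(cookie_id), user_id, int(now + ONE_YEAR), ip_lock),
        )
        return cookie_id

    def lookup(self, cookie_id: str, client_ip: Optional[str] = None,
               now: Optional[float] = None) -> Optional[int]:
        """Return the user_id for a valid token and slide its TTL, else None."""
        now = time.time() if now is None else now
        key = _digest(cookie_id)
        row = self.conn.execute(
            "SELECT user_id, cookie_ttl, ip_lock FROM remember_me WHERE cookie_id = ?",
            (key,),
        ).fetchone()
        if row is None:
            return None
        user_id, cookie_ttl, ip_lock = row
        if now > cookie_ttl:
            # Expired: delete the row so the table does not fill with dead tokens.
            self.conn.execute("DELETE FROM remember_me WHERE cookie_id = ?", (key,))
            return None
        if ip_lock is not None and ip_lock != client_ip:
            return None
        # Valid: refresh cookie_ttl in the database, as the answer says.
        self.conn.execute(
            "UPDATE remember_me SET cookie_ttl = ? WHERE cookie_id = ?",
            (int(now + ONE_YEAR), key),
        )
        return user_id

    def revoke(self, cookie_id: str) -> None:
        """Call on logout so the cookie cannot be reused."""
        self.conn.execute("DELETE FROM remember_me WHERE cookie_id = ?",
                          (_digest(cookie_id),))


def new_store() -> RememberMeStore:
    """Fresh in-memory store; stands in for the real database connection."""
    return RememberMeStore(sqlite3.connect(":memory:"))


def login(store: RememberMeStore, session: dict, user_id: int, remember: bool,
          ip_lock: Optional[str] = None, now: Optional[float] = None) -> Optional[dict]:
    """Login handler: put the user in the session; with 'Remember me' also
    issue a token and return the cookie to set (name/value/max_age)."""
    session["user_id"] = user_id
    if not remember:
        return None
    cookie_id = store.issue(user_id, ip_lock=ip_lock, now=now)
    return {"name": COOKIE_NAME, "value": cookie_id, "max_age": ONE_YEAR}


def filter_request(store: RememberMeStore, session: dict, cookies: dict,
                   client_ip: Optional[str] = None, now: Optional[float] = None) -> Optional[dict]:
    """What the answer's Filter does on every request. Returns the cookie to
    re-set (refreshed age) when a 'found' user was logged in, else None."""
    if "user_id" in session:
        return None                        # already logged in, no cookie check
    cookie_id = cookies.get(COOKIE_NAME)
    if cookie_id is None:
        return None
    user_id = store.lookup(cookie_id, client_ip, now)
    if user_id is None:
        return None                        # unknown, expired or IP-locked token
    session["user_id"] = user_id           # the "found" user goes into the session
    return {"name": COOKIE_NAME, "value": cookie_id, "max_age": ONE_YEAR}
```

In servlet terms, the dict returned by login and filter_request is what you would turn into a Cookie for HttpServletResponse#addCookie(), and filter_request is the body of the Filter's doFilter(). In production also set the cookie's HttpOnly and Secure flags, and call revoke on logout.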