Doing a project for a client. They want user’s to be remembered, i.e., logged in automatically. That seems dumb and difficult. But, they want us to recognize the user and log them in.
Since there is woocommerce installed, I can’t really mess with the sessions, eh?
Seems like once they register, you’d have to create a uniqueID and stuff it into a database table, and set it in a cookie (correlated with the username/pwd).
Then when a visitor arrives, you check if logged in (WP), and let them go, if so. If not logged in, you check for the cookie, and then log them in. Of course, this is severely hacker prone, eh?
The default behavior is generous enough. I can’t imagine wanting to extend it, especially if commerce is involved. I’m unfamiliar with woocommerce, I would hope the little remember me check box is removed. That essentially invokes an auto login condition as long as the user doesn’t explicitly logout and returns within a certain time frame. Possibly OK for a blog, but not for commerce.
In any case, it shouldn’t be too hard to extend the remember me time frame, but whether it can be done without a core hack, I don’t know. Of course, it’s not a true auto login since if the user logs out, they have to manually log in again. But that is as it should be. As a user, I would freak if I explicitly logged out of a site, only to return the next day and find I’m still logged in. So there is no need to replicate user management functions, simply significantly extend the time frame used by the current user management functions. (At your client’s peril)
Yes, login based on cookie existence is a security risk. Even session cookies are a risk. It’s easy to imagine a situation where a user fails to properly end their session, leaving their access open for anyone that happens by. Commerce sites need to strengthen WP access, not loosen it!
- The topic ‘User Session or Cookie’ is closed to new replies.