FEU Remember Me option

[superwad]

I'm just curious as to how the FEU's "Remember Me" is supposed to work.  I've been getting reports that it's not actually remembering a user.  I tried this myself, and found out that it remembers the login only while the browser window remains open.  Once the browser is cleared and the user tries to access the area again, they are forced to log in again.  I have the option set to not allow duplicate logins, so they need to wait until the session expires on the site before they can login again.

Any ideas how to fix this?

[meiriem]

Here the same problem (FEU 1.5.3). I added a name in FEU-admin for the cookie remember-me.

The solution (in my case):

1. in FEU/action.logout.php I comment out line 45:
//$this->_AttemptInvalidateLoginCookie();
For some reason this function deletes the cookie remember-me at a logout. 

2. Next a warning came up regarding the mcrypt_ecb function. I suppressed this warning with a @ in FrontEndUsers.module.php on line 1598.

Now it works.

[kendo451]

It works, but you probably just created a security vulnerability.

[superwad]

Then how would I get this feature to work?  The users do need this option to be enabled, but I'd rather not create extra work for myself in the long run by introducing a security breach.

[kendo451]

Put in a bug report for FEU module in the CMSMS Forge. They will fix it pretty fast in the SVN version.

[superwad]

Ok, so I've finally upgraded to the latest FEU and CMSMS.  This function still does not work.

From what I can gather, the cookie is properly being set by the system.  However, when I visit either my login page or any of the pages that I've "locked down" so only logged in users can access them, I still can't access them.  I've confirmed the cookie is properly set by checking the cookie status after logging in with the Remember Me feature disabled and disabled.  One particular cookie is only set when the option is enabled.

I suppose I might be convinced it is the way I'm doing the "logged in" checking on my protected pages, except that when I visit my login page, I'm still allowed to attempt a login, even though I have the cookie set and should still be registered as logged in by the system.  Granted, my login page only includes the FEU login form, but that login form should probably have some sort of checking that only displays the form if the user really can log in.

In case I'm doing anything wrong, here is the method I'm using to determine if a user is logged in:

Code: Select all

{capture assign='allowed'}{permission}{/capture}
{if $allowed == 'true'}
<!-- the content -->
{else}
<!-- can't access -->
{/if}

The "permission" UDT looks like:

Code: Select all

global $gCms;

$cmsmodules = $gCms->modules;
$feusers = $cmsmodules['FrontEndUsers']['object'];
$userID = $feusers->LoggedInId();
$groupID = $feusers->GetGroupID($feusers->GetMemberGroups($userID));
$logged_in = !(!$userID || $userID <= 0);

if (!$logged_in) { echo "false"; }
else if ((($groupID == '3') || ($groupID == '4') || ($groupID == '5') || ($groupID == '11') || ($groupID == '13') || ($groupID == '15') || ($groupID == '17') || ($groupID == '19')) && ($logged_in)) { echo "true"; }
else { echo $groupID; }

I'm really at my wits end here.  Is there some FEU hook that I should be looking at?  Is there a way with the FEU API to check the cookie status and bypass entirely the permission UDT that I banged together?

Please, any help with this would be invaluable.  This functionality really does need to work, and ideally I'd like it to be core with FEU, but I'll hack around it until it works if need be.

Thank you.

[JeremyBASS]

I'll confirm that the remember me does not work in all versions since at least a year ago, and this is on many different host and set ups, from Rackspace to godaddy... ...

Have you placed a bug report...?

cheers
jeremyBass

[superwad]

I put in a bug report in August.  At the end of January, I posted again, and Robert Campbell told me to try the latest version.  I tried it and posted back in the bug, and updated this thread.

Hopefully between the both of them we can get this feature working properly again.

[namloc]

bumping this one as I have confirmed that mcrypt is loaded and detected by

if(function_exists('mcrypt_module_open')) echo "mcrypt exists"; 

but remember me function is not active

Colman

[namloc]

fourn that by setting field cookiename in sitepref table in db to non NULL the remember me checkbox appears and a cookie of the name is set appears in my cookie list

expiry of this cookie is very short however so next task is to extend the expiry time

[kissack]

fourn that by setting field cookiename in sitepref table in db to non NULL the remember me checkbox appears and a cookie of the name is set appears in my cookie list

expiry of this cookie is very short however so next task is to extend the expiry time

Thanks for this, I look forward to hearing how you get on with extending the time too

[manuel]

Dear all,

I've posted my efforts to analyse/fix this here:
http://forum.cmsmadesimple.org/index.ph ... #msg238297

ps: kissack & namloc, i haven't tested if these changes take effect but normally the cookie session timeout is defined in "Frontend User Management" > "Preferences" > "Session Timeout (seconds):"

Greetings,
Manuel

[manuel]

got it fixed for me... seems it was a case of "didn't calmly read all the settings before diving in to the mysql" 
http://forum.cmsmadesimple.org/index.ph ... #msg238423

Greetings,
Manuel