Request long session for frontend login

I’m trying to offer my users a long session option while they are logging in (also known as: keep me logged in).

As a first step I updated my login code as described here:
$user->login($password, $kirby->session(['long' => true]));

…and changed the global durationLong setting to a duration of 5 seconds for testing purposes.

However, when I log in now, I don’t just stay logged in for the 5 seconds. I also stay logged in after minutes, even if I close the tab and reopen it.

Am I missing something here?

That probably doesn’t make sense. Have you read this section about sessions:

Yes, I have, but probably do not understand it right.

There are also so-called “long sessions”. They don’t have a timeout and expire after two weeks by default. The expiry time can be changed with the [session.durationLong option].

What I want is to change the expiry time to 1 week in the end but would like to test it with a much shorter time before. What would be the recommended way to do this with the $user->login() method?

I don’t know. Ping @lukasbestle

The reason why you don’t see the effect for a durationLong value of five seconds is most likely the way you are testing it:

When you visit the Panel login page, Kirby will automatically create a session to store the CSRF token. Because the user has not yet decided whether they want a long or a normal session, the session will for now be of normal length (= two hours). If you then log in to the Panel and check the “keep me logged in” checkbox, Kirby will extend the session duration to the configured value of durationLong – however it will not shorten the duration of an already existing session. So Kirby will use the two hours and not the five seconds. That’s an example with the Panel, but the same most likely also applies to custom login forms (depending on how they are implemented). In any case it’s not supported to have a shorter durationLong than durationNormal.

If you want to verify whether your code works, it’s better to check directly in your browser’s dev tools. In Safari it will for example look like this:

Thanks a lot for the extensive explanation. It all works like you described.

That’s my final line of code for a long session login:
$user->login($password, ['long' => true]);

Awesome! BTW: If you are implementing a frontend login form, it’s better to use the following:

$user = $kirby->auth()->login($email, $password, /* $long = */ true);

The advantage is that this will give you brute-force protection for free.

1 Like