WEBVTT

00:00.440 --> 00:10.040
Now sessions eventually expire in PHP, and if signing in and being authenticated relies only on the

00:10.040 --> 00:10.850
session.

00:10.880 --> 00:15.650
This might mean that your users would have to log in a couple of times a day.

00:15.650 --> 00:23.070
It might be enough that they stop using your service or your website for, let's say, an hour or two

00:23.070 --> 00:27.860
and they would have to log in again, which might be very inconvenient.

00:27.920 --> 00:36.770
That's why often with authentication, with logging in, you might see a feature called Remember Me.

00:36.770 --> 00:44.360
And it's supposed to sign you in for longer periods of time, for example, two weeks or maybe even

00:44.360 --> 00:45.500
one month.

00:45.500 --> 00:54.230
And now in the next couple of videos, we're going to implement this feature, as it is a non-trivial feature.

00:54.260 --> 01:01.010
Let's start with the diagram and the changes that are related to the Remember Me feature.

01:01.580 --> 01:04.370
Let's try to just describe this

01:04.400 --> 01:08.960
Remember Me feature in a simplistic way.

01:09.680 --> 01:17.240
So we need to go back to this point where we compare the passwords when someone tries to log in.

01:17.270 --> 01:20.720
Now we've got this new feature, Remember Me.

01:20.840 --> 01:28.340
There would be a checkbox, and if someone wants his session to be longer, then those are the new things

01:28.340 --> 01:29.930
that we need to add.

01:29.930 --> 01:35.780
So, remember that sessions are temporary by design.

01:35.780 --> 01:43.610
If you have no activity for, let's say, 30 minutes to a couple of hours, depending on how you have configured

01:43.610 --> 01:48.830
sessions in PHP, well, you will be logged out automatically.

01:48.830 --> 01:50.750
Your session would be destroyed.

01:50.750 --> 01:54.440
Thus there will be no user ID in the session.

01:54.440 --> 01:58.160
It means you will no longer be authenticated.

01:58.730 --> 02:07.100
Now, to fight this and let users have longer sessions so they don't have to authenticate a couple of times

02:07.100 --> 02:10.650
a day, today we add this Remember Me feature.

02:10.650 --> 02:20.070
The way it works is we're going to create and store a so-called remember token in the database.

02:20.250 --> 02:22.740
It's going to have an expiry date.

02:22.740 --> 02:24.360
You can customize that.

02:24.390 --> 02:27.540
It can be two weeks or one month.

02:27.720 --> 02:38.040
And in addition to creating and storing such a remember token, which is just a random set of characters,

02:38.040 --> 02:40.290
it is a generated token.

02:40.770 --> 02:42.900
So we're going to store it in a database.

02:42.900 --> 02:46.860
But also we will store such token in a cookie.

02:46.890 --> 02:55.530
So cookies are stored in a browser, and they are always automatically sent with every request by the

02:55.530 --> 02:56.370
browser.

02:56.370 --> 03:00.510
And you can set the expiry date on the cookies as well.

03:00.690 --> 03:10.020
And the way things would work right now to figure out if someone is logged in, we're going to either try

03:10.050 --> 03:13.140
to get his user ID from the session.

03:13.620 --> 03:15.510
But if that expires.

03:15.510 --> 03:23.250
So if the session expires and someone wanted to be remembered, then we're going to try a second method.

03:23.280 --> 03:26.640
So the token is stored in a cookie.

03:26.700 --> 03:31.530
We're going to use this token and find the database record,

03:32.550 --> 03:36.960
the remember token inside the database, using this very token.

03:37.050 --> 03:42.930
And every remember token is always connected to a specific user.

03:42.930 --> 03:46.470
And this is how we're going to fetch the user.

03:46.470 --> 03:51.090
And that's the way we're going to figure out that we are authenticated.

03:51.600 --> 03:59.970
Additionally, for extra security, every single time we retrieve the user by his remember token, we're

03:59.970 --> 04:07.560
going to rotate this token, meaning we are going to regenerate the token every single time it's being

04:07.560 --> 04:10.890
read to authenticate the user.

04:10.890 --> 04:21.010
And this is just a security precaution, because those Remember Me tokens are really long-lived.

04:21.040 --> 04:23.410
Two weeks or one month.

04:23.440 --> 04:32.440
This is a really long time, and in this time it's easy for this token to just land in the wrong hands,

04:32.440 --> 04:39.070
and then someone else can impersonate the user, basically taking over his account.

04:39.100 --> 04:46.900
Now you also need to understand, and you need to be aware of this, that this Remember Me feature is

04:46.900 --> 04:52.750
not 100% safe, and it is a potential risk.

04:52.750 --> 04:54.670
So nothing's free.

04:54.700 --> 04:56.950
It's just more user convenience.

04:56.950 --> 04:59.980
But there are some risks involved.

04:59.980 --> 05:08.170
That's why we will try to mitigate the risks by rotating the token.

05:08.800 --> 05:09.190
Okay.

05:09.220 --> 05:15.160
So that was the explanation of what we are going to do and how.

05:15.250 --> 05:18.970
Now let's just start building this feature.
