laravel-impersonate

Set remember me token expire date to 1 year

Open DanielGSoftware opened this issue 1 year ago • 5 comments

When you stop impersonating a user, the expire date of the remember token gets set to session.

This means that when you close the browser and the session ends, the remember me token is gone, and the user has to log in again (that is if the Laravel session expired). Setting the remember me token to a date will keep the remember token when the browser closes, and the user will still be logged in.

DanielGSoftware, Sep 01 '22 12:09

The expiration date is now hardcoded to 1 year; if a user would like to change this, he has no way of doing that. Perhaps it's a good idea to maybe add it to the config file or add a param to the leave method (with a default value).

Using config file in laravel-impersonate.php



/**
 * The expiration date in minutes for the remember me token after leaving an impersonation.
 * Default is 1 year.
 */
'remember_me_expiration' => 525600,

ImpersonateManager.php

$this->app['cookie']->queue($session[0], $session[1], config('laravel-impersonate.remember_me_expiration'));

Passing time through leave

    // Changed line
    public function leave(int $expireTime = 525600): bool
    {
        try {
            $impersonated = $this->app['auth']->guard($this->getImpersonatorGuardUsingName())->user();
            $impersonator = $this->findUserById($this->getImpersonatorId(), $this->getImpersonatorGuardName());

            $this->app['auth']->guard($this->getCurrentAuthGuardName())->quietLogout();
            $this->app['auth']->guard($this->getImpersonatorGuardName())->quietLogin($impersonator);

            // Changed line
            $this->extractAuthCookieFromSession($expireTime);

            $this->clear();

        } catch (\Exception $e) {
            unset($e);
            return false;
        }

        $this->app['events']->dispatch(new LeaveImpersonation($impersonator, $impersonated));

        return true;
    }


    // Changed line
    protected function extractAuthCookieFromSession(int $expireTime): void
    {
        if (!$session = $this->findByKeyInArray(session()->all(), static::REMEMBER_PREFIX)->first()) {
            return;
        }

        // Changed line
        $this->app['cookie']->queue($session[0], $session[1], $expireTime);
        session()->forget($session);
    }

Would you have a preference?

DanielGSoftware, Sep 01 '22 13:09

I think I would prefer the config file version; this isn't something that needs to be set on a case-by-case basis, so a config value should work fine.

Arne1303, Sep 01 '22 16:09

I agree, config would make more sense, I'll adjust the code.

DanielGSoftware, Sep 02 '22 13:09

Hi, any update on this?

DanielGSoftware, Feb 01 '23 10:02

I've occasionally run into this remember-token confusion. I hadn't investigated, but it looks like your proposal probably solves that. Thanks for that.

One year is probably fine.

Perhaps there's value in simply checking what the intended guard's "forever" length is set to, and using that?

The default "forever" length for Laravel 9+ is 400 days (per standards). (Prior to that it was 5 years.): https://github.com/laravel/framework/pull/43806 https://github.com/laravel/framework/pull/44026

drbyte, Apr 28 '23 21:04
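
A regression check for the behaviour discussed in this thread, as an added example that is not part of the issue or the package's code: it classifies a Set-Cookie header as session-scoped or persistent and flags a remember cookie that would not survive a browser restart or that outlives the 400-day figure mentioned above. The function names, the cookie name and the header strings are constructed for illustration.

```php
<?php
// Added example, not from the package. Header strings are constructed samples.

/** Parse one Set-Cookie header value into name, persistence and lifetime. */
function inspectSetCookie(string $header, int $now): array
{
    $parts = array_map('trim', explode(';', $header));
    [$name] = explode('=', array_shift($parts), 2);

    $expiresAt = null;
    foreach ($parts as $attr) {
        [$key, $value] = array_pad(explode('=', $attr, 2), 2, '');
        $key = strtolower($key);
        if ($key === 'max-age' && is_numeric($value)) {
            $expiresAt = $now + (int) $value; // Max-Age wins over Expires (RFC 6265)
            break;
        }
        if ($key === 'expires' && ($ts = strtotime($value)) !== false) {
            $expiresAt = $ts;
        }
    }

    $persistent = $expiresAt !== null && $expiresAt > $now;
    return [
        'name' => $name,
        'persistent' => $persistent,
        'minutes' => $persistent ? intdiv($expiresAt - $now, 60) : null,
    ];
}

/** Findings for a remember cookie; $maxMinutes defaults to 400 days. */
function rememberCookieFindings(array $info, int $maxMinutes = 576000): array
{
    if (!$info['persistent']) {
        return ["{$info['name']}: not persistent, will not survive a browser restart"];
    }
    if ($info['minutes'] > $maxMinutes) {
        return ["{$info['name']}: lifetime {$info['minutes']} min exceeds {$maxMinutes} min"];
    }
    return [];
}

$now = strtotime('2022-09-01 12:00:00 UTC');
$samples = [
    'remember_web_EXAMPLE=PLACEHOLDER; path=/; httponly; samesite=lax',
    'remember_web_EXAMPLE=PLACEHOLDER; Max-Age=31536000; path=/; httponly; samesite=lax',
    'remember_web_EXAMPLE=PLACEHOLDER; Max-Age=157680000; path=/; httponly; samesite=lax',
];
foreach ($samples as $header) {
    $findings = rememberCookieFindings(inspectSetCookie($header, $now));
    echo $findings ? implode("\n", $findings) : 'ok: persistent, within limit', "\n";
}
```

The three samples cover a cookie with no expiry attribute (the state reported in the issue), a 1-year lifetime and a 5-year lifetime.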