I've noticed after a few days, identity variable still exists (as I checked "remember" checkbox), but $_SESSION data vanishes. I discovered this because I have a Condition that checks:
I've also noticed Security Login creates its own cookie instead of using the session cookie, and that may explain the difference why one vanishes sooner than the other. It seems the session cookies only last until the browser is closed, but the security identity cookie stays e.g. 30 days as defined in the configuration.
Sessions are only available for a single browser session. The remember me option stores an extra security cookie with your login information so that it logs you in again after a session was expired. The previous session data will then of course be gone since you have a new login. This is expected behavior, session data is only temporary during the browser session.
What way do you propose to store data in a cookie that should last the same life as the security identity cookie and is equally secure against user-tampering?
And is there a way to renew those cookies at a later date so I can extend their expiration date?
The security measure I'm implementing doesn't allow loading such critical data based on identity alone. The data has to be loaded on login and stick for the entirety of the security identity "session"
E.g. on password change, the session guard is incremented, and any logged-in session with the old value is logged out
You can configure sessions to exist longer, the session timeout can be configured and you could overwrite the cookie settings for the sessions to last longer. If you do not use the remember me option with login it will only last as long as the session. The remember me sets an extra cookie that does auto logins the user after his session was expired, so a new login session is started.
Another option is to check the identity before the security provider, if it isn't set then the previous session was expired. If it then gets past the security provider you know that it's a new login.
