XF 1.4 Does XF still uses xf_user cookie?

Nuno

Nuno

Well-known member
Hello,

I'm trying to configure nginx to cache pages for guest and in my readings I found a reference to xf_user cookie, but I don't see it in my headers, both as a guest or as a member.

Where does Xf stores login session? How can I identify guests/members by they cookies?

Thanks
 
Sort by date Sort by votes
You can't truly identify a guest vs member via cookie. It's only stored in a session.

The presence of the user cookie would tell you they're not a guest (but the lack of it doesn't tell you they're a guest).
 
Upvote 0 Downvote
Thank Mike,

Would be nice tho have a way to identify guests/members with a cookie, this way we would easily map a variable in nginx to cache guests pages :)
 
Upvote 0 Downvote
Thanks RoldanLT

Forcing stay connected is dangerous when the user shares his device with others, but will do.
 
Last edited:
Upvote 0 Downvote
RoldanLT said:
You can use this addon: https://xenforo.com/community/resources/remove-stay-logged-in.2444/
Or do it manually on templates.

Then you can now identify guest vs login user ;).
I have this implementation for more than a year now with nginx fastcgi_cache.
Click to expand...
While this does the job, after playing around with it a little, I noticed a user can delete the "xf_user" cookie (be it malicious or not) and still remain logged in, caching pages with their information.

Therefore, I went ahead and created an add-on (Logged In Cookie) that would be better suited for this use case (caching), by creating a "xf_logged_in" cookie, that will display the page as a guest if not present to avoid what I mentioned above. It also gives users the added benefit of being able to chose if they want to stay logged in or not.
 
Upvote 0 Downvote
RastaLulz said:
Therefore, I went ahead and created an add-on (Logged In Cookie) that would be better suited for this use case (caching), by creating a "xf_logged_in" cookie, that will display the page as a guest if not present to avoid what I mentioned above. It also gives users the added benefit of being able to chose if they want to stay logged in or not.
Click to expand...
Very impressive!
Thanks a lot (y)
 
Upvote 0 Downvote
RastaLulz said:
While this does the job, after playing around with it a little, I noticed a user can delete the "xf_user" cookie (be it malicious or not) and still remain logged in, caching pages with their information.

Therefore, I went ahead and created an add-on (Logged In Cookie) that would be better suited for this use case (caching), by creating a "xf_logged_in" cookie, that will display the page as a guest if not present to avoid what I mentioned above. It also gives users the added benefit of being able to chose if they want to stay logged in or not.
Click to expand...

Thanks @RastaLulz
 
Upvote 0 Downvote
You must log in or register to reply here.

Similar threads

yar
Not a bug remember_cookie from /api/auth/from-session and xf_user cookie
Replies
4
Views
450
yar
yar
Mouth
  • Question Question
enhances search still uses xf_search_index table?
Replies
4
Views
2K
Mouth
Mouth
Back
Top Bottom