A unique token is saved as a cookie when you log in.
A matching token is stored in the table user_tokens
for your profile on this domain on this device.
If all these tokens match up when you return to the site, you will be automatically logged in.
Note: You should always click the option to remove these cookies from any device
that is not a private device.
Every time you log in using the login form,
the system saves a unique token in the DB and a matching token as a cookie on the device
you used to log in.
Auto-Login & Login Redirects
When you are not logged in, for example on the first page visit of a session,
the PHP engine adds a JS function to the page ready JS code.
This extracts any saved login cookie and passes it by redirect to
The PHP script ajax-login.php has been DEPRECATED.
Cookies are now saved in biscuits-login.js
These cookies are matched with the token saved in the database.
The PHP engine detects that you have no session variables set
and assumes that you have just arrived.
In this case the engine sets up a JS function to run on document.ready called
These tokens will NOT contain any authentication information
such as passwords or usernames.
But the token will be a unique string that should match a record on the server database.
Note: If this is not a new session,
this process ends here and the previous session continues.
Control is redirected to the server PHP via a URL /member/login/SERVER_TOKEN
where the matching to the database is attempted.
Note: This URL /member/login will result in the login form (view form-login.php) if no token is in the URL.
The tokens are checked
ENGINE->memberDB->loginAttempt($username, $password, $token);
checks the tokens that were previously created by ENGINE->memberDB->createServerToken()
(This only generates a unique token string.)
ENGINE->memberDB->setServerToken() saves the generated token to the DB.
You should log off first. The cookie is updated with a new token value every time you submit the login form.
A fault was discovered with this token cookie. If you log in on another device, the new token will match
this new device but the old device will still have a cookie that no longer matches your server_token.
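One way to avoid this fault, shown as an added example that is not the engine's own code: keep one token row per device, store only a hash of the token, and issue a fresh token on each successful auto-login. The table layout, the function names issueToken() and autoLogin(), and the deviceId:token cookie format are assumptions made for illustration; the script needs the pdo_sqlite extension.

```php
<?php
// Added example: hypothetical schema and function names, not the engine's code.
// One row per device, so logging in elsewhere leaves other devices' tokens intact.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_tokens (
    device_id  TEXT PRIMARY KEY,
    user_id    INTEGER NOT NULL,
    token_hash TEXT NOT NULL,
    expires_at INTEGER NOT NULL)');

// Issue (or rotate) the token for one device and return the cookie value.
function issueToken(PDO $db, int $userId, string $deviceId, int $ttl = 2592000): string
{
    $token = bin2hex(random_bytes(32));   // unguessable, carries no username or password
    $stmt = $db->prepare('REPLACE INTO user_tokens VALUES (?, ?, ?, ?)');
    // Only a hash is stored, so a leaked table cannot be replayed as cookies.
    $stmt->execute([$deviceId, $userId, hash('sha256', $token), time() + $ttl]);
    return $deviceId . ':' . $token;
}

// Check a cookie value; on success rotate the token and return [userId, newCookie].
function autoLogin(PDO $db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                      // malformed cookie
    }
    [$deviceId, $token] = $parts;
    $stmt = $db->prepare('SELECT user_id, token_hash, expires_at FROM user_tokens WHERE device_id = ?');
    $stmt->execute([$deviceId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || (int) $row['expires_at'] < time()
        || !hash_equals($row['token_hash'], hash('sha256', $token))) {
        return null;                      // unknown device, expired or mismatched token
    }
    return [(int) $row['user_id'], issueToken($db, (int) $row['user_id'], $deviceId)];
}

// Constructed scenario: user 42 logs in on a laptop, then on a phone.
$laptop = issueToken($db, 42, bin2hex(random_bytes(8)));
$phone  = issueToken($db, 42, bin2hex(random_bytes(8)));
$first  = autoLogin($db, $laptop);        // laptop cookie presented after the phone login
if ($first === null) { throw new RuntimeException('laptop token was invalidated'); }
if (autoLogin($db, $laptop) !== null) { throw new RuntimeException('rotated-out token accepted'); }
echo "user {$first[0]} re-authenticated on the laptop; replacement cookie issued\n";
```

The cookie sent back to the browser after a successful autoLogin() must be the second element of the returned array, since the previous value no longer matches.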
A successful auto-login will take you to a recent page and show your username at the top of the page.
Auto-login is based on cookies saved on the visitor's computer.
These cookies can optionally save the username and password.
Auto-login only occurs when you visit the first page of a session.
You can clear your session and start a new session by
Every visitor has a SESSION PROFILE
Even guests will have a profile with userid = 1.
If the first page visit finds an empty session profile.
label in the engine.
This shows that the auto-login should be attempted.
(If the SESSION PROFILE exists then no auto-login is required,
as the user is already logged on or has been assigned as a guest user.)
Add the biscuits-login.js script to the page.
(In the recent versions, all scripts in the /js directory of the application area
are added every time.)
Run the js function auto-login()
This will pick up any login cookies and redirect to