
PHP Server Side Scripting Forum

    
Sessions expiring
LinusIT




msg:4380620
 11:26 am on Oct 28, 2011 (gmt 0)

Hi

I've created a system that uses sessions for various different things but I've noticed that the sessions are "dying" as soon as the browser is closed. This means they have to log in again which can be annoying.

I used to use cookies that expired at midnight but changed to sessions as I thought they were more secure. I've tried to find a way of setting the sessions to expire at midnight but had no joy.

What I'd like to achieve is the user logs in and then stays logged in until midnight or the next day.

Any ideas please?

 

httpwebwitch




msg:4380668
 1:38 pm on Oct 28, 2011 (gmt 0)

Look at the session.cookie_lifetime in PHP's runtime configuration

[php.net...]

session.cookie_lifetime integer

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().

penders




msg:4380669
 1:41 pm on Oct 28, 2011 (gmt 0)

That is really what a session is (unfortunately)... the browser session expires as the user moves off the site, closes their browser or after about 24 mins (by default under PHP) if left idle (ie. the user does not navigate to another page and refreshes the session in that time period).

You could perhaps combine this with a cookie. If the session has expired, check for this cookie and auto-log-back-in the user. But this auto-login should perhaps not log the user in fully - if the user wants to do something that requires an increased level of security (edit their profile for instance) then prompt for their password and complete a full login. Whether you store a cookie at all could be determined at the user's initial login, "[x] Keep me logged in for 1 day" - which is kind of what eBay does I think.

penders




msg:4380678
 2:01 pm on Oct 28, 2011 (gmt 0)

Note that session.gc_maxlifetime [php.net] (Default 1440 seconds = 24 mins) might expire the session before session.cookie_lifetime, if idle (as mentioned above).

Also, from 16 Tips for Secure Code [viper-7.com]:
4. Don't extend the PHP session lifetime beyond an hour. If you do need to provide a "Remember Me" function: Generate a unique token, store it in that user's record in your database, and put that token in a cookie. If a user that doesn't have an active session requests a page, check for this token and use it to create a new logged in session for that user. It's a good idea to regenerate this token every time it's used to again ease security issues (unless clients need the ability to stay logged in on multiple computers.)
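
An added example, not code from any poster in this thread: the "Remember Me" token flow from the quoted tip, combined with the partial auto-login suggested earlier. The `users` columns, the cookie name and the `full_login` session key are assumptions; storing only a hash of the token in the database is a hardening choice of this example.

```php
<?php
declare(strict_types=1);

// Assumed schema (hypothetical):
//   users(id INTEGER PRIMARY KEY, remember_hash TEXT, remember_expires INTEGER)
const REMEMBER_COOKIE = 'remember_me';  // hypothetical cookie name
const REMEMBER_TTL    = 86400;          // "Keep me logged in for 1 day"

// Create a new token in the user's record; only its SHA-256 hash is stored.
function issueRememberToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET remember_hash = ?, remember_expires = ? WHERE id = ?')
       ->execute([hash('sha256', $token), time() + REMEMBER_TTL, $userId]);
    return $token;
}

// Return the id of the user who owns an unexpired token, or null.
function findUserByRememberToken(PDO $db, string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) { return null; }  // malformed value
    $stmt = $db->prepare('SELECT id FROM users WHERE remember_hash = ? AND remember_expires > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

function sendRememberCookie(string $value, int $expires): void
{
    setcookie(REMEMBER_COOKIE, $value, [            // options array needs PHP 7.3+
        'expires' => $expires, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Call once per request, before any output is sent.
function resumeLogin(PDO $db): void
{
    session_start();
    if (isset($_SESSION['user_id']) || !isset($_COOKIE[REMEMBER_COOKIE])) { return; }
    $userId = findUserByRememberToken($db, (string) $_COOKIE[REMEMBER_COOKIE]);
    if ($userId === null) { sendRememberCookie('', time() - 3600); return; }  // clear it
    session_regenerate_id(true);                    // fresh session id for the new login
    $_SESSION['user_id']    = $userId;
    $_SESSION['full_login'] = false;                // ask for the password before sensitive actions
    sendRememberCookie(issueRememberToken($db, $userId), time() + REMEMBER_TTL);  // rotate on use
}
```

Setting `remember_hash` to NULL on logout and on password change invalidates any cookie still held by a browser.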

httpwebwitch




msg:4380687
 2:29 pm on Oct 28, 2011 (gmt 0)

while you're fiddling with sessions and runtime config, take a look at these, too:

session.gc_probability
session.gc_divisor
session.gc_maxlifetime

they control the expiry of sessions.

(source: same link as above)

you can do a lot just by nudging those numbers up and down

rocknbil




msg:4380736
 4:47 pm on Oct 28, 2011 (gmt 0)

I've tried to find a way of setting the sessions to expire at midnight but had no joy.


What's not explicitly clarified here is that the reason the sessions die when you close the browser is that the PHPSESSID cookie is what connects the browser with the PHP sessionid. It is indeed a session cookie - but in respect to the PHPSESSID cookie itself, it's NOT a PHP session, it's a **browser** session. Close the browser, the cookie dies.

I've never tried this but it **should** work (and, you might be doing the same thing modifying session.cookie_lifetime.) Immediately after setting a new session, set a PHPSESSID cookie with a valid future expiration date, effectively overwriting or updating the PHPSESSID cookie. You'll have to make sure you grab the current session id and rewrite its value as the value of the cookie. A cookie with a valid future expiration date is a persistent cookie and will not die when you close the browser. To see this, and see if it's working, browse to the place you set the cookie in Firefox then examine the cookies for this domain.

There are two downsides to this, the first being you'll have to pair session_start() and your cookie mod (everywhere you do session_start(), modify the PHPSESSID cookie immediately afterward.) Shouldn't be a big task if you have all that in one place.

The second is although you can force the cookie to "live" beyond the PHP sessions, the server PHP session will still die at around 25 minutes from the last activity. But this should get you around the closed browser issue.
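
An added example, not code from any poster in this thread: a session that ends at midnight, built from the settings named in the replies above (`session.cookie_lifetime` through `session_set_cookie_params()`, plus `session.gc_maxlifetime`) and a deadline enforced on the server. The function names and the `expires_at` session key are assumptions.

```php
<?php
declare(strict_types=1);

// Seconds from $now until the next local midnight (server time zone).
function secondsUntilMidnight(?DateTimeImmutable $now = null): int
{
    $now = $now ?? new DateTimeImmutable('now');
    return $now->modify('tomorrow')->getTimestamp() - $now->getTimestamp();
}

// Call instead of a bare session_start(), before any output is sent.
function startSessionUntilMidnight(): void
{
    $ttl = secondsUntilMidnight();

    // Server side: keep idle session data for up to a day instead of the
    // default 1440 s, otherwise garbage collection can remove it first.
    ini_set('session.gc_maxlifetime', '86400');

    // Browser side: a non-zero lifetime makes PHPSESSID a persistent cookie.
    // PHP sends it when the session id is created, so it expires at midnight.
    session_set_cookie_params([                  // array form needs PHP 7.3+
        'lifetime' => $ttl, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    // The cookie's expiry is only a hint to the browser: enforce the
    // deadline on the server as well ('expires_at' is a hypothetical key).
    if (isset($_SESSION['expires_at']) && $_SESSION['expires_at'] <= time()) {
        $_SESSION = [];                          // past midnight: drop the login
        session_regenerate_id(true);             // new id, new cookie
    }
    $_SESSION['expires_at'] ??= time() + $ttl;   // set once per session (PHP 7.4+)
}
```

When several applications share one session save path, the lowest `session.gc_maxlifetime` among them decides when idle session data is cleaned up.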
