Msg#: 4380618 posted 11:26 am on Oct 28, 2011 (gmt 0)
I've created a system that uses sessions for various different things but I've noticed that the sessions are "dying" as soon as the browser is closed. This means they have to log in again which can be annoying.
What I'd like to achieve is the user logs in and then stays logged in until midnight or the next day.
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().
Msg#: 4380618 posted 1:41 pm on Oct 28, 2011 (gmt 0)
That is really what a session is (unfortunately)... the browser session expires as the user moves off the site, closes their browser or after about 24 mins (by default under PHP) if left idle (i.e. the user does not navigate to another page and refresh the session in that time period).
You could perhaps combine this with a cookie. If the session has expired, check for this cookie and auto-log-back-in the user. But this auto-login should perhaps not log the user in fully - if the user wants to do something that requires an increased level of security (edit their profile for instance) then prompt for their password and complete a full login. Whether you store a cookie at all could be determined at the user's initial login, "[x] Keep me logged in for 1 day" - which is kind of what eBay does I think.
4. Don't extend the PHP session lifetime beyond an hour. If you do need to provide a "Remember Me" function: Generate a unique token, store it in that user's record in your database, and put that token in a cookie. If a user that doesn't have an active session requests a page, check for this token and use it to create a new logged in session for that user. It's a good idea to regenerate this token every time it's used to again ease security issues (unless clients need the ability to stay logged in on multiple computers.)
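The "Remember Me" token scheme from point 4, combined with the limited auto-login suggested above, sketched in PHP as an added example that is not part of any post in this thread. The `remember_tokens` table, the `remember_me` cookie, the function names and the `full_login` flag are assumptions; storing only a hash of the token goes beyond what the post describes, and the demo assumes PHP 7.3+ with the pdo_sqlite driver.

```php
<?php
declare(strict_types=1);
// Issue a fresh token for $userId; only its SHA-256 hash is stored server-side.
function issueToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32));
    $db->prepare('REPLACE INTO remember_tokens (user_id, token_hash, expires) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), strtotime('tomorrow')]); // next midnight
    return $userId . ':' . $token;               // value to place in the cookie
}

// Validate a cookie value; on success rotate the token and return [userId, newCookieValue].
function redeemToken(PDO $db, string $cookie): ?array
{
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT token_hash FROM remember_tokens WHERE user_id = ? AND expires > ?');
    $stmt->execute([(int) $m[1], time()]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !hash_equals((string) $stored, hash('sha256', $m[2]))) {
        return null;
    }
    return [(int) $m[1], issueToken($db, (int) $m[1])];
}

// Page bootstrap (web context): restore a limited login when no session is active.
function resumeLogin(PDO $db): void
{
    session_start();
    if (isset($_SESSION['user_id'])) {
        return;
    }
    $result = redeemToken($db, (string) ($_COOKIE['remember_me'] ?? ''));
    if ($result === null) {
        return;
    }
    session_regenerate_id(true);                 // new session id for the restored login
    $_SESSION['user_id']    = $result[0];
    $_SESSION['full_login'] = false;             // ask for the password before sensitive actions
    setcookie('remember_me', $result[1], ['expires' => strtotime('tomorrow'), 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// Constructed demo: an in-memory SQLite table stands in for the user database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE remember_tokens (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires INTEGER)');
$first = issueToken($db, 42);
var_dump(redeemToken($db, $first) !== null, redeemToken($db, $first)); // redeem once, then replay
```

With `user_id` as the primary key each user holds one token at a time, which is the single-device case; staying logged in on several computers needs one row per device instead.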
Msg#: 4380618 posted 4:47 pm on Oct 28, 2011 (gmt 0)
I've tried to find a way of setting the sessions to expire at midnight but had no joy.
What's not explicitly clarified here is that the reason the sessions die when you close the browser is that the PHPSESSID cookie is what connects the browser with the PHP sessionid. It is indeed a session cookie - but in respect to the PHPSESSID cookie itself, it's NOT a PHP session, it's a **browser** session. Close the browser, the cookie dies.
I've never tried this but it **should** work (and, you might be doing the same thing modifying session.cookie_lifetime.) Immediately after setting a new session, set a PHPSESSID cookie with a valid future expiration date, effectively overwriting or updating the PHPSESSID cookie. You'll have to make sure you grab the current session id and rewrite its value as the value of the cookie. A cookie with a valid future expiration date is a persistent cookie and will not die when you close the browser. To see this, and see if it's working, browse to the place you set the cookie in Firefox then examine the cookies for this domain.
There are two downsides to this, the first being you'll have to pair session_start() and your cookie mod (everywhere you do session_start(), modify the PHPSESSID cookie immediately afterward.) Shouldn't be a big task if you have all that in one place.
The second is although you can force the cookie to "live" beyond the PHP sessions, the server PHP session will still die at around 25 minutes from the last activity. But this should get you around the closed browser issue.