| 1:38 pm on Oct 28, 2011 (gmt 0)|
Look at the session.cookie_lifetime in PHP's runtime configuration
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().
| 1:41 pm on Oct 28, 2011 (gmt 0)|
That is really what a session is (unfortunately)... the browser session expires as the user moves off the site, closes their browser or after about 24 mins (by default under PHP) if left idle (i.e. the user does not navigate to another page and refresh the session in that time period).
You could perhaps combine this with a cookie. If the session has expired, check for this cookie and auto-log-back-in the user. But this auto-login should perhaps not log the user in fully - if the user wants to do something that requires an increased level of security (edit their profile for instance) then prompt for their password and complete a full login. Whether you store a cookie at all could be determined at the user's initial login, "[x] Keep me logged in for 1 day" - which is kind of what eBay does I think.
| 2:01 pm on Oct 28, 2011 (gmt 0)|
Note that session.gc_maxlifetime [php.net] (Default 1440 seconds = 24 mins) might expire the session before session.cookie_lifetime, if idle (as mentioned above).
Also, from 16 Tips for Secure Code [viper-7.com]:
|4. Don't extend the PHP session lifetime beyond an hour. If you do need to provide a "Remember Me" function: Generate a unique token, store it in that user's record in your database, and put that token in a cookie. If a user that doesn't have an active session requests a page, check for this token and use it to create a new logged in session for that user. It's a good idea to regenerate this token every time it's used to again ease security issues (unless clients need the ability to stay logged in on multiple computers.) |
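The "Remember Me" token scheme from tip 4, combined with the reduced-privilege auto-login suggested two posts up, as an added PHP example that is not part of this thread. The `$users` array, the function names and the `auth_level` session key are assumptions standing in for a real user table and application code; call `loginFromRememberCookie()` after `session_start()`.

```php
<?php
// Added example (not from the thread): "Remember Me" token as in tip 4.
// Assumption: an in-memory array stands in for the database row that would
// hold the token hash for each user.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 86400; // 1 day, matching "Keep me logged in for 1 day"

// Constructed stand-in for the users table: id => row
$users = [42 => ['name' => 'alice', 'remember_hash' => null]];

function issueRememberToken(array &$users, int $userId): void {
    // Random token; only its hash is stored, so a leaked table does not
    // hand out valid cookies.
    $token = bin2hex(random_bytes(32));
    $users[$userId]['remember_hash'] = hash('sha256', $token);
    setcookie(REMEMBER_COOKIE, $userId . ':' . $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

function loginFromRememberCookie(array &$users): ?int {
    if (!empty($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];  // active PHP session, nothing to do
    }
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $raw, $m)) {
        return null;                         // no cookie or malformed value
    }
    [, $userId, $token] = $m;
    $userId = (int) $userId;
    $stored = $users[$userId]['remember_hash'] ?? null;
    if ($stored === null || !hash_equals($stored, hash('sha256', $token))) {
        return null;                         // unknown user or wrong token
    }
    // Valid: fresh session id, mark the login as cookie-based so sensitive
    // actions re-prompt for the password, and rotate the token so the old
    // cookie value cannot be replayed (skip rotation for multi-device use).
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['auth_level'] = 'remembered';
    issueRememberToken($users, $userId);
    return $userId;
}
```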
| 2:29 pm on Oct 28, 2011 (gmt 0)|
while you're fiddling with sessions and runtime config, take a look at these, too:
they control the expiry of sessions.
(source: same link as above)
you can do a lot just by nudging those numbers up and down
| 4:47 pm on Oct 28, 2011 (gmt 0)|
|I've tried to find a way of setting the sessions to expire at midnight but had no joy. |
What's not explicitly clarified here is that the reason the sessions die when you close the browser is that the PHPSESSID cookie is what connects the browser with the PHP sessionid. It is indeed a session cookie - but in respect to the PHPSESSID cookie itself, it's NOT a PHP session, it's a **browser** session. Close the browser, the cookie dies.
I've never tried this but it **should** work (and, you might be doing the same thing modifying session.cookie_lifetime.) Immediately after setting a new session, set a PHPSESSID cookie with a valid future expiration date, effectively overwriting or updating the PHPSESSID cookie. You'll have to make sure you grab the current session id and rewrite its value as the value of the cookie. A cookie with a valid future expiration date is a persistent cookie and will not die when you close the browser. To see this, and see if it's working, browse to the place you set the cookie in Firefox then examine the cookies for this domain.
There are two downsides to this, the first being you'll have to pair session_start() and your cookie mod (everywhere you do session_start(), modify the PHPSESSID cookie immediately afterward.) Shouldn't be a big task if you have all that in one place.
The second is although you can force the cookie to "live" beyond the PHP sessions, the server PHP session will still die at around 25 minutes from the last activity. But this should get you around the closed browser issue.