
PHP Server Side Scripting Forum

    
Sessions expiring
LinusIT



 
Msg#: 4380618 posted 11:26 am on Oct 28, 2011 (gmt 0)

Hi

I've created a system that uses sessions for various different things but I've noticed that the sessions are "dying" as soon as the browser is closed. This means they have to log in again which can be annoying.

I used to use cookies that expired at midnight but changed to sessions as I thought they were more secure. I've tried to find a way of setting the sessions to expire at midnight but had no joy.

What I'd like to achieve is the user logs in and then stays logged in until midnight or the next day.

Any ideas please?

 

httpwebwitch




 
Msg#: 4380618 posted 1:38 pm on Oct 28, 2011 (gmt 0)

Look at the session.cookie_lifetime in PHP's runtime configuration

[php.net...]

session.cookie_lifetime integer

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0. See also session_get_cookie_params() and session_set_cookie_params().

penders




 
Msg#: 4380618 posted 1:41 pm on Oct 28, 2011 (gmt 0)

That is really what a session is (unfortunately)... the browser session expires as the user moves off the site, closes their browser or after about 24 mins (by default under PHP) if left idle (i.e. the user does not navigate to another page and refresh the session in that time period).

You could perhaps combine this with a cookie. If the session has expired, check for this cookie and auto-log-back-in the user. But this auto-login should perhaps not log the user in fully - if the user wants to do something that requires an increased level of security (edit their profile for instance) then prompt for their password and complete a full login. Whether you store a cookie at all could be determined at the user's initial login, "[x] Keep me logged in for 1 day" - which is kind of what eBay does I think.

penders




 
Msg#: 4380618 posted 2:01 pm on Oct 28, 2011 (gmt 0)

Note that session.gc_maxlifetime [php.net] (Default 1440 seconds = 24 mins) might expire the session before session.cookie_lifetime, if idle (as mentioned above).

Also, from 16 Tips for Secure Code [viper-7.com]:
4. Don't extend the PHP session lifetime beyond an hour. If you do need to provide a "Remember Me" function: Generate a unique token, store it in that user's record in your database, and put that token in a cookie. If a user that doesn't have an active session requests a page, check for this token and use it to create a new logged in session for that user. It's a good idea to regenerate this token every time it's used to again ease security issues (unless clients need the ability to stay logged in on multiple computers.)
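The "Remember Me" token described in the two posts above, as an added example that is not part of the original posts. It goes slightly beyond the quoted tip: only a hash of the token is stored, and tokens live in their own table so several devices can stay logged in. The `remember_tokens` table, the function names and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
// Added example: remember-me tokens, rotated on every use.
// Table, column and function names are hypothetical.
declare(strict_types=1);

// Create a token for a user and return the value to put in the cookie.
function issue_token(PDO $db, int $userId, int $ttl = 86400): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

// Check a cookie value. Returns the user id plus a replacement cookie value,
// or null when the token is unknown, expired, malformed or already used.
function redeem_token(PDO $db, string $cookie): ?array
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Single use: the row is deleted whether or not the validator matches.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$m[1]]);
    if ($row === false || (int) $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    $userId = (int) $row['user_id'];
    return ['user_id' => $userId, 'cookie' => issue_token($db, $userId)];
}

// Constructed demo data: in-memory database and user id 42.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
           validator_hash TEXT, user_id INTEGER, expires INTEGER)');
$cookie = issue_token($db, 42);
$login  = redeem_token($db, $cookie);    // first use succeeds and rotates the token
$replay = redeem_token($db, $cookie);    // same cookie again: token was deleted
var_dump($login['user_id'], $replay);
// In a page: on success call session_regenerate_id(true), flag the session as
// "remembered" (ask for the password before sensitive actions), and send
// $login['cookie'] with setcookie() using the secure and httponly options.
```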

httpwebwitch




 
Msg#: 4380618 posted 2:29 pm on Oct 28, 2011 (gmt 0)

while you're fiddling with sessions and runtime config, take a look at these, too:

session.gc_probability
session.gc_divisor
session.gc_maxlifetime

they control the expiry of sessions.

(source: same link as above)

you can do a lot just by nudging those numbers up and down

rocknbil




 
Msg#: 4380618 posted 4:47 pm on Oct 28, 2011 (gmt 0)

> I've tried to find a way of setting the sessions to expire at midnight but had no joy.


What's not explicitly clarified here is that the reason the sessions die when you close the browser is that the PHPSESSID cookie is what connects the browser with the PHP sessionid. It is indeed a session cookie - but in respect to the PHPSESSID cookie itself, it's NOT a PHP session, it's a **browser** session. Close the browser, the cookie dies.

I've never tried this but it **should** work (and, you might be doing the same thing modifying session.cookie_lifetime.) Immediately after setting a new session, set a PHPSESSID cookie with a valid future expiration date, effectively overwriting or updating the PHPSESSID cookie. You'll have to make sure you grab the current session id and rewrite its value as the value of the cookie. A cookie with a valid future expiration date is a persistent cookie and will not die when you close the browser. To see this, and see if it's working, browse to the place you set the cookie in Firefox then examine the cookies for this domain.

There are two downsides to this, the first being you'll have to pair session_start() and your cookie mod (everywhere you do session_start(), modify the PHPSESSID cookie immediately afterward.) Shouldn't be a big task if you have all that in one place.

The second is although you can force the cookie to "live" beyond the PHP sessions, the server PHP session will still die at around 25 minutes from the last activity. But this should get you around the closed browser issue.
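The settings named in this thread (session.cookie_lifetime and session.gc_maxlifetime) combined into one session start that lasts until midnight, as an added example that is not part of any post. Because the cookie's expiry is only enforced by the browser, the deadline is also stored in the session and checked on the server. The function names, the `expires_at` key and the `Europe/London` timezone are assumptions; it needs PHP 7.4+ and an HTTPS site (the cookie is marked `secure`).

```php
<?php
// Added example: session that survives a browser restart and ends at midnight.
// Function names and the 'expires_at' session key are hypothetical.
declare(strict_types=1);

// Seconds from $now until the next 00:00 in the given timezone.
function seconds_until_midnight(DateTimeZone $tz, ?DateTimeImmutable $now = null): int
{
    $now      = ($now ?? new DateTimeImmutable('now'))->setTimezone($tz);
    $midnight = $now->modify('tomorrow');   // 00:00 of the next day
    return $midnight->getTimestamp() - $now->getTimestamp();
}

function start_session_until_midnight(DateTimeZone $tz): void
{
    $ttl = seconds_until_midnight($tz);

    // Keep idle session data for up to a day; the default of 1440 s would let
    // garbage collection remove it long before midnight. Other applications
    // sharing the same session.save_path with a lower value can still purge it.
    ini_set('session.gc_maxlifetime', '86400');

    // Persistent cookie instead of a browser-session cookie (lifetime 0).
    session_set_cookie_params([
        'lifetime' => $ttl,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Server-side deadline: a client that keeps presenting an old cookie
    // after midnight gets an empty session under a fresh id.
    if (isset($_SESSION['expires_at']) && $_SESSION['expires_at'] <= time()) {
        session_unset();
        session_regenerate_id(true);
    }
    $_SESSION['expires_at'] ??= time() + $ttl;
}

// Constructed usage: call this wherever the application calls session_start().
start_session_until_midnight(new DateTimeZone('Europe/London'));
```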
