I've tried to find a way of setting the sessions to expire at midnight but had no joy.
What's not explicitly clarified here is that the reason the sessions die when you close the browser is that the PHPSESSID cookie
is what connects the browser with the PHP sessionid. It is indeed a session cookie - but in respect to the PHPSESSID cookie itself, it's NOT a PHP session, it's a **browser** session. Close the browser, the cookie dies.
I've never tried this but it **should** work (and, you might be doing the same thing modifying session.cookie_lifetime.) Immediately after setting a new session, set a PHPSESSID cookie with a valid future expiration date, effectively overwriting or updating the PHPSESSID cookie. You'll have to make sure you grab the current session id and rewrite it's value as the value of the cookie. A cookie with a valid future expiration date is a persistent cookie
and will not die when you close the browser. To see this, and see if it's working, browse to the place you set the cookie in FireFox then examine the cookies for this domain.
There are two downsides to this, the first being you'll have to pair session_start() and your cookie mod (everywhere you do session_start(), modify the PHPSESSID cookie immediately afterward.) Shouldn't be a big task if you have all that in one place.
The second is although you can force the cookie to "live" beyond the PHP sessions, the server PHP session will still die at around 25 minutes from the last activity. But this should get you around the closed browser issue.