How to extend Session Cookie life through .htaccess file

Forum Moderators: coopster

Message Too Old, No Replies

How to extend Session Cookie life through .htaccess file

Conan421

5:12 pm on Oct 12, 2021 (gmt 0)

i have a site and i want to extend the session for a month

i wrote these lines in my .htaccess file :

php_value session.cookie_lifetime 2592000
php_value session.gc_maxlifetime 2592000

but still the session destroys after like an hour
i have tried a lot of things but didn’t come up with a result

not2easy

4:42 pm on Oct 13, 2021 (gmt 0)

Hi Conan421 and welcome to WebmasterWorld [webmasterworld.com]

Sorry, I am not much help for PHP but I do not believe you can use lines like that in .htaccess for extending cookie sessions, I am pretty sure that would need to be part of the cookie's content.

Your .htaccess file is read on file requests, not again after they have set a cookie. If your host uses php.ini you can change some options, but again, php is processed before loading resources.

As I said, I am not the person to tell you how, but in general terms it does not appear to be something your server settings can do. Especially today when browsers are compartmentalizing cookies.

I know there are others around here who may have far better answers, I'm hoping someone spots the new title.

NickMNS

5:29 pm on Oct 13, 2021 (gmt 0)

i have a site and i want to extend the session for a month

This is not a good idea. Should an attacker get hold of the session cookie they would have access for up to 30 days. It is preferable to renew the session after some short period. As such if an attacker got hold of the cookie their access would be limited to a maximum time of that short period. Thereafter the attacker would need to repeat the attack to steal the cookie again. Meanwhile, if the session auto renews the user would not notice any difference.

I strongly urge you to read the following "cheat sheet" regarding sessions. it is technical (not too much) but if you are considering making changes to your .htaccess file to override security settings than you should have the technical ability to read and understand the implications of the article.
[cheatsheetseries.owasp.org...]

See the section on "Automatic Session Expiration" for a better and more detailed explanation.

Conan421

7:15 pm on Oct 13, 2021 (gmt 0)

Thanks for the very useful advices and the link guys

my host doesn't use php.ini

lucy24

8:03 pm on Oct 13, 2021 (gmt 0)

i have a site and i want to extend the session for a month

That’s simply not what a session is, unless you’re running some kind of online gaming marathon. An ordinary cookie can be set to whatever length you like; a session cookie is supposed to expire when the user leaves.

Conan421

8:43 pm on Oct 13, 2021 (gmt 0)

i tried to set an ordinary cookie but it won't set up after posting a form

if($_SERVER["REQUEST_METHOD"] == "POST"){
$variable=$_POST['input1'];
$cookie_name = "user";
$cookie_value = $variable;
setcookie($cookie_name, $cookie_value, time() + (86400 * 30), "/");
}

can't figure out what's wrong

lucy24

12:10 am on Oct 14, 2021 (gmt 0)

You said .htaccess, meaning you’re on an Apache server. In that case, one easy way to set cookies is with the mod_rewrite [CO] flag. Name, value, sitename, duration in minutes.