0

I am not using browser cookies as I know they can be manipulated, I am using session cookies but the problem for me is that the user logs in and is logged out automatically if he/she restarts the computer or browser.

What is the best way to prevent this or have something like "keep me signed in [√]"? I have seen most websites with this feature.

Thanks a lot in advance!

  • possible duplicate of [(PHP) how to destroy or unset session when user close the browser without clicking on logout?](http://stackoverflow.com/questions/2839988/php-how-to-destroy-or-unset-session-when-user-close-the-browser-without-clicki) – iblue Jul 29 '12 at 21:49
  • the complete opposite, I want to preserve the session after that @iblue. –  Jul 29 '12 at 21:51

3 Answers

2

"I am not using browser cookies" and "I am using session cookies"

so you are using cookies. Try to call

session_set_cookie_params(3600*24*365*5); // lifetime in seconds (5 years), not an absolute timestamp

before session_start()

iblue
mrok
  • is this only on the login page or on every page? –  Jul 29 '12 at 21:56
  • I think you need to do it on every page (or just include one file with session stuff in every page) - you never know which page is visited first by your user and when the session is started. You can also: 1. Set up the lifetime in php.ini - then you do not need to add anything to the PHP code. 2. Force/update the session cookie on your login page by calling setcookie(session_name(),session_id(),time()+$lifetime); – mrok Jul 29 '12 at 22:04
  • how would that work, can you please pastebin the code? I'm kinda new so this isn't too clear for me –  Jul 29 '12 at 22:44
  • @muq - I guess you do not have one 'entry point', but for every page you have a separate PHP file. So here you have the example: http://pastebin.com/WFnvvMVV – mrok Jul 29 '12 at 23:06
0

To avoid confusion, the session id is stored in a cookie. You can simply extend the lifetime of the session cookie. Other solutions are .. tricky.

Halcyon
  • how would I extend the lifetime of a session cookie? I mean what causes them to expire? –  Jul 29 '12 at 21:51
  • The cookie lifetime :P In PHP the session cookie is `PHPSESSID`, it is automatically set if you call `session_start`. You can override it with the `setcookie` function, it has an 'expire' parameter. – Halcyon Jul 29 '12 at 21:53
0

You'd have to set an expiration time on your cookie. Normally, session cookies are deleted when the user closes the browser. Cookies with an expiration time are only deleted when the cookie expires, the user clears the browser cache/uninstalls the browser/etc.

In PHP for example, you could use the setcookie('somename', 'somevalue', timeoutvalue) method for more permanent cookies and retrieve them using $_COOKIE['somename'], as opposed to $_SESSION['somename'] = 'somevalue'. If you want some more security, you could save the login status to the database as well, and compare it to the cookie each time the user goes to your website. That way you prevent someone from tampering with the cookie to fake their identity.

DandyDev
  • aren't these cookies manipulable by the end user? How would be the best way to put it in the db? –  Jul 29 '12 at 22:00
  • I'd answer it, if it wasn't explained really well already: http://stackoverflow.com/questions/1354999/keep-me-logged-in-the-best-approach :) In short: save not only a cookie containing the user's username/email/id/whatever, but also a cookie with an unspoofable hash. Save that hash in the database as well, and compare those two each time the user comes to your site. – DandyDev Jul 29 '12 at 22:03
  • @DandyDev - AFAIK there is some misunderstanding: session cookie is just normal cookie with no expiration date (browser remove it when close true) - it is not connected with PHP session. Maybe sometimes php session id is kept in session cookie - but it is not 'a must' – mrok Jul 29 '12 at 22:14
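
The "cookie plus hash in the database" approach from the last answer, as an added example that is not code from any of the posters. The cookie name `remember`, the 30-day `REMEMBER_TTL`, the function names and the in-memory `$store` array (a constructed stand-in for a database table) are all assumptions made for illustration.

```php
<?php
// Added example: persistent-login token whose hash is kept server-side.
// $store is a constructed in-memory stand-in for a database table.
const REMEMBER_TTL = 60 * 60 * 24 * 30; // 30 days, an assumed policy

function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, only sent to the browser
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // raw secret is never stored
        'expires' => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

function verifyRememberToken(array &$store, string $cookie, int $now): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                         // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use: caller re-issues on success
    if ($row['expires'] < $now
        || !hash_equals($row['hash'], hash('sha256', $validator))) {
        return null;                         // expired or tampered value
    }
    return $row['user_id'];
}

function sendRememberCookie(string $value, int $now): void
{
    setcookie('remember', $value, [          // options array needs PHP 7.3+
        'expires' => $now + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo, run from the CLI.
$db = []; $now = time();
$good = issueRememberToken($db, 42, $now);
var_dump(verifyRememberToken($db, $good, $now));        // genuine cookie
$bad = issueRememberToken($db, 42, $now) . 'x';
var_dump(verifyRememberToken($db, $bad, $now));         // altered cookie
```

On a successful check the caller would start the PHP session, call `session_regenerate_id(true)`, and send a freshly issued token with `sendRememberCookie()`.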