4

For the header of every page of my login-ed section, I added the following codes to maintain the session:

session_set_cookie_params(1200, '/mysystem');
session_start();

My intention is, I set the session lifetime to 1200 seconds, with path /mysystem via the function session_set_cookie_params(). The reason using this function is to separate the session cookie with other PHP scripts in same domain, e.g. http://www.example.com/another_system/

The problem is, the session expires when 1200 seconds is reached, no matter there are activities ( such as load another page under /mysystem , or refresh the page .

Expected behavior: The session "countdown" resets when page activity is made when active session is valid.

What did I miss ?

Raptor
  • 53,206
  • 45
  • 230
  • 366
  • Do you want to "Extend session timeout automatically" ? Maybe this will help http://stackoverflow.com/questions/514155/extending-session-timeout-in-php-via-the-htaccess – Justin T. Mar 22 '13 at 10:24
  • no, as it does not consider isolating session variable to specific path only, which is the intention of using the function `session_set_cookie_param()` . – Raptor Mar 25 '13 at 02:20

2 Answers2

5

This is how it works. The cookie is set once, after that it starts counting down. To solve this, you have to reset the cookie with a new expiration date, every time the user interacts with the backend.

Rijk
  • 11,032
  • 3
  • 30
  • 45
  • how to reset the timer? I thought the `session_set_cookie_param` already reset the timer. Should I set to 0 instead of 1200? Will the existing session variable lost ? – Raptor Mar 22 '13 at 10:26
  • 2
    You just have to make sure a new cookie is stored on the client side. One way I think is by calling `session_regenerate_id()`. – Rijk Mar 22 '13 at 10:29
  • I found out that set the value to `0` will achieve the goal. – Raptor Mar 22 '13 at 10:46
  • 1
    That will keep the cookie alive as long as the browser window is open. This is actually a different solution, but great if it works for you. – Rijk Mar 22 '13 at 11:00
  • Isn't it that the session lifetime will still be bound by `php.ini`'s settings? By default, session lifetime is set to 20 minutes. – Raptor Mar 22 '13 at 11:02
  • 1
    The session lifetime and the cookie lifetime are two different things. When the cookie expires, the user will lose the link with his session on the backend, thus logging out. However, when the user leaves the tab open for an hour, the cookie will still be there, but the session on the backend will have expired (depending on the `php.ini` settings), so the session ID stored in the cookie won't match a session on the backend anymore. In which case, the user is logged out as well. – Rijk Mar 22 '13 at 11:08
2

you can try time() function to update the cookie expire time..

try to add time() function in every page , get the current page loaded time and make it expire

by $expireTime = time()+1200;

      <?php

          session_set_cookie_params($expireTime, '/mysystem');
          session_start()
       ?>
venkatesh
  • 164
  • 1
  • 13
  • Not working, as the value of `$expireTime` will keep increasing – Raptor Mar 22 '13 at 10:31
  • @ShivanRaptor Yes, whenever the page loaded/reloaded the time will updated and expire time will also increase... – venkatesh Mar 22 '13 at 10:33
  • 1
    Scenario: A user refreshes the page 200 times in a valid session, the `$expireTime` will become 1363948541+1200, which won't expire in the user's lifetime (i mean the human life). – Raptor Mar 22 '13 at 10:36
  • @ShivanRaptor check this it may useful to youhttp://stackoverflow.com/questions/9124560/how-to-expire-php-session-if-user-is-inactive-for-15-mins – venkatesh Mar 22 '13 at 10:36
  • thanks, but not useful, as it does not consider isolating session variable to specific path only, which is the intention of using the function `session_set_cookie_param()`. – Raptor Mar 22 '13 at 10:39