
I'm creating a login/logout system with PHP, where clients are able to decide whether to use the 'remember me' button or not. In my login.php file, I check to see if they want to be remembered like this:

if(isset($_POST["remember_me"])){
    $_SESSION["remember_me"] = true;
}

Hence, when I want to set gc_maxlifetime, I need to know whether the client should be remembered or not. But as we know, gc_maxlifetime should be set before session_start(), and I can't access the

$_SESSION["remember_me"]

variable. What should I do? Is there any other way to tell the server since when a certain session should be subject to the garbage collector?

Thanks in advance.

Makan
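The ordering problem the question runs into, shown as an added example (this is not code from the question or the answer): the session settings, including gc_maxlifetime, are applied before session_start(), at which point $_SESSION does not exist yet, so the stored remember_me flag cannot influence them. The usual way round it is to give gc only a global upper bound and enforce the per-user idle limit in application code from a last-activity timestamp. The limits, key names and the PHP 7.3+ array form of session_set_cookie_params() are assumptions.

```php
<?php
// Added example, not from the original post. Constants and key names are
// assumed for illustration.
const IDLE_LIMIT_DEFAULT  = 3600;        // one hour
const IDLE_LIMIT_REMEMBER = 14 * 86400;  // two weeks

// 1. Session configuration must happen BEFORE session_start(). $_SESSION is
//    not populated yet, so nothing stored in it can be consulted here.
//    gc_maxlifetime is global for everyone sharing this save_path, and the
//    smallest value any script sets is the one gc effectively uses; it is
//    only a ceiling for abandoned data, not a per-user timeout.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT_REMEMBER);
ini_set('session.use_strict_mode', '1');   // refuse session ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie; no long-lived session cookie
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// 2. The real per-user limit is applied AFTER session_start(), when the flag
//    is readable. The one-hour limit is enforced here even though gc would
//    keep the data for two weeks.
$limit = !empty($_SESSION['remember_me']) ? IDLE_LIMIT_REMEMBER : IDLE_LIMIT_DEFAULT;

if (isset($_SESSION['last_activity_time'])
    && time() - $_SESSION['last_activity_time'] > $limit) {
    // Idle too long: drop the server-side data and start a fresh session
    // under a new id rather than continuing the expired one.
    $_SESSION = [];
    session_destroy();
    session_start();
    session_regenerate_id(true);
}
$_SESSION['last_activity_time'] = time();

// 3. On a login POST, record the choice (as the question does) and rotate the
//    session id so a pre-login id cannot be fixated onto the logged-in user.
if (isset($_POST['remember_me'])) {
    session_regenerate_id(true);
    $_SESSION['remember_me'] = true;
}
```

Setting gc_maxlifetime to the longer value only decides when PHP may delete idle session data; every user's effective timeout comes from the comparison against last_activity_time, so the one-hour users are logged out on time even though their files may linger on disk until gc runs.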


I don't think it's a good idea to use the sessions for persistent login. For one, because having a different gc_maxlifetime for different sessions won't work. As the manual states:

If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.

So unless you also want to change the session storage location, don't go there.

Besides this issue, you are not only keeping his login information alive on the server, but his entire session. If your application stores more data in sessions and you don't clean it up properly, your server ends up with big, long-lasting sessions that may never be used again. Storing large amounts of data in sessions is wrong anyway, but that is another discussion.

For creating a remember me function I would check how-to-securely-implement-a-remember-me-feature on stackexchange for some pointers.

Hugo Delsing
  • I already have implemented a system that closes sessions on every user access: $_SESSION["last_activity_time"] = time(); and I check this 'time' for every user on every page call. The max idle time for users is one hour, and for those who clicked remember me, the max idle time is two weeks. If I set all the gc_maxlifetimes to the 'two weeks' amount, does it reduce performance significantly? (Because, you know, it does not directly affect the functionality.) – Makan Jun 05 '13 at 13:47
  • Performance wise it won't be a very big problem in most cases, unless you store large amounts of data in sessions. Security wise it could be an issue, as you will create lots of long-lasting valid sessions. But then again, the same goes for remember me cookies. Check http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes/1270960#1270960 on how to make a long-lasting session, as just changing the lifetime isn't enough. But using sessions for persistent login just feels wrong, even if you get it to work. – Hugo Delsing Jun 05 '13 at 14:04
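The alternative the answer points at, a remember-me token kept apart from the PHP session, as an added example that is not part of the answer, the linked post or the question: the session stays short-lived, and a separate cookie carrying a selector and a random validator is used only to re-establish a session. The server stores a hash of the validator (so a leaked table cannot be replayed as cookies), compares it in constant time, and rotates the token on every use. The in-memory array standing in for a database table, the cookie name, the lifetime and the function names are assumptions.

```php
<?php
// Added example, not from the original thread. The array below stands in for
// a persistent table; names and lifetimes are assumed for illustration.
const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 14 * 86400; // two weeks

// selector => ['user_id', 'validator_hash', 'expires']  (constructed stand-in store)
$tokenStore = [];

// Issue a token at login. The cookie value is "selector:validator"; only the
// hash of the validator is stored server-side.
function issueRememberToken(array &$store, int $userId): string {
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_LIFETIME,
    ];
    return $selector . ':' . $validator;
}

// Validate a presented cookie value. Returns the user id or null.
function checkRememberToken(array &$store, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;
    }
    $row = $store[$selector];
    if ($row['expires'] < time()) {
        unset($store[$selector]);            // expired: clean up
        return null;
    }
    // The selector is looked up normally; the validator is the secret and is
    // compared in constant time against its stored hash.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($store[$selector]);            // known selector, wrong secret: revoke
        return null;
    }
    return $row['user_id'];
}

function setRememberCookie(string $value): void {
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// After the password check succeeds: new session id, and a token only if the
// checkbox from the question's form was ticked.
function onLoginSuccess(array &$store, int $userId): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    if (isset($_POST['remember_me'])) {
        setRememberCookie(issueRememberToken($store, $userId));
    }
}

// Per-request flow: the session keeps its normal short lifetime; the cookie
// only re-creates a session when none is active.
session_start();
if (empty($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $userId = checkRememberToken($tokenStore, $_COOKIE[REMEMBER_COOKIE]);
    if ($userId !== null) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        // Rotate: each token is single-use, so a copied cookie stops working
        // after the legitimate browser has used it once.
        $selector = explode(':', $_COOKIE[REMEMBER_COOKIE], 2)[0];
        unset($tokenStore[$selector]);
        setRememberCookie(issueRememberToken($tokenStore, $userId));
    } else {
        setcookie(REMEMBER_COOKIE, '', time() - 3600, '/');   // drop a bad cookie
    }
}
```

Because the long-lived secret lives in its own table rather than in session data, gc_maxlifetime can stay at its normal short value for every session on the save_path, which is exactly the constraint the answer quotes from the manual; logging out should delete the user's rows from the store as well as destroying the session.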