-2

How to make a session last for 4 hours even if the page is not accessed? I tried using ini_set('session.gc_maxlifetime',14400); and ini_set('session.cookie_lifetime', 14400); like this: 

ini_set('session.cookie_lifetime',  14400);
session_start();

but both won't work. I tried reading PHP SESSION but there's just a lot of information to take and I've tried several options already but to no good.

Edit: Now I've tried:

$hours = 4; //How long sessions last
$sessionCookieExpireTime=$hours*60*60;

// php.ini setting required for session timeout.
session_save_path('http://www.samplesite.com/');
ini_set('session.gc_maxlifetime', $sessionCookieExpireTime);
ini_set('session.gc_probability', 1);
ini_set('session.gc_divisor', 1);

session_set_cookie_params($sessionCookieExpireTime); /*Set the session parameters and start session*/
session_start();

then after validation:

setcookie(session_name(), $_COOKIE[session_name()], time() + 14400, "/");

It now shows that it will expire after 4 hours if I check the cookie data on my browser (not "When the browsing session ends") but if I leave the page inactive and get back to it after like an hour, it's not working as it logs me out. What is going on?

halfer
  • 19,824
  • 17
  • 99
  • 186
Leah
  • 225
  • 2
  • 10
  • 24
  • 1
    4 Hours? So you want to say the intruder, that YES, I've kept the gates wide open for you, feel free to mess my system – Mr. Alien Sep 02 '13 at 08:12
  • 1
    http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes – Aniket Kulkarni Sep 02 '13 at 08:13
  • Use a different session handler = database. In the _gc (garbage collector) set max session time to whatever you need. – djot Sep 02 '13 at 08:21
  • This is what the client wants and facebook's session can last this long (or longer) right? @Mr.Alien – Leah Sep 02 '13 at 08:38
  • @SandaraKwon I don't like facebook so I don't know, and educate your client and tell him the pros and cons, and am sure he will agree – Mr. Alien Sep 02 '13 at 08:39
  • or perhaps this is just ok for you ... http://stackoverflow.com/questions/16265118/create-lasting-php-login-cookie-sessions?rq=1 – djot Sep 02 '13 at 08:41
  • @Mr.Alien How much is different 4 hours from the default of 30 minutes? If you build unsecure systems, even 1 minute is too long. – Marek Sep 02 '13 at 08:55
  • @Marek 30 mins is more secure than 4 hours imo – Mr. Alien Sep 02 '13 at 09:02
  • ahm, however long he wants it.. does somebody know how this should be done.. i edited my question.. – Leah Sep 04 '13 at 02:31

1 Answers1

0

Where are your session files stored? If it's shared with other applications, those other applications' session lifetime settings also apply to you. Set session.save_path to directory which only your application will use.

I would keep session.cookie_lifetime to default: until the browser is closed.

Marek
  • 7,337
  • 1
  • 22
  • 33
  • I edited the question and set the session_save_path as you've instructed but it's still not working. – Leah Sep 03 '13 at 21:35
  • Remember that you have to set the same session.gc_* settings each time before session_start. – Marek Sep 04 '13 at 07:31
  • Right . I did that but it's not working . Supposedly the default behavior of a session is that it will end only when the browser is closed right? How come it's unset after a few minutes without closing the browser? – Leah Sep 19 '13 at 08:07