1

I am building a feed-based application. Once a user logs in to the application, his PHPSESSID is used to publish to a REDIS channel, and at the backend a socket.io event listens, pulls the relevant feeds and pushes them back to the application.

The challenge that I am facing now is this. I log in to the application, and everything is perfect with feeds. Now if I close my browser without logging out and navigate to my site again, it redirects me to the homepage because of a cookie. However, the feeds don't appear. This is because the PHPSESSID gets renewed when I open my browser again.

How do I fix this problem? Is there a flaw in my architecture design or can I manipulate the destruction of PHPSESSID even after browser close?

Any help will be greatly appreciated.

Thanks

mnemosyn
Gaurav Mehta
  • I would use data other than the PHPSESSID; when used persistently over connections like that it *could* result in security issues – Sammaye Oct 08 '13 at 19:23

1 Answer

1

Sessions only last as long as the browser is open. You would need to set a cookie if you would like the login to be persistent, but the session will still end when the browser is closed. Sessions are meant to be temporary. Cookies have nowhere near the security of sessions.

So to answer your question - a cookie lasts longer than a session. Cookies are not secure because they exist on the user's computer and not on your server. Sessions will last as long as the browser is open. You can save session information in a cookie and then recover it later and use it to start a new session, but you should not save any sensitive information in a cookie because there is no way of guaranteeing its integrity.

David
Charles D Pantoga
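An added example, not code from the question or the answer: one way to key the feed channel on something other than PHPSESSID is a persistent cookie holding an HMAC-signed user id and expiry, which the socket.io side verifies before choosing the Redis channel. The function names, token format, numeric user ids, channel naming and the in-process key are assumptions; in a real deployment the key is a stored secret shared by the PHP issuer and the Node listener.

```javascript
const crypto = require('crypto');

// Constructed key for the example; assumed to be a stored server-side secret in practice.
const SECRET = crypto.randomBytes(32);

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Cookie value "userId.expires.mac": holds no secret, only a signed claim.
function issueFeedToken(userId, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const payload = `${userId}.${expires}`;
  return `${payload}.${sign(payload)}`;
}

// Returns the user id if the token is authentic and unexpired, otherwise null.
function verifyFeedToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [userId, expires, mac] = parts;
  if (!/^\d+$/.test(userId) || !/^\d+$/.test(expires)) return null;

  const expected = Buffer.from(sign(`${userId}.${expires}`), 'hex');
  const given = Buffer.from(mac, 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;

  // Check expiry only after the MAC, so forged expiries are never trusted.
  if (Number(expires) * 1000 <= now) return null;
  return userId;
}

// Channel is derived from the verified user id, so it survives a new PHPSESSID.
function feedChannelFor(token, now = Date.now()) {
  const userId = verifyFeedToken(token, now);
  return userId === null ? null : `feeds:user:${userId}`;
}
```

On the PHP side the same MAC can be produced with `hash_hmac('sha256', $payload, $key)`, which also returns lowercase hex; the cookie itself should be set with the `HttpOnly` and `Secure` attributes.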