
Syntax to set session cookies

session_set_cookie_params($lifetime, $path, $domain, $secure, true);

Q1. Is setting session cookie like below secure or is there more to be done?

// arguments in order: lifetime, path, domain, secure, httponly
session_set_cookie_params(3600, '/', 'www.example.com', isset($_SERVER["HTTPS"]), true);

Q2. What should be the ideal lifetime for setting a session (from security view point) cookie?

Q3. If I ever decide to move my web admin folder to a subdomain, will the above code require a change?

Daksh B

2 Answers


A1: Your above code looks ideal; as long as it follows the PHP documentation page, who are we to say otherwise?

A2: This all just depends on exactly what this is being used for. In banking, some like to kill the session within minutes of inactivity. In gaming or social networking, these settings tend to be more relaxed and lenient so as to give the user more leeway.

A3: Yes, you would have to change the cookie to reflect the new subdomain admin change. If you wanted to set a global cookie (that works on all subdomains):

// lifetime, path, domain, secure, httponly; a bare 'example.com' domain also covers its subdomains
session_set_cookie_params(3600, '/', 'example.com', (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] != 'off') ? true : false, true);

Hope this helps!

Darren
Derek Pollard
  • thanks mate. Q2. It will be used for an ecommerce application. – Daksh B Jan 04 '16 at 17:02
  • If you aren't saving any crucial information (credit card numbers, DOB, SSN etc.,) I'd suggest allow the user to select a "Remember Me" option that will die in maybe 3 days? Otherwise, kill the session once they are no longer on the page. – Derek Pollard Jan 04 '16 at 17:04
  • Your A1 and A3 are what I hoped for, but Q2. still needs a bit of research from me... – Daksh B Jan 04 '16 at 17:09
  • Careful with that `isset($_SERVER["HTTPS"])`; it can break IIS. Consider `isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] !== 'off' : false` instead. http://stackoverflow.com/a/7304205/2224584 – Scott Arciszewski Jan 04 '16 at 22:30
  • Thanks @ScottArciszewski, I don't tend to use IIS as often, but it's always good to keep all possibilities, when I write these answers, in mind. Updated my answer accordingly :-) – Derek Pollard Jan 04 '16 at 22:40
    define('SESSION_EXPIRE', 3600 * 6);        // absolute session lifetime: 6 hours
    define('SESSION_EXPIRE_RELOAD', 1800);     // regenerate the id during the last 30 minutes

    ini_set('session.gc_maxlifetime', SESSION_EXPIRE); // server-side data lifetime, in seconds
    ini_set('session.name', 'prl');
    ini_set('session.cookie_httponly', true);
    ini_set('session.cookie_secure', false);

    session_set_cookie_params(SESSION_EXPIRE);
    session_start();

How do I expire a PHP session after 30 minutes?

    function sessionRegenerate()
    {
        if (!isset($_SESSION['SESSION_CREATED'])) {
            // first request of this session: record when it was created
            $_SESSION['SESSION_CREATED'] = time();
        } elseif ((SESSION_EXPIRE - (time() - $_SESSION['SESSION_CREATED'])) < SESSION_EXPIRE_RELOAD
            && (SESSION_EXPIRE - (time() - $_SESSION['SESSION_CREATED'])) > 0) {
            // less than SESSION_EXPIRE_RELOAD seconds remain: issue a fresh id
            // and restart the clock
            session_regenerate_id(true);
            $_SESSION['SESSION_CREATED'] = time();
        }
    }
Danilo Santos
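An added example, not part of the answer above, that enforces the two timeouts discussed in this thread: an idle timeout (the "kill the session once they are no longer on the page" case from the comments) and the absolute lifetime from this answer, with periodic id rotation on top. It reuses the answer's SESSION_EXPIRE and SESSION_EXPIRE_RELOAD constants; SESSION_IDLE_TIMEOUT, its value of 30 minutes, and the function names sessionIsValid and enforceSessionPolicy are assumptions for this example. The block stands alone and is not meant to be pasted under the answer's own define() calls.

```php
<?php
// Added example: idle timeout + absolute lifetime + periodic id rotation.
// SESSION_IDLE_TIMEOUT, sessionIsValid() and enforceSessionPolicy() are hypothetical.

define('SESSION_EXPIRE', 3600 * 6);       // absolute lifetime: 6 hours
define('SESSION_IDLE_TIMEOUT', 1800);     // idle timeout: 30 minutes (assumed value)
define('SESSION_EXPIRE_RELOAD', 1800);    // rotate the session id every 30 minutes

/** Pure check so the policy can be reasoned about without a live session. */
function sessionIsValid(array $s, int $now): bool
{
    if (!isset($s['SESSION_CREATED'], $s['LAST_ACTIVITY'])) {
        return false;
    }
    if ($now - $s['SESSION_CREATED'] > SESSION_EXPIRE) {
        return false;   // absolute lifetime exceeded, regardless of activity
    }
    if ($now - $s['LAST_ACTIVITY'] > SESSION_IDLE_TIMEOUT) {
        return false;   // user walked away
    }
    return true;
}

function enforceSessionPolicy(): void
{
    $now = time();

    if (isset($_SESSION['SESSION_CREATED']) && !sessionIsValid($_SESSION, $now)) {
        // Expired: drop the server-side data, then start a brand-new session
        // under a new id so the old cookie value is worthless.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }

    if (!isset($_SESSION['SESSION_CREATED'])) {
        $_SESSION['SESSION_CREATED'] = $now;
        $_SESSION['LAST_ROTATED']    = $now;
    } elseif ($now - $_SESSION['LAST_ROTATED'] > SESSION_EXPIRE_RELOAD) {
        // Rotation bounds how long a leaked id stays usable, and the user
        // never notices because the session data is carried over.
        session_regenerate_id(true);
        $_SESSION['LAST_ROTATED'] = $now;
    }

    $_SESSION['LAST_ACTIVITY'] = $now;
}

// Server-side garbage collection must not outlive the policy, or the
// data survives after the checks above consider it expired.
ini_set('session.gc_maxlifetime', (string) SESSION_EXPIRE);
ini_set('session.use_strict_mode', '1');

// lifetime, path, domain, secure, httponly (IIS-safe HTTPS check from the first answer)
session_set_cookie_params(
    SESSION_EXPIRE,
    '/',
    '',
    !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    true
);
session_start();
enforceSessionPolicy();
```

The idle timeout is enforced on the server from LAST_ACTIVITY rather than by trusting the cookie's expiry, since a client can keep presenting a cookie long after the browser would have discarded it; the cookie lifetime only decides what a well-behaved browser does.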