22

Could anyone tell how to maintain a session (in PHP) so that the session contains are preserved and are accessible even after the browser is restarted.

In general a session expires with the closing of a browser, but I want the session NOT TO BE CLOSED so that the session data's can be accessed the next time the browser is used.

Octavian
  • 4,519
  • 8
  • 28
  • 39
  • That stops being session data and starts being more persistent data (in like a DB) surely? – Lloyd Sep 10 '10 at 12:36
  • How do you record session - with a cookie? You'll need to make that cookie persist beyond the browser session then - sorry I can't tell you what specificially you need to do for PHP. If you're using cookieless sessions by adding IDs to your URLs I'm not sure if you can do this unless you can force the user to return to the same URL. – Rup Sep 10 '10 at 12:37

7 Answers7

31

Use session_set_cookie_parameters() to give the session cookie a non-zero lifetime before starting the session, or set session.cookie_lifetime to non-zero.

Ignacio Vazquez-Abrams
  • 776,304
  • 153
  • 1,341
  • 1,358
10

It's oxymoron.
Session stands for "until browser is closed".
Session is something that expires.
If you don't want it to be expired, you're probably don't want a session at all.

You are probably messing session with cookie or database.

Your Common Sense
  • 156,878
  • 40
  • 214
  • 345
  • 12
    Sessions work with cookies, which are deleted when the browser is closed, _unless_ they have a specific life-time. – jwueller Sep 10 '10 at 12:45
  • @elusive 1. cookie is not the only thing responsible for the session lifetime. 2. I am talking of term "session", not specific PHP mechanism. but PHP session ideology of course follows this definition. You can disregard that behavior, but you will just spoil yourself. – Your Common Sense Sep 10 '10 at 12:50
  • 1
    Cookies are called *session cookies* if they expire when the browser session expires. And that is the case when the browser is closed. But such a session cookie does not need to contain a session ID. – Gumbo Sep 10 '10 at 14:10
  • 1
    The cookie should not be responsible for the session lifetime at all; it’s the server that maintains the session, not the client. – Gumbo Sep 10 '10 at 14:11
  • it's surprising that the user with such a big reputation is so unfamiliar with contemporary session implementations – 9ilsdx 9rvj 0lo Jan 10 '17 at 15:05
4

Session in php (and in most web technologies) work like this :

You store a session id in a cookie on the client computer.

When the client come to your site he send you the session id.

The server find the session datas in a file with the session id and load it.

So closing the browser has not effect on the session, but if the browser empty the cookie when you close it (I don't think any browser do such a thing).

If you wana be sure the user is always logged in, you can store it's user/password in his cookies but it's not really safe.

remi bourgarel
  • 9,231
  • 4
  • 40
  • 73
  • 1
    Or you can store a cryptographic token in the cookies instead. – Ignacio Vazquez-Abrams Sep 10 '10 at 12:43
  • Why it's not safe? It's absolutely safe if you use cookies safely and cleverly. – good_evening Sep 10 '10 at 12:44
  • 1
    @hey : it's not safe : I go on your computer, I go to the cookies directory and I read your login informations, and I'm 99% sure that you use these informations in some other websites. If it's a public computer it's even funnier. @ignacio : indeed you can create your own session system. – remi bourgarel Sep 10 '10 at 13:07
  • 6
    If you had physical access to my machine, Cookies would be the least of my worries. – Oliver O'Neill Sep 10 '10 at 13:09
  • I think so, I could check your bank account, or your pro email. And in a public computer anyone can see cookies from previous users. – remi bourgarel Sep 10 '10 at 15:13
  • 1
    well if you had access to my pc, then worse it to go to chrome settings, open the password panels and there it is all the passwords – Miguel Oct 15 '14 at 10:28
  • @Miguel not anymore, AFAIK you are required to enter the device password to view them now. – Script47 Apr 22 '18 at 15:41
4

The easiest and best i have found is that instead of just session_start we should input this on each page there is a session

$expire = 365*24*3600; // We choose a one year duration

ini_set('session.gc_maxlifetime', $expire);

session_start(); //We start the session 

setcookie(session_name(),session_id(),time()+$expire); 
//Set a session cookies to the one year duration
John Max
  • 432
  • 8
  • 23
0

You can do something like this: (see session_set_cookie_parameters() and session_name())

// long long time
$sessionTime = 365 * 24 * 60 * 60;
$sessionName = "my_session";
session_set_cookie_params($sessionTime);
session_name($sessionName);
session_start();

if (isset($_COOKIE[$sessionName])) {
    setcookie($sessionName, $_COOKIE[$sessionName], time() + $sessionTime, "/");
}

For $sessionTime, also refer to this question

Community
  • 1
  • 1
He Yifei 何一非
  • 2,592
  • 4
  • 38
  • 69
0

This work!

// long long time
$sessionTime = 365 * 24 * 60 * 60;
$sessionName = "PHPSNAME";
session_set_cookie_params($sessionTime);
session_name($sessionName);
session_start();
if (isset($_COOKIE[$sessionName])) {
    setcookie($sessionName, $_COOKIE[$sessionName], time() + $sessionTime, "/");
}
No Name
  • 1
  • 1
-1

This can be done if you use cookies instead of sessions.

Mischa
  • 42,876
  • 8
  • 99
  • 111
  • Well, what I meant was using setcookie instead of session_start – Mischa Sep 10 '10 at 12:45
  • with url params (or whatever place in the http request), but it's not the default behavior and I think that here we are looking at a normal case. But you're right indeed – remi bourgarel Sep 10 '10 at 13:05