
I'm trying to implement a system to keep a user logged in for a while. I can do that by using cookies, storing them in the database, and then identifying him.

But recently I heard a session can be alive even when the user closes his browser and opens a new window. I mean, can a session still be available after closing/opening the browser again (or even multiple times)?


How much time (maximum) can I use $_SESSION["LoginValidation"] in following script?

<?php
session_start();
$_SESSION["LoginValidation"] = true;

Currently that session will be available until closing the browser.

stack
  • No way to answer. Session lifetime is configurable per PHP install. The default is to make it for the browser session only, but you can set any expiry you want. But even if the session file still exists on your server, the session COOKIE in the client's browser may vanish long beforehand, e.g. you'll have an orphaned session file. – Marc B Jun 27 '16 at 16:09
  • Possible duplicate of [Is possible to keep session even after the browser is closed?](http://stackoverflow.com/questions/3684620/is-possible-to-keep-session-even-after-the-browser-is-closed) – Chris Jun 27 '16 at 16:17
  • @MarcB *"but you can set any expiry you want"* ..! So I can keep a session alive **on the server** even when the user closes the browser. Right? – stack Jun 27 '16 at 17:01
  • Yes. The cookie can expire at a different time than the session file itself. There are TWO expiries: 'client-side delete' (erase the cookie, which loses the session), or server-side delete (delete the session file; the client still has the cookie, but it refers to a non-existent session file now). – Marc B Jun 27 '16 at 18:21

2 Answers

Approach 1) session.cookie_lifetime: This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable. It is relative to the server time, so you need to account for differences between the time on your clients' machines and on your server. There's also session.gc_maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed.

While you can set both of these settings to relatively high values and have it working, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actually dead sessions.

Another approach, to keep the session alive even after closing the browser, is to save the session in the database and get its id, and set that id in a user cookie via

setcookie("name","value",time()+$int);

so you can fetch that value from $_COOKIE["name"] and use it to get the session variables from the database.

Lucky Sharma
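Approach 1 above sets two independent lifetimes, and the comments point out what happens when they disagree. The following is an added example, not the answerer's code, showing how to set both before session_start() and how to check that they agree. The 14-day value, the secure/httponly/samesite cookie attributes and the helper names are my own choices; session_set_cookie_params() with an options array needs PHP 7.3 or later.

```php
<?php
// Added example (not from the answer): set both lifetimes consistently.
declare(strict_types=1);

const PERSIST_SECONDS = 14 * 24 * 60 * 60; // 14 days, a constructed value

function configurePersistentSession(int $lifetime): void
{
    // Server side: idle session data older than this is eligible for GC
    // (session.gc_maxlifetime). On distributions that run GC from cron
    // instead of from PHP, the cron job reads php.ini, not this ini_set().
    ini_set('session.gc_maxlifetime', (string) $lifetime);

    // Client side: how long the browser keeps the session-id cookie
    // (session.cookie_lifetime). 0, the default, is a browser-session cookie.
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Describe any mismatch between the two lifetimes, or return null.
// Cookie longer than GC lifetime: the browser keeps an id that points at a
// non-existent session file. GC lifetime longer than cookie: orphaned
// session data lingers on the server.
function lifetimeMismatch(): ?string
{
    $cookie = (int) session_get_cookie_params()['lifetime'];
    $gc     = (int) ini_get('session.gc_maxlifetime');
    if ($cookie === 0) {
        return null; // browser-session cookie: the default behaviour
    }
    if ($cookie > $gc) {
        return "cookie ({$cookie}s) outlives server data ({$gc}s)";
    }
    if ($gc > $cookie) {
        return "server data ({$gc}s) outlives cookie ({$cookie}s)";
    }
    return null;
}

configurePersistentSession(PERSIST_SECONDS);
session_start();
$_SESSION['LoginValidation'] = true;
echo lifetimeMismatch() ?? 'lifetimes agree (' . PERSIST_SECONDS . 's)', PHP_EOL;
```

Both calls must happen before session_start(), because the cookie is emitted with the first response of the session. Note that the mismatch check only sees this PHP process's view of the settings; if garbage collection is run externally, compare against the value that job actually uses.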

In order to make the session persist after closing the browser you need to set an expiry time for the session cookie. A cookie without an expiry time is deleted when the browser is closed, and is normally referred to as a session cookie (which is not the same thing as a PHP session - just related).

(side note: if your browser is configured to "save open tabs" at exit, then the session cookies may be saved by the browser even though they should be deleted)

So you could just set session.cookie_lifetime to a large value. But that doesn't stop the session data stored on your server from being deleted - to keep the data for longer you need to up the value for session.gc_maxlifetime.

BUT THIS IS THE WRONG WAY TO FIX THE PROBLEM

There are security and capacity implications to implementing such persistent sessions - you should certainly NEVER implement this as default behaviour - only where the user has explicitly given their consent.

Using a "Remember me" cookie as a sort of lightweight session system is the best practice solution. Give it a random value (I suggest you use a reasonably reliable source of random numbers, e.g. base64_encode(openssl_random_pseudo_bytes(64))) and a name which does not conflict with other cookies, and store it along with the data you really want to persist across the actual sessions (e.g. authenticated username).

symcbean
  • More specific discussion here: http://stackoverflow.com/questions/244882/what-is-the-best-way-to-implement-remember-me-for-a-website – symcbean Jun 27 '16 at 16:21
  • Thank you, upvoted. So I cannot store any session on the server after closing the browser, right? – stack Jun 27 '16 at 16:59
  • There are a lot of things which can go wrong if you do. Storing the minimum amount of information when you have an explicit and informed mandate from the user in what is effectively a parallel session solves most of them. – symcbean Jun 27 '16 at 23:12
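The "Remember me" cookie both answers recommend is worth seeing end to end. This is an added example, not code from either answerer: a selector/validator token stored in a SQLite table of my own design (in-memory here so it runs offline), with only a hash of the secret part kept server-side. The table name, cookie name, 30-day lifetime and all usernames are constructed values. It uses random_bytes() rather than the openssl_random_pseudo_bytes() mentioned above; both are acceptable sources on modern PHP.

```php
<?php
// Added example, not the answerers' code. Assumes PDO with the SQLite driver.
declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';       // constructed cookie name
const REMEMBER_LIFETIME = 30 * 24 * 60 * 60;   // 30 days, constructed value

function openStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        username       TEXT NOT NULL,
        expires_at     INTEGER NOT NULL)');
    return $db;
}

// Issue a token. The selector is an opaque lookup key; the validator is the
// secret. Only a hash of the validator is stored, so a leaked table does not
// yield usable cookies. Returns the value to put in the cookie.
function issueRememberToken(PDO $db, string $username, int $now): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $username, $now + REMEMBER_LIFETIME]);
    return $selector . ':' . $validator;
}

// Resolve a presented cookie value to a username, or null if it is not valid.
function resolveRememberToken(PDO $db, string $cookie, int $now): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, username, expires_at
                          FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null; // unknown selector or expired token
    }
    // Constant-time comparison so the hash cannot be probed via timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector with a wrong secret suggests a stolen/guessed cookie:
        // revoke the token so the legitimate copy stops working too.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
        return null;
    }
    return $row['username'];
}

// Send the cookie with an explicit expiry so it survives the browser closing.
function setRememberCookie(string $value): void
{
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-contained walk-through with constructed values (no real HTTP request).
$db     = openStore();
$now    = time();
$cookie = issueRememberToken($db, 'alice', $now);

check(resolveRememberToken($db, $cookie, $now) === 'alice', 'valid token resolves');
check(resolveRememberToken($db, $cookie, $now + REMEMBER_LIFETIME + 1) === null, 'expired token rejected');
check(resolveRememberToken($db, 'not-a-token', $now) === null, 'malformed value rejected');
$tampered = explode(':', $cookie, 2)[0] . ':' . str_repeat('0', 64);
check(resolveRememberToken($db, $tampered, $now) === null, 'wrong validator rejected');
check(resolveRememberToken($db, $cookie, $now) === null, 'token revoked after mismatch');
echo "remember-me checks passed\n";
```

On a successful resolve, the application would then start a normal PHP session for that user, and should only issue the token in the first place when the user ticked the "remember me" box, as the answer says. The walk-through at the bottom stands in for the request/response cycle; in a real handler, setRememberCookie() runs at login and resolveRememberToken() reads $_COOKIE[REMEMBER_COOKIE] on later visits.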