8

On accessing session data on the server side, its modified_time gets set, therefore extending its expiration time into the future.

However, this does not happen for PHPSESSID cookie. While session data expiration on the server side is extended, the cookie expiration is not. If the cookie expires, the user will lose his session - he will have no session ID to give when sending a request.

Is there any way to tell Symfony\Component\HttpFoundation\Session\Session to extend the cookie expiration date?

  • Can this be done for the same session ID? Or will we have to regenerate it (seems inefficient to do for many users X many requests)?
  • Should I set it myself manually (disregarding the OOP principles)

I've found $request->getSession()->getMetadataBag() and tried setting stampNew(), but this does not seem to interact with the PHPSESSID cookie.

gskema
  • 3,141
  • 2
  • 20
  • 39
  • I thought the PHPSESSID cookie was set as a session cookie meaning that the browser would clean it up when it was closing. Never heard of it being cleaned up before the browser session was done. – apokryfos Mar 03 '17 at 15:11
  • I don't need to delete it, I need to extend its expiration date. It won't be cleared on closing the browser - the cookie will live for much longer (kind of like REMEMBERME, I'm guessing) – gskema Mar 03 '17 at 15:14
  • What I'm saying is (based on [the manual](http://php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime) the default duration of the session is "as long as the browser is open"). Now if a browser does not do a cleanup of session cookies and keeps them a bit longer (which is often the case) is not based on default PHP configuration. At any rate a PHP session is not meant to persist past a browser session, perhaps you could use a different session manager and your own custom sessionid cookie to persist the session for longer. – apokryfos Mar 03 '17 at 15:18

1 Answers1

1

You can change in the config.yml files under the session key, as example:

# session configuration
session:
    cookie_lifetime:    3600

From the doc:

cookie_lifetime

type: integer default: null

This determines the lifetime of the session - in seconds. The default value - null - means that the session.cookie_lifetime value from php.ini will be used. Setting this value to 0 means the cookie is valid for the length of the browser session.

More info in the doc here

Matteo
  • 37,680
  • 11
  • 100
  • 115
  • 11
    I'm aware of this setting, what I need to know is how to "bump" the cookie expiration time on every page visit, because the expiration time of the session data on the server is "bumped" on every request. Also long as keep visiting the site, your session should be alive for the defined lifetime, even after you close the browser (and then come back on). It should only die if you haven't visited the site for the `lifetime` seconds. – gskema Mar 03 '17 at 15:23