
This is a standard situation. Suppose a user logs in to a website and closes the browser. He then visits the same website again. I want the website to identify the user without asking him to log in again.

I came across this post here and am trying to understand the best ways of implementing it.

After reading many similar threads here, I know one of the best ways of implementing this is to set a hash and store it in a cookie, so that I can check for this hash when the user visits next time and identify the user. Does this approach have security issues? For example, if the cookie is transferred to another system, can it also get a logged-in session?

But why can't we just implement it using the session.cookie_lifetime and session.gc_maxlifetime variables, say with large values so that the session never expires? Does this approach have issues, such as a potentially large amount of data accumulating on the server?

What is the preferred way of implementation among these two approaches?

Kiran
  • Sessions should always be destroyed when a user closes their browser, or when the timeout is reached (which should be a reasonable time frame like 30 minutes). The best way, as you stated, would be to use a cookie with a hash in it that you can use to identify the user and rebuild their session. The caveat with this is that you need to re-authenticate a user for any sensitive action on your site. – cmorrissey Mar 09 '17 at 19:07
  • @cmorrissey, thanks for explaining. But why delete the session when the user closes the browser? (In PHP, by default it is 24 minutes, I can see.) Is it because of memory issues? – Kiran Mar 09 '17 at 19:09
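The "hash in a cookie" approach from the question and the first comment, worked through as an added example (editor's code, not from the asker or any commenter, and not PHP-specific even though the question is about PHP). The cookie carries a random `selector` plus a random `validator`; the server stores only `sha256(validator)`, so a dump of the token table does not yield usable cookies. The token is single-use (rotated on every successful login), a presented cookie whose selector exists but whose validator does not match is treated as a copied or tampered cookie and all of that user's tokens are revoked, and expiry is enforced server-side rather than by trusting the cookie's lifetime. The in-memory `dict` stands in for a database table; the `now` parameter is a Unix timestamp passed in so the behaviour is deterministic.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class StoredToken:
    user_id: str
    validator_hash: bytes   # sha256(validator); the raw validator is never stored server-side
    expires_at: int         # Unix seconds; checked by the server, not taken from the cookie


class RememberMe:
    """Persistent-login ("remember me") tokens, separate from the short-lived PHP-style session.

    The in-memory dict below is a stand-in (hypothetical) for a real database table.
    """

    def __init__(self, lifetime_seconds: int = 30 * 24 * 3600):
        self.lifetime = lifetime_seconds
        self._by_selector: dict[str, StoredToken] = {}

    @staticmethod
    def _hash(validator: str) -> bytes:
        return hashlib.sha256(validator.encode()).digest()

    def issue(self, user_id: str, now: int) -> str:
        """Create a token for user_id and return the cookie value 'selector:validator'."""
        selector = secrets.token_urlsafe(12)    # lookup key, not secret on its own
        validator = secrets.token_urlsafe(32)   # the actual secret, 256 bits of entropy
        self._by_selector[selector] = StoredToken(
            user_id, self._hash(validator), now + self.lifetime
        )
        return f"{selector}:{validator}"

    def redeem(self, cookie: str, now: int) -> tuple[Optional[str], Optional[str]]:
        """Validate a presented cookie.

        Returns (user_id, replacement_cookie) on success, (None, None) otherwise.
        The caller should rebuild the session from user_id, set the replacement
        cookie, and mark the session as "remembered" so that sensitive actions
        still require a fresh password entry.
        """
        selector, sep, validator = cookie.partition(":")
        if not sep:
            return None, None
        rec = self._by_selector.get(selector)
        if rec is None:
            return None, None
        if now >= rec.expires_at:
            del self._by_selector[selector]
            return None, None
        # Constant-time compare of the hash, so timing does not leak validator bytes.
        if not hmac.compare_digest(self._hash(validator), rec.validator_hash):
            # Live selector with a wrong validator: the cookie was copied or altered.
            # Revoke every token for the account so the stolen copy is useless.
            self.revoke_all(rec.user_id)
            return None, None
        # Single use: rotate so that a replayed copy of this cookie is rejected.
        del self._by_selector[selector]
        return rec.user_id, self.issue(rec.user_id, now)

    def revoke_all(self, user_id: str) -> int:
        """Logout-everywhere / theft response. Returns how many tokens were removed."""
        doomed = [s for s, r in self._by_selector.items() if r.user_id == user_id]
        for s in doomed:
            del self._by_selector[s]
        return len(doomed)


if __name__ == "__main__":
    store = RememberMe(lifetime_seconds=3600)
    cookie = store.issue("alice", now=1000)          # set at login with Secure+HttpOnly
    user, fresh = store.redeem(cookie, now=1001)     # next visit, session gone
    print(user, fresh != cookie)                     # alice True
    print(store.redeem(cookie, now=1002))            # (None, None): old cookie was rotated out
```

This keeps the PHP session itself short (the comment's 30-minute timeout) while letting the site recognise a returning browser. Setting the cookie with `Secure`, `HttpOnly` and `SameSite` does not stop someone who copies the cookie file to another machine, which is why the token is rotated on each use and a mismatch revokes the account's tokens, and why actions like changing the password or e-mail should still ask for the password.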

0 Answers