3

I am trying to implement a login system with a 'remember me' feature. This is my login page: http://pastebin.com/q6iK0Mgy. In this I am trying to extend the session cookie (PHPSESSIONID) expiration using session_set_cookie_params(). But it's not working.

Relevant portion from the code: in this, the inner if() loop is being executed, but session_set_cookie_params('3600') is having no effect. I am calling session_name(), as it is supposed to be a requirement for session_set_cookie_params() (according to one of the comments on the PHP manual).

    if ( isset($_POST["submit"]) )
    {
        session_name();
        echo "calling before checked ";
        if ( $_POST["remember"] == "on" )
        {
            // extend expiration date of cookie
            session_set_cookie_params('3600');
            echo "<br/>calling after sessions_set_cookie_params";
        }
    }
    require_once("includes/session.php"); //session start ?>

I hope I was able to explain what I want to do. Basically what I am trying to do is extend the session_cookie's expiration. Is my way of doing it completely wrong? Is there another way to achieve the same?

thanks

gyaani_guy
  • Why don't you use set_cookie('name','value',3600)? – Eamorr Dec 31 '10 at 13:25
  • I believe that I need to be using sessions to implement a login system and thus need to extend the session cookie. am I wrong ? – gyaani_guy Dec 31 '10 at 13:31
  • Have you only tested this on your dev computer? Because a real gotcha is that setting session cookies on 'localhost' does not work, I think due to some security property of the HTTP protocol. See for example this example http://blog.perplexedlabs.com/2008/12/21/php-sessions-on-localhost/ where the domain is set to '.yourdomain' if it is not localhost. If it's localhost, the domain is set to '' (empty string) and then it works. I don't know if it's the solution for your problem, but it's something worth testing if you are testing on localhost. – Johan Oct 02 '11 at 16:10
  • @Johan Awesome :-) You should add an expansion of your comment as an answer. Cheers. – Fred Gandt Jan 25 '13 at 04:08
  • Maybe. I just have to understand it again! ;) It was over a year ago I wrote that and I've kind of forgotten what this was all about. – Johan Jan 31 '13 at 22:26
  • Here, have an answer, 3 years later! – Noishe Dec 27 '13 at 13:30

2 Answers

8

Never too old for an answer right?

So, PHP is dumb. As in, it doesn't do what you think would make sense.

session_set_cookie_params will not do anything until the exact moment that you call session_start. So if you set cookie params after calling session_start, too late. If you set the cookie params but then don't call session_start, nothing happens.

session_start is also a funny beast. It only reads cookie data the first time it is called - well, that is unless... you force it to write, or there is no cookie to begin with. So if there is no cookie, it writes the cookie data and the client saves your session. Yay! But when the cookie exists already, how do we force it to write, and therefore update our new expiry date?

So, we have this odd effect of ignoring all of your session_set_cookie_params calls if a cookie already exists on the client. Even better, if you explicitly call setcookie(session_name(),blah blah blah), PHP will STILL not emit the cookie.

So, let's force php to emit a cookie.

option 1

This works by calling session_id with the only value that won't clobber your existing session. Documentation at http://php.net/session_id states that

Note: When using session cookies, specifying an id for session_id() will always send a new cookie when session_start() is called, regardless if the current session id is identical to the one being set.

session_id($_COOKIE[session_name()]);

So anyways it's 6 in the morning and I haven't slept yet and you probably figured this out months if not years ago, but what the hell, maybe I'll save someone else the 2 or 3 hours of my life I'll never get back. Ha ha.

Noishe
  • Well it's over a year later, and your snippet of code helped me out! It did exactly what I needed it to: extend the cookie expiration time on every page load. I added it just before ```session_start();```. Thanks... from the FUTURE! – JoLoCo Mar 24 '15 at 14:53
3

From the documentation:

You need to call session_set_cookie_params() for every request and before session_start() is called.

Also check http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime

powtac
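
An added example (not code from the question or from either answer) that combines the two answers: cookie parameters are set on every request before session_start(), and the existing ID is re-set so the cookie is sent again with the new expiry. The names start_login_session(), REMEMBER_SECONDS and the remember_pref cookie are hypothetical, and the array form of the cookie options assumes PHP 7.3 or later on an HTTPS site.

```php
<?php
declare(strict_types=1);

// Added example; start_login_session(), REMEMBER_SECONDS and the
// remember_pref cookie are hypothetical names, not from the question.
const REMEMBER_SECONDS = 3600; // lifetime used in the question

function start_login_session(bool $remember): void
{
    // Cookies travel in response headers: nothing may be echoed before this runs.
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    // Server-side data must outlive the cookie (assumes PHP's own session GC).
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);

    // 'secure' assumes HTTPS. Lifetime 0 means "until the browser closes".
    $flags = ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
    session_set_cookie_params(['lifetime' => $remember ? REMEMBER_SECONDS : 0] + $flags);

    if ($remember) {
        // Marker holding no secret, so later requests know to keep extending.
        setcookie('remember_pref', 'on', ['expires' => time() + REMEMBER_SECONDS] + $flags);

        // Option 1 from the answer: re-setting the current ID makes session_start()
        // send the cookie again with the new expiry. The value is client input, so
        // pass it on only if it has the shape of a session ID.
        $current = $_COOKIE[session_name()] ?? '';
        if (is_string($current) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $current) === 1) {
            session_id($current);
        }
    }
    session_start();
}

// On the login POST the checkbox decides; on later requests the marker does.
$choice = isset($_POST['submit'])
    ? ($_POST['remember'] ?? '')
    : ($_COOKIE['remember_pref'] ?? '');
start_login_session($choice === 'on');
```

Once the credentials have been verified, call session_regenerate_id(true) so the authenticated session does not keep an ID that existed before login; the new cookie it sends uses the parameters set above.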