
A PHP web site uses cookies to store the session id on the browser side. The goal is that the PHP session will be considered valid for a specific time after the most recent user interaction with the site.

The PHP sessions have two distinct timeouts:

  • cookie expiration - when the browser forgets the cookie containing the session id
  • session expiration - when the server forgets the session data

PHP's built-in logic sends the cookie only the first time session_start() is called, i.e. when the session id is generated. The cookie is not sent on further requests and so the cookie expiration time is never extended.

In contrast to that, the PHP session expiration is extended on each request.

As a consequence, if the user interacts with the site continuously, the PHP session expiration time is being extended but the cookie expiration time keeps its original value.

Example:

  • the PHP session and cookie life is set to 5 time points
  • a user interacts with the site at time points 1, 2 and 4

| timepoint | PHP session expiration | cookie expiration |
|---|---|---|
| 1 | 6 | 6 |
| 2 | 7 | 6 |
| 4 | 9 | 6 |

  • if the user then interacts with the site at time point 7, the cookie is already expired so it will not be sent to the server. As such, the request will behave like the PHP session has expired even though the PHP session is technically valid.

How to force PHP to update the cookie's expiration time on each (or almost each) request? What are the best practices?

I have not found anything useful on the web, nor did I find any feasible workarounds. For example, I found the following suggestions:

  • set the cookie to live longer initially - this just postpones the magic disappearance of the cookie and does not principally contribute to the overall goal (consider the session valid after the most recent user interaction).
  • regenerate the session id on each request, which triggers sending a new cookie - this feels a little bit aggressive and might result in concurrency side effects (concurrent requests will probably not come from the browser serialised but in parallel)
  • managing the cookies manually - this requires mimicking the logic of PHP (and keeping the custom implementation compatible with the built-in logic) just to make sure a new cookie with extended expiration is sent back on each request

Note: The session in this question means a session managed by PHP, not a browser. The cookie expiration should be independent of browser sessions. As such, the suggestion "Is possible to keep session even after the browser is closed?" does not feel relevant at all.

Edit: The issue has been categorized as a PHP bug.

alik
  • Are you suggesting that the cookie expires before the site's session does? So that the user is actively using the site but gets logged out because of the cookie? – M. Eriksson Dec 06 '18 at 11:54
  • I think it would be better that you save last interaction time within the cookie, set cookie expiration time to 86400 a day, on each request read the cookie and get the last interaction time or set the last interaction time. – Ali Dec 06 '18 at 11:55
  • If you just want the cookie to live during the session, it should already do that. The default expiration of a session cookie is "at end of session". – M. Eriksson Dec 06 '18 at 11:59
  • @MagnusEriksson The 0 means that the cookie is valid till the end of the *browser* session, not till the end of the *PHP* session. – alik Dec 06 '18 at 12:20
  • I have added an example and mentioned more workaround notes – alik Dec 06 '18 at 12:25
  • Aren't you looking to send updated time value with http://php.net/manual/en/function.setcookie.php ? When PHP sets the session cookie, you can read it and then update it. – DeDee Dec 06 '18 at 12:28
  • @alik — Since the browser session lasts until the user quits the browser and not any specific time. What's the problem? Are you trying to get the session to survive the user quitting the browser entirely? – Quentin Dec 06 '18 at 12:30
  • The browser session is usually what people talk about when you talk about sessions in connection to web sites. What would be the use of an existing session in PHP if the browser session has ended (the user has closed the browser)? Then the user's session cookie wouldn't even be in the game anymore. I'm finding this question very unclear. Can you give us some practical examples of the issue you're trying to solve? – M. Eriksson Dec 06 '18 at 12:31
  • @DeDee As PHP does not send the cookie on following requests at all, I have nothing to alter. – alik Dec 06 '18 at 12:35
  • @Quentin Yes, I want the PHP session to survive to next browser session. – alik Dec 06 '18 at 12:36
  • That's a totally different question. It should be something like: _"How to keep a session cookie alive between browser sessions?"_. – M. Eriksson Dec 06 '18 at 12:43
  • Possible duplicate of [Is possible to keep session even after the browser is closed?](https://stackoverflow.com/questions/3684620/is-possible-to-keep-session-even-after-the-browser-is-closed) – M. Eriksson Dec 06 '18 at 12:44
  • @MagnusEriksson That's easy, you just set the cookie expiration and it will survive. If you omit the expiration, it will not survive the browser session. And yes, you are correct, "How to keep a session cookie alive between browser sessions?" is a different question than what I am asking for. – alik Dec 06 '18 at 12:46
  • @alik you can get the data from the PHP cookie that was placed in the browser. You can store it with your session on the server. You can then alter that cookie in the browser each time the site is loaded, or every day, whatever. PHP does not send the cookie automatically, that's why you need to do it with http://php.net/manual/en/function.setcookie.php – DeDee Dec 06 '18 at 13:21
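
The mechanism described in the question (the session cookie is sent once and its expiry never moves) and the setcookie() route raised in the comments, as an added example that is not part of the original thread: it re-sends the existing session id with a fresh expiry on each request and enforces the idle limit on the server. `IDLE_LIMIT`, `last_seen` and `refresh_session_cookie()` are hypothetical names; PHP 7.3+ and an HTTPS site are assumed.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.3+ (array-form
// cookie options) and an HTTPS site. IDLE_LIMIT, 'last_seen' and
// refresh_session_cookie() are hypothetical names.
const IDLE_LIMIT = 1800; // allowed inactivity in seconds (assumed value)

function refresh_session_cookie(int $now): bool
{
    // Server-side data lifetime and cookie lifetime use the same window.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => IDLE_LIMIT,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Enforce the idle limit on the server: garbage collection is
    // probabilistic and a client can replay a cookie past its expiry.
    $idle = isset($_SESSION['last_seen'])
        && ($now - $_SESSION['last_seen']) > IDLE_LIMIT;
    if ($idle) {
        $_SESSION = [];
        session_regenerate_id(true); // fresh id; PHP sends the new cookie itself
    }
    $_SESSION['last_seen'] = $now;

    // PHP emits Set-Cookie only when it issues an id. If the browser's id was
    // reused, re-send the same id with a new expiry to slide the window.
    if (($_COOKIE[session_name()] ?? null) === session_id()) {
        $p = session_get_cookie_params();
        setcookie(session_name(), session_id(), [
            'expires'  => $now + IDLE_LIMIT,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    return !$idle;
}

// Call before any output so the header can still be sent.
$sessionWasActive = refresh_session_cookie(time());
```

Because the session id itself is unchanged, parallel requests from the same browser keep working; the id should still be regenerated at login and other privilege changes.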

0 Answers