Link to home
Create AccountLog in
Avatar of numberkruncher
numberkruncherFlag for United Kingdom of Great Britain and Northern Ireland

asked on

PHPSESSID cookie and "Remember Me"

I have implemented "Remember Me" functionality on my project. I have implemented custom session handling using session_set_save_handler, so I have access to all of those events if need be.

Do I need to renew the PHPSESSID cookie expiry time every time the session is opened?

If so, what is the best way to achieve this?
Avatar of numberkruncher
Flag of United Kingdom of Great Britain and Northern Ireland image


Okay, I might have solved this.

- I am forcing renewal of "php session cookie" AND "secret key cookie" each time "session_start" is called IF "Remember Me" is noted under $_SESSION['__remember_me'].

- When user logs in, status of "Remember Me" check box is stored within session variable to assist with previous point.

- If "Remember Me" is not checked, session cookie should expire when web browser is closed.

What do you guys think of the following?
// After "session_start()"

// Renew lifetime of cookie.
if (isset($_SESSION['__remember_me']) && isset($_COOKIE[$this->_cookie_secretkey])) {
    $expire = time() + REMEMBER_ME_LIFETIME;
    setcookie($this->_php_name, $this->_php_id, $expire, '/');
    setcookie($this->_cookie_secretkey, $_COOKIE[$this->_cookie_secretkey], $expire, '/');

// When logging in:


// Update cookie, and prepare random key for client security.
// Note: Renewing the random key improves security.
$expire = ($remember === true) ? time() + REMEMBER_ME_LIFETIME : 0;
$key = System::random_string(31);
setcookie($this->_cookie_secretkey, $key, $expire, '/');

// Adjust lifetime of session cookie.
if ($remember === true) {
    if (isset($_COOKIE[$this->_php_name]))
        setcookie($this->_php_name, $this->_php_id, $expire, '/');
    $_SESSION['__remember_me'] = true;
else {
    // Remove remember me status.


Open in new window

Avatar of Ray Paseur
Ray Paseur
Flag of United States of America image

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Thanks for the link, I am going to try and read through that in detail sometime today.
Hope it's helpful.  Please post back with any specific questions about it, ~Ray
Thanks Ray, that was an interesting read. I think that my implementation is along the right lines.

I  picked up on several bits which I think may improve what I have, like disabling the cookie from JavaScript access. I wasn't aware that you could do that.
Thanks for the points - it's a great question! ~Ray