session duration vs remember me duration in php

Posted on 2015-01-08
Last Modified: 2015-01-24

I am currently using sessions to deal with logins on my site. I took the code from a component on GitHub:

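    // Assumed values: the snippet does not show where these are defined.
    $secure = true;      // send the session cookie over HTTPS only
    $httponly = true;    // keep the session cookie away from JavaScript

    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

    // Sets the session name to the one set above.

    session_start();                // Start the PHP session
    session_regenerate_id(true);    // Regenerate the session ID and delete the old session.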

I believe the default lifetime is 0, which means the session lasts until the browser is shut. This code all works fine.

However, I now need a remember me feature. If I make a remember me cookie that lasts, say, 3 months, do I have to change the code above so the remember me and session are in sync somehow? I would have thought it was OK for session information to be lost when the user closes the browser, even with remember me set to yes.

In the past I have never had to do this, but I'm not a PHP programmer so I'm just checking it is OK. I used to program in .NET, so all this stuff happens behind the scenes really. Authentication there was handled by a cookie where the cookie lifetime dictated whether to remember the user.

Personally I prefer not passing all that data to the user in an authentication cookie. However, I've never had a remember me feature separate from the authentication cookie.

I hope it's OK to keep it how it is.

Also, just a quick one. I'm also used to sliding expiration time on sessions. Do you have sliding expiration on remember me? I think it would be clearer not to, personally.

Many thanks, experts.
Question by:andieje
LVL 83

Expert Comment

by:Dave Baldwin
ID: 40538521
I would never make the 'remember me' cookie part of the session cookie.
"sliding expiration time on sessions"
In PHP, the lowest current expiration time defines the expiration time for all sessions.  From
If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data.

Author Comment

ID: 40538980

I think I have misworded my question.

The remember me cookie is totally separate from the login details, which are stored in session variables, and there is also of course the session cookie.

The default lifetime of the session cookie is 0, so data is lost when the browser closes.

But what about the expiry of the remember me cookie (a separate cookie)? Its expiry is say  months in the future.

So the session data will be lost when the browser window is closed, but the remember me cookie is still there.

I'm not a PHP programmer, so I was just checking that that is OK and I don't have to keep the 2 expiry dates in sync or do something else weird and wonderful I've never heard of.

LVL 83

Accepted Solution

Dave Baldwin earned 250 total points
ID: 40539002
No, the two cookies are unrelated to each other.  Each will have its own expiration date that is based on the purpose of the cookie.  A 'remember me' cookie would have a longer expiration.  How long depends on what you want with it.
LVL 110

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40542968
There's a lot to understand here, and Dave has given you good advice.  Technically speaking you could say the two cookies are "sort of" related, inasmuch as they both identify a client; they just identify the client by different means, for different purposes.  The session says "is logged in now" and the other cookie says, "can be logged in now."

If you want the background and a bit more in-depth understanding, these articles will help.

Understanding Client/Server Stateless Protocols:

The Application of the Protocols to the Design of the PHP Session:

The Application of the PHP Session to the General Question of "Login" and "Remember":

One last note... Always re-authenticate before changing the data model.  By way of explanation, consider the behavior of the ATM machine.  It takes your card and PIN (two factor authentication) then allows a transaction. When you want another transaction, it asks for your PIN again.  This design prevents the unfortunate situation that would arise if you made a withdrawal, walked away, and the person in line behind you also made a withdrawal - from your account.  So even though your design can use a remember-me cookie (very useful for shopping carts, etc) please be sure your application knows who your client is before you ship products, divulge sensitive data, etc.  The usual approach is to ask for the password again before each sensitive transaction.
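
The separation discussed in this thread, as an added example (not code from the posts above or from the GitHub component): a remember-me token with its own 3-month expiry re-creates a session after the browser has been closed, but marks it as not freshly authenticated so sensitive actions still ask for the password. The `$store` array stands in for a database table, and every function and field name here is hypothetical.

```php
<?php
// Added example. $store stands in for a database table (hypothetical schema).
const REMEMBER_TTL = 90 * 24 * 3600;   // about 3 months, unrelated to the session cookie's lifetime of 0

// Called after a password login with "remember me" ticked; returns the cookie value.
function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, not secret
    $validator = bin2hex(random_bytes(32));   // secret half, only ever held by the browser
    // Store a hash only, so a leaked table cannot be replayed as cookies.
    $store[$selector] = [
        'user'    => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_TTL,
    ];
    // Send with setcookie() using expires = $now + REMEMBER_TTL, secure and httponly.
    return $selector . ':' . $validator;
}

// Called when there is no logged-in session but a remember-me cookie is present.
function redeemRememberToken(array &$store, string $cookie, int $now): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;
    }
    $row = $store[$parts[0]];
    unset($store[$parts[0]]);                 // single use: consumed whether or not it validates
    if ($row['expires'] < $now || !hash_equals($row['hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    // "Can be logged in now": session data to store, plus a rotated cookie value.
    return ['user_id' => $row['user'], 'fresh_auth' => false,
            'new_cookie' => issueRememberToken($store, $row['user'], $now)];
}

// Gate for shipping products, changing data and similar: needs a password entered this session.
function canDoSensitiveAction(array $session): bool
{
    return !empty($session['user_id']) && !empty($session['fresh_auth']);
}

// Constructed walk-through: login, browser closed, return a day later.
$store   = [];
$now     = time();
$cookie  = issueRememberToken($store, 42, $now);
$session = redeemRememberToken($store, $cookie, $now + 86400);
var_dump($session['user_id'], canDoSensitiveAction($session));   // remembered login, sensitive-action gate
var_dump(redeemRememberToken($store, $cookie, $now + 86400));    // replay of the already-used cookie
```

Setting `fresh_auth` to true belongs only in the code path that has just verified the password, and `session_regenerate_id(true)` should be called at that point as well.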


Question has a verified solution.
