session duration vs remember me duration in php

Posted on 2015-01-08
Last Modified: 2015-01-24
Hi

I am currently using sessions to deal with logins on my site. I took the code from a component on github

    <?php
    // Assumed wrapper: the posted fragment is the tail of a function in the component,
    // where $session_name, $secure and $httponly are set earlier. They are taken as
    // parameters here so the fragment stands on its own.
    function start_login_session(string $session_name, bool $secure, bool $httponly): void
    {
        // Gets current cookie params (lifetime 0 = cookie lasts until the browser closes).
        $cookieParams = session_get_cookie_params();
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

        // Sets the session name to the one set above.
        session_name($session_name);

        session_start();              // Start the PHP session
        session_regenerate_id(true);  // regenerates the session id; true also deletes the old session data
    }

I believe the default lifetime is 0, which means the session lasts until the browser is shut. This code all works fine.

However, I now need a remember me feature. If I make a remember me cookie that lasts, say, 3 months, do I have to change the code above so the remember me and session are in sync somehow? I would have thought it was OK for session information to be lost when the user closes the browser even with remember me set to yes.

In the past I have never had to do this, but I'm not a PHP programmer so I'm just checking it is OK. I used to program in .NET, so all this stuff happens behind the scenes really. Authentication there was handled by a cookie where the cookie lifetime dictated whether to remember the user.

Personally I prefer not passing all that data to the user in an authentication cookie. However, I've never had a remember me feature separate from the authentication cookie.

I hope it's OK to keep it how it is.

Also, just a quick one. I'm also used to sliding expiration time on sessions. Do you have sliding expiration on remember me? I think it would be clearer not to, personally.

Many thanks experts
Question by:andieje
4 Comments
 
LVL 84

Expert Comment

by: Dave Baldwin
ID: 40538521
I would never make the 'remember me' cookie part of the session cookie.

"sliding expiration time on sessions"

In PHP, the lowest current expiration time defines the expiration time for all sessions. From http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data.

Author Comment

by: andieje
ID: 40538980
Hi

I think I have misworded my question.

The remember cookie is totally separate from the login details, which are stored in session variables, and there is also of course the session cookie.

The default lifetime of the session cookie is 0, so data is lost when the browser closes.

But what about expiry of the remember me cookie (a separate cookie)? Its expiry is, say, months in the future.

So the session data will be lost when the browser window is closed but the remember me cookie is still there.

I'm not a PHP programmer, so I was just checking that that is OK and I don't have to keep the 2 expiry dates in sync or do something else weird and wonderful I've never heard of.

Thanks
LVL 84

Accepted Solution

by: Dave Baldwin (earned 1000 total points)
ID: 40539002
No, the two cookies are unrelated to each other. Each will have its own expiration date that is based on the purpose of the cookie. A 'remember me' cookie would have a longer expiration. How long depends on what you want with it.
LVL 111

Assisted Solution

by: Ray Paseur (earned 1000 total points)
ID: 40542968
There's a lot to understand here, and Dave has given you good advice.  Technically speaking you could say the two cookies are "sort of" related, inasmuch as they both identify a client; they just identify the client by different means, for different purposes.  The session says "is logged in now" and the other cookie says, "can be logged in now."

If you want the background and a bit more in-depth understanding, these articles will help.

Understanding Client/Server Stateless Protocols:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

The Application of the Protocols to the Design of the PHP Session:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html

The Application of the PHP Session to the General Question of "Login" and "Remember"
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

One last note... Always re-authenticate before changing the data model.  By way of explanation, consider the behavior of the ATM machine.  It takes your card and PIN (two factor authentication) then allows a transaction. When you want another transaction, it asks for your PIN again.  This design prevents the unfortunate situation that would arise if you made a withdrawal, walked away, and the person in line behind you also made a withdrawal - from your account.  So even though your design can use a remember-me cookie (very useful for shopping carts, etc) please be sure your application knows who your client is before you ship products, divulge sensitive data, etc.  The usual approach is to ask for the password again before each sensitive transaction.
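The two cookies Dave and Ray describe, side by side, as an added example that is not code from the question or either answer: the session cookie keeps the default lifetime 0, the remember-me cookie has its own expiry, and a login restored from the remember-me cookie still has to re-enter the password before anything sensitive. The cookie name, the 90-day lifetime, the 5-minute re-auth window and the in-memory token store are assumptions.

```php
<?php
// Added example (not code from the question or the answers). The session
// cookie keeps PHP's default lifetime 0 (gone when the browser closes); the
// remember-me cookie has its own expiry. Store is a constructed array.
const REMEMBER_COOKIE   = 'remember_me';       // assumed cookie name
const REMEMBER_LIFETIME = 90 * 24 * 60 * 60;   // ~3 months in seconds (assumed)
const REAUTH_WINDOW     = 5 * 60;              // re-ask for the password after 5 min (assumed)

$rememberStore = [];   // selector => [user_id, sha256(validator), expires]; stands in for a DB table

function startLoginSession(): void {
    // lifetime 0: the session cookie lasts only until the browser is closed
    session_set_cookie_params(0, '/', '', true, true);
    session_start();
}

function issueRememberMe(array &$store, int $userId): void {
    // selector locates the row, validator proves possession; only its hash is stored
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_LIFETIME;
    $store[$selector] = [$userId, hash('sha256', $validator), $expires];
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// "can be logged in now": rebuild the login when the session was lost (browser
// closed) but the long-lived cookie is still present. Call after startLoginSession().
function loginFromRememberMe(array &$store, string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) { return null; }
    [$selector, $validator] = $parts;
    [$userId, $hash, $expires] = $store[$selector];
    if ($expires < time() || !hash_equals($hash, hash('sha256', $validator))) {
        unset($store[$selector]);   // expired or wrong validator: drop the token
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['auth_time'] = 0;     // restored from a cookie, not freshly authenticated
    return $userId;
}

// "is logged in now" is not enough for sensitive actions: require a recent password check
function needsReauth(): bool {
    return (time() - ($_SESSION['auth_time'] ?? 0)) > REAUTH_WINDOW;
}
```

After a password login the application sets $_SESSION['auth_time'] = time(); a session restored from the cookie keeps 0, so needsReauth() stays true until the user types the password again.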
