session duration vs remember me duration in php

Posted on 2015-01-08
Last Modified: 2015-01-24

I am currently using sessions to deal with logins on my site. I took the code from a component on github

    <?php
    // Gets current cookie params.
    $cookieParams = session_get_cookie_params();
    // $secure and $httponly were not defined in the pasted snippet; values assumed here.
    $secure   = true;   // send the session cookie over HTTPS only
    $httponly = true;   // keep the cookie out of reach of JavaScript
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

    // Sets the session name to the one set above.

    session_start();                // Start the PHP session
    session_regenerate_id(true);    // Regenerate the session id; true also deletes the old session data

I believe the default lifetime of 0 means the session lasts until the browser is shut. This code all works fine.

However, I now need a remember me feature. If I make a remember me cookie that lasts, say, 3 months, do I have to change the code above so the remember me and session are in sync somehow? I would have thought it was OK for session information to be lost when the user closes the browser even with remember me set to yes.

In the past I have never had to do this, but I'm not a PHP programmer so I'm just checking it is OK. I used to program in .NET, so all this stuff happens behind the scenes really. Authentication there was handled by a cookie where the cookie lifetime dictated whether to remember the user.

Personally I prefer not passing all that data to the user in an authentication cookie. However, I've never had a remember me feature separate from the authentication cookie.

I hope it's OK to keep it how it is.

Also, just a quick one. I'm also used to sliding expiration time on sessions. Do you have sliding expiration on remember me? I think it would be clearer not to, personally.

Many thanks experts
Question by: andieje
LVL 83

Expert Comment

by: Dave Baldwin
ID: 40538521
I would never make the 'remember me' cookie part of the session cookie.

"sliding expiration time on sessions"

In PHP, the lowest current expiration time defines the expiration time for all sessions. From:

"If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data."

Author Comment

ID: 40538980

I think I have misworded my question.

The remember cookie is totally separate from the login details, which are stored in session variables, and there is also, of course, the session cookie.

The default lifetime of the session cookie is 0, so data is lost when the browser closes.

But what about expiry of the remember me cookie (a separate cookie)? Its expiry is, say, months in the future.

So the session data will be lost when the browser window is closed, but the remember me cookie is still there.

I'm not a PHP programmer, so I was just checking that that is OK and I don't have to keep the 2 expiry dates in sync or do something else weird and wonderful I've never heard of.

LVL 83

Accepted Solution

Dave Baldwin earned 250 total points
ID: 40539002
No, the two cookies are unrelated to each other. Each will have its own expiration date that is based on the purpose of the cookie. A 'remember me' cookie would have a longer expiration. How long depends on what you want with it.
LVL 108

Assisted Solution

by: Ray Paseur
Ray Paseur earned 250 total points
ID: 40542968
There's a lot to understand here, and Dave has given you good advice.  Technically speaking you could say the two cookies are "sort of" related, inasmuch as they both identify a client; they just identify the client by different means, for different purposes.  The session says "is logged in now" and the other cookie says, "can be logged in now."

If you want the background and a bit more in-depth understanding, these articles will help.

Understanding Client/Server Stateless Protocols:

The Application of the Protocols to the Design of the PHP Session:

The Application of the PHP Session to the General Question of "Login" and "Remember"

One last note... Always re-authenticate before changing the data model.  By way of explanation, consider the behavior of the ATM machine.  It takes your card and PIN (two factor authentication) then allows a transaction. When you want another transaction, it asks for your PIN again.  This design prevents the unfortunate situation that would arise if you made a withdrawal, walked away, and the person in line behind you also made a withdrawal - from your account.  So even though your design can use a remember-me cookie (very useful for shopping carts, etc) please be sure your application knows who your client is before you ship products, divulge sensitive data, etc.  The usual approach is to ask for the password again before each sensitive transaction.
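The following is an added example, not code from the question or from either answer, showing how the two lifetimes discussed by Dave and Ray can live side by side: the session cookie keeps its lifetime of 0 ("is logged in now"), while a separate remember-me cookie lives for about 3 months ("can be logged in now") and is backed by a server-side token record. It also implements Ray's closing point by recording when a password was last entered, so a sensitive action can demand a fresh password after a remember-me restore. The cookie name, the token store (a plain array standing in for a database table), the 300-second re-auth window and the use of the array forms of session_set_cookie_params and setcookie (PHP 7.3 and later) are assumptions made for this illustration.

```php
<?php
// Added example (not from the original question or answers): independent
// lifetimes for the PHP session cookie and a remember-me cookie, plus a
// re-authentication check before sensitive actions. Names and storage are
// assumptions for illustration only.

declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';      // assumed cookie name
const REMEMBER_LIFETIME = 90 * 24 * 3600;     // about 3 months, as in the question
const REAUTH_WINDOW     = 300;                // seconds a password entry stays "fresh" (assumed)

// Session cookie: lifetime 0 means "until the browser closes", as the asker has it.
function startSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'domain'   => '',
        'secure'   => true,    // HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Issue a remember-me token as "selector:validator". Only the SHA-256 of the
// validator is kept server-side, so a copy of the store cannot be replayed.
function issueRememberMe(array &$tokenStore, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $tokenStore[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => time() + REMEMBER_LIFETIME,
    ];
    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => time() + REMEMBER_LIFETIME,   // long-lived, unlike the session cookie
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Validate a presented remember-me cookie value; returns the user id or null.
function checkRememberMe(array &$tokenStore, ?string $cookieValue): ?int
{
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);
    $row = $tokenStore[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) {
        unset($tokenStore[$selector]);           // expired or unknown: drop it
        return null;
    }
    // Constant-time comparison of the stored hash with the presented validator.
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        unset($tokenStore[$selector]);           // mismatch: burn the selector
        return null;
    }
    return $row['user_id'];
}

// Per request: a live session wins; otherwise fall back to the remember-me cookie.
function resolveLogin(array &$tokenStore): ?int
{
    if (isset($_SESSION['user_id'])) {
        return $_SESSION['user_id'];
    }
    $userId = checkRememberMe($tokenStore, $_COOKIE[REMEMBER_COOKIE] ?? null);
    if ($userId !== null) {
        session_regenerate_id(true);             // fresh id, old session data deleted
        $_SESSION['user_id']     = $userId;
        $_SESSION['password_at'] = 0;            // restored without a password: not "fresh"
    }
    return $userId;
}

// Call after the user types a correct password (login or re-auth prompt).
function markPasswordEntered(): void
{
    $_SESSION['password_at'] = time();
}

// Ray's ATM point: a sensitive action needs a password entered within REAUTH_WINDOW.
function hasFreshAuth(): bool
{
    return (time() - ($_SESSION['password_at'] ?? 0)) <= REAUTH_WINDOW;
}
```

In use, a page handler calls startSession() and resolveLogin(); a checkout or profile-change handler additionally checks hasFreshAuth() and, when it returns false, redirects to a password prompt that calls markPasswordEntered() on success. Nothing keeps the two expiry dates in sync: the session ends with the browser, the remember-me record ends when its own expires field passes or the server deletes it.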
