Solved

session duration vs remember me duration in php

Posted on 2015-01-08
4
223 Views
Last Modified: 2015-01-24
Hi

I am currently using sessions to deal with logins on my site. I took the code from a component on github

    // Assumed wrapper (the post omits the function header): the function name and the
    // $session_name, $secure and $httponly parameters are assumptions, supplied by the caller.
    function sec_session_start($session_name, $secure, $httponly) {
        // Gets current cookies params.
        $cookieParams = session_get_cookie_params();
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

        // Sets the session name to the one set above.
        session_name($session_name);

        session_start();                // Start the PHP session
        session_regenerate_id(true);    // regenerate the session id and delete the old session data
    }

I believe the default lifetime of 0 means the session lasts until the browser is shut. This code all works fine.

However, I now need a remember me feature. If I make a remember me cookie that lasts, say, 3 months, do I have to change the code above so the remember me and session are in sync somehow? I would have thought it was OK for session information to be lost when the user closes the browser even with remember me set to yes.

In the past I have never had to do this, but I'm not a PHP programmer so I'm just checking it is OK. I used to program in .NET, so all this stuff happens behind the scenes really. Authentication there was handled by a cookie, where the cookie lifetime dictated whether to remember the user.

Personally I prefer not passing all that data to the user in an authentication cookie. However, I've never had a remember me feature separate from the authentication cookie.

I hope it's OK to keep it how it is.

Also, just a quick one: I'm also used to sliding expiration time on sessions. Do you have sliding expiration on remember me? I think it would be clearer not to, personally.

Many thanks experts
Question by:andieje
4 Comments
LVL 82

Expert Comment

by:Dave Baldwin
ID: 40538521
I would never make the 'remember me' cookie part of the session cookie.
"sliding expiration time on sessions"
In PHP, the lowest current expiration time defines the expiration time for all sessions. From http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime :
"Note: If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data."

Author Comment

by:andieje
ID: 40538980
Hi

I think I have misworded my question.

The remember cookie is totally separate from the login details, which are stored in session variables, and there is also of course the session cookie.

The default lifetime of the session cookie is 0, so data is lost when the browser closes.

But what about expiry of the remember me cookie (a separate cookie)? Its expiry is say  months in the future.

So the session data will be lost when the browser window is closed, but the remember me cookie is still there.

I'm not a PHP programmer, so I was just checking that that is OK and I don't have to keep the 2 expiry dates in sync or do something else weird and wonderful I've never heard of.

Thanks
LVL 82

Accepted Solution

by:
Dave Baldwin earned 250 total points
ID: 40539002
No, the two cookies are unrelated to each other. Each will have its own expiration date that is based on the purpose of the cookie. A 'remember me' cookie would have a longer expiration. How long depends on what you want with it.
LVL 108

Assisted Solution

by:Ray Paseur
Ray Paseur earned 250 total points
ID: 40542968
There's a lot to understand here, and Dave has given you good advice.  Technically speaking you could say the two cookies are "sort of" related, inasmuch as they both identify a client; they just identify the client by different means, for different purposes.  The session says "is logged in now" and the other cookie says, "can be logged in now."

If you want the background and a bit more in-depth understanding, these articles will help.

Understanding Client/Server Stateless Protocols:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/A_11271-Understanding-Client-Server-Protocols-and-Web-Applications.html

The Application of the Protocols to the Design of the PHP Session:
http://www.experts-exchange.com/Programming/Languages/Scripting/PHP/A_11909-PHP-Sessions-Simpler-Than-You-May-Think.html

The Application of the PHP Session to the General Question of "Login" and "Remember"
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

One last note... Always re-authenticate before changing the data model.  By way of explanation, consider the behavior of the ATM machine.  It takes your card and PIN (two factor authentication) then allows a transaction. When you want another transaction, it asks for your PIN again.  This design prevents the unfortunate situation that would arise if you made a withdrawal, walked away, and the person in line behind you also made a withdrawal - from your account.  So even though your design can use a remember-me cookie (very useful for shopping carts, etc) please be sure your application knows who your client is before you ship products, divulge sensitive data, etc.  The usual approach is to ask for the password again before each sensitive transaction.
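The two answers above, as an added illustration (not code from the question, from Dave or from Ray): the session cookie keeps lifetime 0 and says "is logged in now", a separate long-lived remember-me cookie says "can be logged in now", and sensitive actions still demand a fresh password. The PDO connection, the remember_tokens table and all function names are assumptions.

```php
<?php
// Added illustration, not code from the question or the answers above.
// Assumes PHP 7.3+, a PDO connection to MySQL and a table
// remember_tokens(selector, validator_hash, user_id, expires); all names are assumptions.
declare(strict_types=1);
const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 90 * 24 * 3600; // roughly three months, as in the question

// Session cookie keeps lifetime 0: it dies with the browser, independent of remember-me.
function start_session(): void {
    $p = session_get_cookie_params();
    session_set_cookie_params(0, $p['path'], $p['domain'], true, true);
    session_start();
}

// Issue the remember-me cookie. Only a random selector:validator pair goes to the
// client; the server stores a hash of the validator, so a leaked table cannot forge cookies.
function issue_remember_token(PDO $db, int $userId): void {
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId,
                  date('Y-m-d H:i:s', time() + REMEMBER_LIFETIME)]);
    setcookie(REMEMBER_COOKIE, "$selector:$validator", [
        'expires' => time() + REMEMBER_LIFETIME, 'path' => '/',
        'secure'  => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// On a request with no live session, rebuild "is logged in" from "can be logged in".
function login_from_remember_cookie(PDO $db): ?int {
    if (isset($_SESSION['user_id'])) return (int) $_SESSION['user_id'];
    if (!isset($_COOKIE[REMEMBER_COOKIE])) return null;
    [$selector, $validator] = explode(':', $_COOKIE[REMEMBER_COOKIE], 2) + [null, null];
    if ($selector === null || $validator === null) return null;
    $st = $db->prepare('SELECT user_id, validator_hash FROM remember_tokens
                        WHERE selector = ? AND expires > NOW()');
    $st->execute([$selector]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) return null;
    session_regenerate_id(true);       // fresh id when the privilege level changes
    $_SESSION['user_id']      = (int) $row['user_id'];
    $_SESSION['reauth_until'] = 0;     // a remembered login is not a fresh password entry
    return (int) $row['user_id'];
}

// Ray's ATM rule: the password-login path sets reauth_until = time() + 300 (assumed window);
// anything that ships products or divulges data first checks this and re-asks for the password.
function requires_reauth(): bool { return ($_SESSION['reauth_until'] ?? 0) < time(); }
```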
