Session duration vs remember me duration in PHP
Posted on 2015-01-08
I am currently using sessions to deal with logins on my site. I took the code from a component on GitHub:
// Values not shown in the original snippet; assumed here so it runs.
$secure = true;   // send the session cookie over HTTPS only
$httponly = true; // keep the session cookie out of reach of JavaScript
// Gets current cookie params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);
session_start(); // Start the PHP session
session_regenerate_id(true); // Regenerate the session ID and delete the old session.
I believe the default lifetime is 0, which means the session lasts until the browser is shut. This code all works fine.
However, I now need a remember me feature. If I make a remember me cookie that lasts, say, 3 months, do I have to change the code above so the remember me and session are in sync somehow? I would have thought it was OK for session information to be lost when the user closes the browser, even with remember me set to yes.
In the past I have never had to do this, but I'm not a PHP programmer so I'm just checking it is OK. I used to program in .NET, so all this stuff happens behind the scenes really. Authentication there was handled by a cookie where the cookie lifetime dictated whether to remember the user.
Personally I prefer not passing all that data to the user in an authentication cookie. However, I've never had a remember me feature separate from the authentication cookie.
I hope it's OK to keep it how it is.
Also, just a quick one. I'm also used to sliding expiration time on sessions. Do you have sliding expiration on remember me? I think it would be clearer not to, personally.
Many thanks, experts
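
The arrangement the question describes, as an added example that is not part of the original post: the session cookie keeps lifetime 0, and a separate remember me cookie with a fixed (non-sliding) expiry of about 3 months carries only a random token, not user data. The cookie name `remember_me`, the function names, and the `$tokenStore` array standing in for a database table are assumptions; the array form of the cookie options needs PHP 7.3 or later.

```php
<?php
// Added example. Hypothetical names throughout; $tokenStore stands in for a
// database table keyed by selector.
const REMEMBER_TTL = 90 * 24 * 3600; // about 3 months, fixed (never extended)

function cookieOptions(int $expires): array {
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Call after a successful password login with "remember me" ticked.
function issueRememberToken(array &$tokenStore, int $userId, int $now): string {
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its hash is stored
    $tokenStore[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator),
        'expires' => $now + REMEMBER_TTL,
    ];
    $value = $selector . ':' . $validator;
    if (PHP_SAPI !== 'cli' && !headers_sent()) {
        setcookie('remember_me', $value, cookieOptions($now + REMEMBER_TTL));
    }
    return $value;
}

// Returns the user id for a valid cookie value, otherwise null.
function redeemRememberToken(array &$tokenStore, string $cookie, int $now): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($tokenStore[$parts[0]])) return null;
    $row = $tokenStore[$parts[0]];
    $ok = $row['expires'] >= $now
        && hash_equals($row['hash'], hash('sha256', $parts[1]));
    if (!$ok) unset($tokenStore[$parts[0]]); // expired or wrong validator
    return $ok ? $row['user_id'] : null;     // 'expires' is not touched
}

// Per request: the session (lifetime 0) is checked first; the remember me
// cookie is consulted only when the browser session is gone.
function currentUser(array &$tokenStore): ?int {
    session_set_cookie_params(cookieOptions(0)); // 0 = until browser closes
    session_start();
    if (isset($_SESSION['user_id'])) return $_SESSION['user_id'];
    $uid = redeemRememberToken($tokenStore, $_COOKIE['remember_me'] ?? '', time());
    if ($uid !== null) {
        session_regenerate_id(true); // fresh session id for the new login
        $_SESSION['user_id'] = $uid;
    }
    return $uid;
}
```

The two lifetimes never need to match: closing the browser discards the session, and the next request rebuilds it from the token until the token's own expiry passes.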