session duration vs remember me duration in php


I am currently using sessions to deal with logins on my site. I took the code from a component on GitHub:

    // Cookie flags for the session cookie: only send it over HTTPS and keep it out of reach of JavaScript.
    $secure   = true;
    $httponly = true;

    // Gets current cookie params and re-applies them with the two flags above.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], $secure, $httponly);

    // Sets the session name to the one set above.
    // (the session_name() call is not included in the snippet as posted)

    session_start();               // Start the PHP session
    session_regenerate_id(true);   // Regenerate the session id; true deletes the old session data as well.

I believe the default lifetime of 0 means the session lasts until the browser is shut. This code all works fine.

However, I now need a remember me feature. If I make a remember me cookie that lasts, say, 3 months, do I have to change the code above so the remember me and session are in sync somehow? I would have thought it was ok for session information to be lost when the user closes the browser even with a remember me set to yes.

In the past I have never had to do this, but I'm not a PHP programmer so I'm just checking it is ok. I used to program in .NET, so all this stuff happens behind the scenes really. Authentication there was handled by a cookie where the cookie lifetime dictated whether to remember the user.

Personally I prefer not passing all that data to the user in an authentication cookie. However, I've never had a remember me feature separate from the authentication cookie.

I hope it's ok to keep it how it is.

Also, just a quick one. I'm also used to sliding expiration time on sessions. Do you have sliding expiration on remember me? I think it would be clearer not to, personally.

Many thanks experts
2 Solutions
Dave Baldwin (Fixer of Problems) commented:
I would never make the 'remember me' cookie part of the session cookie.

Regarding "sliding expiration time on sessions":
In PHP, the lowest current expiration time defines the expiration time for all sessions. From http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime:
"If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data."
andieje (Author) commented:

I think I have misworded my question.

The remember cookie is totally separate from the login details, which are stored in session variables, and there is also of course the session cookie.

The default lifetime of the session cookie is 0, so data is lost when the browser closes.

But what about expiry of the remember me cookie (a separate cookie)? Its expiry is, say, months in the future.

So the session data will be lost when the browser window is closed, but the remember me cookie is still there.

I'm not a PHP programmer, so I was just checking that that is ok and I don't have to keep the 2 expiry dates in sync or do something else weird and wonderful I've never heard of.

Dave Baldwin (Fixer of Problems) commented:
No, the two cookies are unrelated to each other. Each will have its own expiration date that is based on the purpose of the cookie. A 'remember me' cookie would have a longer expiration. How long depends on what you want with it.
Ray Paseur commented:
There's a lot to understand here, and Dave has given you good advice.  Technically speaking you could say the two cookies are "sort of" related, inasmuch as they both identify a client; they just identify the client by different means, for different purposes.  The session says "is logged in now" and the other cookie says, "can be logged in now."

If you want the background and a bit more in-depth understanding, these articles will help.

Understanding Client/Server Stateless Protocols:

The Application of the Protocols to the Design of the PHP Session:

The Application of the PHP Session to the General Question of "Login" and "Remember"

One last note... Always re-authenticate before changing the data model.  By way of explanation, consider the behavior of the ATM machine.  It takes your card and PIN (two factor authentication) then allows a transaction. When you want another transaction, it asks for your PIN again.  This design prevents the unfortunate situation that would arise if you made a withdrawal, walked away, and the person in line behind you also made a withdrawal - from your account.  So even though your design can use a remember-me cookie (very useful for shopping carts, etc) please be sure your application knows who your client is before you ship products, divulge sensitive data, etc.  The usual approach is to ask for the password again before each sensitive transaction.
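The arrangement both answers describe, written out as an added example (not code from the question, the answers, or the GitHub component): a session cookie with lifetime 0 beside a separate remember-me cookie with its own expiry, the remember-me token stored only as a hash on the server, and a check that a remembered user re-enters the password before a sensitive transaction. The in-memory $tokenStore stands in for a database table, the 90-day lifetime, cookie name and session keys are assumptions, and the array forms of session_set_cookie_params and setcookie need PHP 7.3 or later.

```php
<?php
// Added example, not code from the question or the answers: a session cookie with
// lifetime 0 next to a separate "remember me" cookie with its own 90-day expiry.
// $tokenStore is an in-memory stand-in for a database table (assumption); PHP 7.3+.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 90 * 24 * 3600;   // about 3 months, unrelated to the session

$tokenStore = [];   // selector => ['hash' => sha256(validator), 'user' => id, 'expires' => ts]

function startSession(): void {
    // lifetime 0: the session cookie is discarded when the browser closes.
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'secure' => true,
                               'httponly' => true, 'samesite' => 'Lax']);
    session_start();
}

// Called after a successful password check when the user ticked "remember me".
function issueRememberMe(array &$store, int $userId): void {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    // Only a hash of the validator is stored, so a leaked table does not yield usable cookies.
    $store[$selector] = ['hash' => hash('sha256', $validator),
                         'user' => $userId, 'expires' => time() + REMEMBER_TTL];
    setcookie(REMEMBER_COOKIE, "$selector:$validator", ['expires' => time() + REMEMBER_TTL,
        'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}

// On a request with no live session: rebuild the login from the long-lived cookie.
function loginFromRememberMe(array $store, string $cookieValue): ?int {
    if (strpos($cookieValue, ':') === false) return null;
    [$selector, $validator] = explode(':', $cookieValue, 2);
    $row = $store[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) return null;
    if (!hash_equals($row['hash'], hash('sha256', $validator))) return null;  // constant-time
    session_regenerate_id(true);
    $_SESSION['user_id']     = $row['user'];
    $_SESSION['password_at'] = 0;   // remembered, not freshly authenticated
    return $row['user'];
}

// Ray's point: a remembered user must re-enter the password before a sensitive transaction.
function needsReauth(int $maxAge = 300): bool {
    return (time() - ($_SESSION['password_at'] ?? 0)) > $maxAge;
}

startSession();
if (empty($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    loginFromRememberMe($tokenStore, $_COOKIE[REMEMBER_COOKIE]);
}
```

The password-check handler (not shown) sets $_SESSION['password_at'] = time() after a successful login, so needsReauth() is false right after the user typed the password and true for a session that only came from the cookie. Nothing here keeps the two expiry dates in sync: the session simply ends with the browser and the cookie outlives it.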
