Session should never expire by itself

php session session-timeout
22,024

Solution 1

A solution that is often used, in this situation, is to:

  • have a not-too-long session duration: it will expire if the user is not active (that's just the way it works -- and that's better for your server if you have lots of users)
  • when user logs in, you set a cookie that contains what is needed for him to be recognized
  • if he comes back on the site (with the cookie, and without having an active session), you use the informations contained in that cookie to auto-log him in, re-creating the session at the same time.

This way:

  • you don't have thousands of sessions "active" with no good reason
  • you keep the standard way sessions work

And you have the advantage of "never being logged out", at least from the user's point of view.

Also note that with "normal" sessions, the cookie containing the session id will be deleted when the user closes his browser -- so, he will be disconnected, no matter how long the session's lifetime is.
With the solution I propose, you are the one who sets up how long the cookie should remain on the user's computer ;-)


It means, though, that when a user manually logs-out, you have to delete both his session and the cookie, of course -- so he's not immediatly re-auto-logged-in.


Of course, you have to be careful about what you set in the cookie: a cookie is not quite secure, so don't store a password in it, for instance ;-)


Actually, this way of doing things is how the "remember me" feature often works; except, here, your users will not have to check a checkbox to activate "remember me" ;-)


If you don't have the time to develop that kind of stuff, a pretty quick and dirty way is to use some Ajax request on all your pages, that will just "ping" a PHP page on the server -- this will keep the session active (but it's not quite a good way of doing things: you'll still have LOTS of sessions on the server, you'll have lots of useless requests... and it will only work as long as the user doesn't close his browser).

Solution 2

You can't do that with the PHP internal session handling alone. PHP will always send out the session id in a session-cookie which will expire when the user closes his browser. To achieve some sort of auto-login you'll need some accompanying code that sets a longer-lasting cookie on the user's browser and handles the recognition of these cookies and the mapping between the cookies value and the respective user account.

Please note that this greatly affects security issues so you'll have to take care of a lot of things. Please read the following on how a possible auto-login feature could be working:

Share:
22,024
developer
Author by

developer

Updated on March 05, 2020

Comments

  • developer
    developer about 4 years

    I'm using login function in my site with session. This session of mine gets expired after a few minutes irrespective of whether the user has logged out or not. Now what I want is that the session should only get expired when a user logs out. If a user doesn't log out his account and then comes back after 2-3 days, even then he should appear logged in.

    I have found some examples where they have increased the time for a session to expire but I want that it should only expire on the log out event by the user irrespective of the time he took to log out.

    How can I do that?

    In particular, is this the right way to do so?

    session_cache_expire(0);
session_start();
  • developer
    developer almost 15 years
    i have set a cookie with the user name and a random number concatenated to it and then i've stored it into the database. When a page is called then i check for the system cookie and match it with the one in database if both matches then i display the person as logged in otherwise not.And When a person logs out i set the cookie to null. Is this the right way??? and is this secure???
  • Pascal MARTIN
    Pascal MARTIN almost 15 years
    Seems OK to me, at least -- it will never be "perfect security", as anyone using the guy's computer will be auto-logged-on, but that should be enough, I suppose :-)
  • void
    void almost 10 years
    I know its a pretty old thread, but can i do it by making session.gc_maxlifetime and session.cookie_lifetime to 0 in my php.ini file?
  • Sz.
    Sz. over 5 years
    @void, not on Debian systems, or others, where a separate garbage collection cron job reaps session files older than some timeout (30 mins default), regardless of the (native) PHP config. See e.g. serverfault.com/a/511705
  • emix
    emix about 5 years
    I've updated the question and replaced second link with the web archive snapshot.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What is the default session expiration time in PHP?
PHP session timeout
PHP - make session expire after X minutes
PHP - Destroy session if not any action in 10 minutes
Yii users being logged out after 15-30 minutes despite session timeouts being set to at least 1 day
Prevent session expired in PHP Session for inactive user
Displaying a online user list using PHP
Debian based systems Session killed at 30 minutes in special cron, how to override?
How to use $_GET?
PHPSESSID not being saved to cookie