Keep $_SESSION alive with autorenewing counter

Question

I'd like to keep sessions alive for three days, and whenever they visit the page it is renewed up to three days again. Basically if they don't visit the site for three days, their session drops.

ini_set('session.cookie_lifetime',60*60*24*3); //saw on a similar SO question
session_start();

The above piece of code is at the top of top.php, a file that is include()ed on every single page.

$_SESSION["username"] = $username;
$_SESSION["password"] = $hashedpass;
$_SESSION["authtoken"] = $authkey; //authentication key

The above is on login.php which sets the $_SESSION data according to verification it exists in SQL.

Maybe this is a function of WAMP, but whenever I close the browser, the session terminates despite the php.ini params being changed. Am I perhaps using the wrong bit on line 1 of top.php?

Are you sure the session is terminated on the server end, not the client end? Many browsers will clear out sessions when they're shut down. — TRiG, Aug 31 '13 at 21:16
Using `$_SESSION` is relatively new to me, so I'm not entirely sure. My browser doesn't terminate sessions for other sites that I frequent, so I have little to believe it would selectively wipe the session from only my site. — gator, Aug 31 '13 at 21:18

score 2 · Accepted Answer · answered Aug 31 '13 at 21:19

2

Use cookies, I doubt you can control your session lifetime.

What you need to do is basically store session variables needed in cookies, and upon a user entering the site, if the session variables are not set, check if there exist cookies with those variables and load the data from the cookie into session. Or you can just access them from the cookies

In the case you have sensitive data that you don't want to store in cookies. You can store this data in some form of persistent storage on your server (Database or File, Database is preferable) and store the ID of this data in a cookie on the user side. When the user accesses your site, grab the ID from the cookie, and load the data.

answered Aug 31 '13 at 21:19

Joshua Kissoon

3,155
5
26
57

I don't particularly want to store sensitive data into cookies (or worse yet, have the user make their own cookies for malicious purposes). I was hoping to do this entirely with sessions. – gator Aug 31 '13 at 21:21
1

@JoshuaKissoon, i should go for the DB option. Just the `uid` in the cookie and the `expiration date` + some more needed info in the DB – Mathlight Aug 31 '13 at 21:25
Yes, DB has many advantages over files... And I'm guessing your application already uses a DB – Joshua Kissoon Aug 31 '13 at 21:28

score 0 · Answer 2 · answered Aug 31 '13 at 21:26

0

I've just found that:

ini_set('session.cookie_lifetime', 60*60*24*3);
ini_set('session.gc_maxlifetime', 60*60*24*3);
session_start();

...works fine. Even when browser closes, it keeps the session alive.

answered Aug 31 '13 at 21:26

gator

3,225
6
32
66

But think about the fix that Joshua gave. It's very common to save "sessions" in the db... – Mathlight Aug 31 '13 at 21:30

Keep $_SESSION alive with autorenewing counter

2 Answers2

Linked