How to extend PHP session

I want to set up my site so that user sessions will be saved for 24 hours from the last time the site was accessed, whether or not the user’s browser has closed. From playing around with session_set_cookie_params(), it appears I can either set the PHPSESSID cookie to expire when the browser is closed or after a certain amount of time from when the user first accessed the site.

If I am understanding this correctly, if I set the cookie lifetime to 24 hours and a user accesses the site at 23 hours and 59 minutes after they first accessed the site, their session will only last 1 minute before the cookie has expired.

How can I set it so the PHPSESSID cookie’s expiration will be reset to 24 hours every time a user accesses the site? Are there any side effects to explicitly resetting the cookie like this:

setcookie('PHPSESSID', session_id(), time() + 60*60*24);

In general I’m trying not to override much of the existing session handling, though I am saving sessions in the database.

Do yourself a favor and update the master settings (ini file) with the new timeout. It is easier and you don't need to deal with every other issue: garbage collector, override of the cookie, etc.

EDIT:
On a side note, you should also consider if you really need a session timeout of 24 hours, as that is a pretty long time.

It’s a shared server with .htaccess disabled, so I can’t set it there though I could through php. However, isn’t the default cookie expiration set to when the browser closes?

Why is that? 24 hours actually seems pretty short to me.

The cookie life has nothing to do with how long a session is stored on the server. Even if you set the session to 24 hours in the cookie, if the server is set to 1 hour, then garbage collection will delete the session after one hour if it gets initiated.

You can use `ini_set("session.gc_maxlifetime", "86400");` to set the session life if you don't have access to the ini file.

The longer the session is set to live, the easier it will be for someone to hijack a session. Also keep in mind that even if your session is set to live 1 hour, it might actually live for 6 hours or longer all depending on your garbage collect settings and the traffic that the website receives.

As I said in my original post, I’m storing sessions in the database so I can control how long the sessions are saved. I just want to link users to their saved session for up to 24 hours after they last accessed the site.

Gotcha. So what is the preferred length for a session? Should I be setting a separate cookie to keep cart data longer (the main reason I want the session to last so long)? I’m not too worried about somebody hijacking a cart session, because all it contains are product ids and quantities.

Why not allocate session.gc_maxlifetime a ‘far in the future’ value, then just have a cron remove stale sessions using meta-data from the database?

It’s the only way I can see that you can guarantee the 24 hour limit. However, whether or not this additional overhead is acceptable… :)

Or you can create a cookie and let it last for 24 hours.
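Added example, not code from any poster in this thread: one way to get the sliding 24-hour window discussed above, by enforcing the idle limit server-side and re-sending the session cookie on every request. It assumes PHP 7.3+ (array form of the cookie options) and an HTTPS site; `SESSION_TTL`, `last_activity`, `session_is_stale()` and `start_sliding_session()` are illustrative names.

```php
<?php
// Added example: sliding 24-hour session expiry. SESSION_TTL and the
// 'last_activity' key are illustrative assumptions, not PHP built-ins.
const SESSION_TTL = 86400; // 24 hours, in seconds

// Pure check so the idle rule can be exercised without a live session.
function session_is_stale(?int $lastActivity, int $now, int $ttl = SESSION_TTL): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $ttl;
}

function start_sliding_session(): void
{
    // Server side: keep session data at least as long as the cookie lives.
    // With a custom (database) save handler this value is passed to gc().
    ini_set('session.gc_maxlifetime', (string) SESSION_TTL);
    ini_set('session.use_strict_mode', '1'); // refuse uninitialized session IDs

    $cookie = [
        'lifetime' => SESSION_TTL,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,   // keep the ID out of reach of page scripts
        'samesite' => 'Lax',
    ];
    session_set_cookie_params($cookie);
    session_start();

    $now = time();
    if (session_is_stale($_SESSION['last_activity'] ?? null, $now)) {
        // Idle for more than 24 hours: drop the old data, issue a fresh ID.
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = $now;

    // An existing session does not get its cookie re-sent automatically,
    // so send it on every request to push the expiry forward. setcookie()
    // takes an absolute Unix timestamp, hence $now + SESSION_TTL.
    unset($cookie['lifetime']);
    $cookie['expires'] = $now + SESSION_TTL;
    setcookie(session_name(), session_id(), $cookie);
}

start_sliding_session();
```

The server-side `last_activity` check is what actually bounds the session; the cookie expiry only controls how long the browser keeps presenting the ID.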