Session persistance

wad

I'm rather new at sessions, and I'm trying to make a simple login/logout script.

I give the user the option to stay signed in for a set amount of time, or a never-ending session. I set both session global variables and a cookie, containing that particular session ID.

What I failed to realize is sessions only work while the browser is open. How do I make it so a session will persist across multiple browser openings? I think the answer has something to do with a database tracking, but I just want a bit more background.

Thank you

Drakla

[man]session_set_cookie_params[/man] away from zero - but remember the server will still kill the session if the user is inactive for a certain time - default is 24 minutes, so unless they reload or move between pages where sessions are started then bye bye.

wad

I think I'm using session_set_cookie_params correctly.

http://www.superwad.ca/blog-test2/doLogin.phps

Could you take a look at that and tell me?

Thank you

Drakla

You call it once, before session_start.

wad

Ok then, this might not work for me. Let's say I set session_set_cookie_params(21600) (about 6 hours). But the user chose to stay logged in until he clears his cookies. Or a user only wants to stay logged in for 10 minutes, and their session won't expire until 6 hours later.

If there a way to have the session expire only when the user wants? Obviously, I'd need to run a check for a cookie I set using setcookie(), and generate a new session_id(). I just need a point in the right direction with this.

Drakla

If they decide to log out you can call session_destroy

wad

Forgive me, I don't think I'm properly understanding. Let me just put a few examples on the table.

User A wants to stay logged in only for 10 minutes. He stays on the site for 8 minutes, and then closes the browser. The session expires 2 minutes from now right?

User B wants to stay logged in forever. He closes and re-opens the browser many times per day. Does he remain logged in?

If I do what you're proposing, a session cookie will be created for a static length of time, regardless of the users wishes.

I understand that when the user submits to logout, I can destroy the session at that time. I'm just worried about session persistance across multiple openings of a browser window on the same computer. If I set a session cookie to expire in 6 hours, but a user only wants to stay logged in for 10 minutes, how do I do that?

Drakla

When you say a user wants to stay logged in for 10 minutes, is that ten minutes from every page view, or 10 minutes from when they logged in? In that case the easiest way to do it is set a value in the session that has an expire time and check / reset it every page view as applicable. If they try to access it after that then destroy the session, make them relog.

User B - his cookie may be set to last for 30 days, but unless you change php.ini to change session.gc_maxlifetime then it's considered dead after 1440 seconds, 24 minutes, and the garbage collector will burn it the next time it's called.