problem with session_set_cookie_params

bitt3n

I am trying to set the session cookie to expire immediately, if the user specifies he is accessing the site from a public computer, and to expire after 100 days otherwise.

I use session_set_cookie_params(), and the session cookie expiration date updates properly, but the session behaves in the following strange way:

After setting the session cookie to expire in 0 days and then closing and reopening my browser and going to my site, I get logged in automatically (meaning the session is still active).

Here is what session_get_cookie_params() returns (which shows the session cookie has a life of 0 days):

session cookie params are Array ( [lifetime] => 0 [path] => / [domain] => [secure] => )

Then if I log out and log into the site again and specify that the cookie should be set to expire at 100 days, I close and re-open the browser and no longer get logged in automatically (suggesting that the session has expired. In this case session_get_cookie_params() returns:

session cookie params are Array ( [lifetime] => 8640000 [path] => / [domain] => [secure] => )

What is the source of this mystery, where an expired session logs me in, and an unexpired one does not?

HalfaBee

You need to add the current timestamp the the 100 day figure.

bitt3n

hm.. php.net suggests that it should be set without using timestamp.. here is what one comment says, and several other comments confirm it along with my php reference book:

The first argument to session_set_cookie_params is the number of seconds in the future (based on the server's current time) that the session will expire. So if you want your sessions to last 100 days:

$expireTime = 606024*100; // 100 days
session_set_cookie_params($expireTime);

I was using time()+$expireTime, which is WRONG (a lot of the session_set_cookie_params() examples I found get this wrong, but probably don't care because they are just doing "infinite" sessions).

bitt3n

I just tried your suggestion in order to be sure but it doesn't fix the problem. 🙁

bitt3n

any other suggestions would be highly appreciated I have been working on this all day with no success.

HalfaBee

Sorry, I was thinking about cookies, not the session ones.

Are you calling this function before session_start on every page?

bitt3n

yep. here's the code that begins my scripts (nothing comes before this):

if (!empty($COOKIE['login_temp'])) {
if ('not_public_terminal' == ($COOKIE['login_temp'])) {
session_set_cookie_params(100246060, '/', 'www.godshalk.com', 1);
//echo('login_temp cookie is \'not_public_terminal\', cookie params set to 100 days.');
} else { // if login_temp is not FALSE
session_set_cookie_params(-100246060, '/', 'www.godshalk.com', 1);
//echo('login_temp cookie is \'public_terminal\', cookie params set to 0 days.');
}
} else { // if login_temp not set
session_set_cookie_params(-1002460*60, '/', 'www.godshalk.com', 1);
//echo('login_temp cookie is NOT SET, cookie params set to 0 days.');
}

session_start();

I print out the session cookie value and the login_temp cookie value on each page. when login_temp is false, I see this:

session cookie params are Array ( [lifetime] => 8640000 [path] => / [domain] => [secure] => )

after session start, session cookie params are Array ( [lifetime] => 8640000 [path] => / [domain] => [secure] => )

the cookie is not_public_terminal

when login_temp is true, I see this:

session cookie params are Array ( [lifetime] => -8640000 [path] => / [domain] => [secure] => )

after session start, session cookie params are Array ( [lifetime] => -8640000 [path] => / [domain] => [secure] => )

the cookie is public_terminal

(I set expiration to 100 days in the past since 0 wasn't working, but -100 days doesn't work either).

So the login_temp cookie is getting set correctly, and the session cookie is getting set correctly, but the expiration date doesn't appear to affect whether the session is preserved (or at least not in any predictable way).

I could just store the session variables as individual cookies and then when the user visits the site, update the session variables with the variables in the cookies if the login_temp cookie indicates it's a private terminal, but that seems both insecure and a kludgy solution. This is driving me insane. 🙁