I had the following in a method that gets called by each page that is login-controlled:
```php
session_set_cookie_params(30*60); // time out the cookie after 30 minutes
ini_set('session.gc_maxlifetime', 30 * 60); // session timeout value: 30 minutes
session_start();
```
What I discovered is that once the user logs in, the session cookie's expiration date never changed, even after they accessed other controlled pages. I even added an error_log() call right after the session_start() to make sure that it was being accessed on each page request.
After some fruitless Googling, I added a call to session_regenerate_id(), under the theory that the session cookie's value would change and thus would be updated. My hunch proved correct, and now the cookie's expiration time updates to 30 minutes later on each page request.
```php
session_set_cookie_params(30*60); // time out the cookie after 30 minutes
ini_set('session.gc_maxlifetime', 30 * 60); // session timeout value: 30 minutes
session_start();
session_regenerate_id(); // this is needed for some reason to ensure cookie expiration time updates on browser
```
So, the work-around is good enough, but I'd like to understand why it's necessary, and if there is a cleaner way to handle it than bothering with session_regenerate_id() (or is that considered to be the clean way?).
PS: I tested this on both Firefox and IE, and both exhibited the same behavior in this regard. The session.cache_limiter setting is 'nocache', if that has any bearing on the matter.
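
An added example, not part of the original post: one way to get a sliding 30-minute expiry without regenerating the ID on every request, by re-sending the existing session cookie and enforcing the idle limit on the server. The function name, the `last_activity` key, the cookie flags (which assume an HTTPS site) and PHP 7.3+ (array-style cookie options) are assumptions.

```php
<?php
// Added example, not the poster's code. start_sliding_session() and the
// 'last_activity' key are hypothetical names; cookie flags are assumptions.
const IDLE_TIMEOUT = 30 * 60; // 30 minutes, as in the post

function start_sliding_session(): void
{
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_set_cookie_params([
        'lifetime' => IDLE_TIMEOUT,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();

    // Enforce the idle timeout on the server: the cookie's expiry is only a
    // hint to the browser, and session garbage collection is probabilistic.
    if (isset($_SESSION['last_activity'])
        && $now - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_regenerate_id(true); // true: delete the expired session's data
    }
    $_SESSION['last_activity'] = $now;

    // session_start() sends Set-Cookie when it issues a new ID, not when it
    // resumes one from the request cookie, so the browser keeps the original
    // expiry. Re-send the current ID with a fresh expiry on every request.
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => $now + IDLE_TIMEOUT,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}
```

Call it before any output on each login-controlled page. Calling `session_regenerate_id()` with no argument on every request, as in the work-around, leaves each previous session's data on the server until garbage collection removes it.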