cookie expiration with setcookie()

undertow

I've seen this topic discussed before, but I don't think I've ever seen a straight answer.

I've heard that the expiration date you use with setcookie() uses the server's clock, but the cookie actually expires based on client's clock. This could cause problems if the two were in different time zones. On my first site, I just set the expiration date so far in the future that it wouldn't be a problem. However on my new site, I want the expiration date to reflect on how long a session can be idle (ie, not navigating around any pages on the site) before it is considered inactive and would be ended (if the cookie with the sid expired, it wouldn't be able to be passed back to the server to be validated and the user would be essentially logged off). Having an expiration/idle time of an hour would be a problem if time zones or DST were a factor.

At this point I'm thinking of just screwing the use of cookies on my site, passing all needed info on the URL, and logging when the user's last activity was so that I can see if it's been more than an hour and acting accordingly.

So which way does it work?

SiteCubed_com

Hey,
I would just grab their session ID and setup a simple MySQL database:

key auto_increment
sessID int
valName varchar(50)
valValue text
itemAdded timestamp

then just read the table and get the itemAdded field, subtract the time from the current time and bam, you have a database-based session handler...PHP's session_xxx functions leave a little to be desired for the average programmer...

devarticles

Id go with sitecubed, its the best way to do it, because your relying on the time off your server, not the client time

undertow

So basically what you're saying is to keep the long expire times on the cookies but do all the date/time checking on the server side? Yeah, that would probably work, thanks 🆒.

I would still have URL session support for the people who don't want to have cookies on (actually I normally wouldn't do this, but I found out that a guy I know who will be visiting the site doesn't have cookies on so I want to make him happy 😃).

And I am with you that the builtin session functions leave a bit to be desired. When I'm writing my own this time around, I'm going to make them more generic so I can use them all over my site.

Thanks for the help!

Originally posted by SiteCubed.com
Hey,
I would just grab their session ID and setup a simple MySQL database:

key auto_increment
sessID int
valName varchar(50)
valValue text
itemAdded timestamp

then just read the table and get the itemAdded field, subtract the time from the current time and bam, you have a database-based session handler...PHP's session_xxx functions leave a little to be desired for the average programmer...