
http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime

says that a session.cookie_lifetime of 0 "goes until the browser is closed". Is that the absolute maximum length that the session can have (always wiped when the browser is closed), or would setting a session.cookie_lifetime of, say, 23243245234 yield a result that would probably last beyond whenever the browser is closed?

More to the point, what php.ini settings would I need to set to make sessions last somewhere along the lines of two days, and is there a security reason to recommend a certain (I would expect lower) time limit, and if so what would the recommended period be?

Intended behavior Edit: Here is what I want to achieve; perhaps I'll be able to understand the behavior by getting some settings suggestions as opposed to the specific values of the php.ini settings:

I want the session to last as long as possible, up to (approximately) two days. If the session can last beyond browser close, I would like it to do so (up to approximately two days).

What would I set for php.ini settings (and yes, I have direct edit access to the php.ini) to achieve that?

Kzqai
  • possible duplicate of [How do I expire a PHP session after 30 minutes?](http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes) – Gordon Apr 07 '11 at 07:07
  • Many of the answers to that question deal with creating a system to enforce a determinate time period. I understand that session death will be the result of some random factors underlying the garbage collection system, I'm fine with a fuzzy time period, I just want to extend it to be comfortably long. – Kzqai Apr 07 '11 at 07:24
  • Err, comfortably long on average, that is. – Kzqai Apr 07 '11 at 07:41
  • Ok, I was wrong, the linked duplicate does deal with the exact issue that I'm struggling with, just only in a comment that was hidden, which is where Gumbo mentions that a value of 0 for session.cookie_lifetime will die on browser close, whereas some long number will not. I'm gonna accept here and try to make a clarified overview answer on that linked question. – Kzqai Apr 07 '11 at 07:57

5 Answers


There are two parameters you need to worry about regarding sessions. The first is the TTL for the cookie, the other is how old a session data file can become before it gets garbage collected.

session.cookie_lifetime determines, in seconds, how long the cookie sent to the browser will last. It defaults to 0, which means until the browser closes. For two days it'd need to be 172800 seconds.

session.gc_maxlifetime determines, also in seconds, how long before session data marked on the server will be regarded as garbage and can be deleted.

Setting these two ini directives should give you sessions that survive for two days, except for one more thing of which you need to be aware.

Some operating systems do automated garbage collection on their default temporary directories. If PHP is configured to store session data there, then if the GC period for the temp directory is short you may find yourself losing your session before the value in session.gc_maxlifetime is reached. To avoid this, make sure PHP is storing session data to a location other than /tmp or whatever the temporary directory of your host operating system is.

GordonM
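The three settings from the answer above (cookie TTL, server-side GC age, and a save path outside the OS temp directory) applied from PHP code, as an added example that is not code from the answer or from PHP's own documentation. It assumes PHP 7.3 or later (array form of session_set_cookie_params, which also sets session.cookie_lifetime as James's answer below mentions), an HTTPS site, and a hypothetical directory /var/lib/php/myapp-sessions writable by the web server user; the secure/httponly/samesite/use_strict_mode flags are hardening choices added here.

```php
<?php
// Added example, not code from the accepted answer: apply the two directives it
// names (cookie TTL and server-side GC age) and move session files out of /tmp.
// Assumptions: PHP >= 7.3 (array form of session_set_cookie_params), the site is
// served over HTTPS, and /var/lib/php/myapp-sessions is a hypothetical directory
// that the web server user can write to.
declare(strict_types=1);

const SESSION_TTL = 2 * 24 * 60 * 60;              // two days = 172800 seconds
const SESSION_DIR = '/var/lib/php/myapp-sessions'; // hypothetical, outside /tmp

function bootstrap_session(int $ttl = SESSION_TTL, string $dir = SESSION_DIR): void
{
    // Server side: session data idle for longer than $ttl becomes eligible for GC.
    ini_set('session.gc_maxlifetime', (string) $ttl);

    // Keep session files away from the OS temp dir so a tmp cleaner cannot
    // delete them before gc_maxlifetime is reached (the caveat in the answer).
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("session save path $dir is missing or not writable");
    }
    ini_set('session.save_path', $dir);

    // Client side: lifetime 0 would end the cookie when the browser closes;
    // $ttl lets it survive browser restarts for roughly two days. This call
    // sets session.cookie_lifetime together with the other cookie attributes.
    session_set_cookie_params([
        'lifetime' => $ttl,
        'path'     => '/',
        'secure'   => true,   // hardening added here: send only over HTTPS
        'httponly' => true,   // hardening added here: hide from page scripts
        'samesite' => 'Lax',  // hardening added here
    ]);
    // Hardening added here: ignore session IDs the server never issued.
    ini_set('session.use_strict_mode', '1');

    session_start();
}

bootstrap_session();
```

All ini_set calls must run before session_start(); once the session is active they have no effect on it.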

It means that the session is lost at the time the browser gets closed.

That is, the cookie containing that session id gets deleted together with the onclose event of the browser.

session.cookie_lifetime specifies the lifetime, in seconds, of the cookie which is sent to the browser.

The recommended period depends basically on what your session needs to hold. Say you want to keep your user logged into the website (remind me); you should go for the largest period. Just as an example.

If you want the session alive for approximately two days, you just count:

60 [seconds] * 60 [minutes] * 48 [hours] = 172800 seconds

Luca Fagioli
  • This fails to clarify. -What- means that the session is cleared on close? 0? I already got that part. Some number equivalent to years? What. – Kzqai Apr 07 '11 at 06:58
  • Ok, so 0 is the longest lifetime without a persistent login system, good to know. I actually realized that I wasn't framing the question correctly. What I really want to know is what settings I -do- have to set in order to allow for long sessions, 'cause I haven't been too successful so far. – Kzqai Apr 07 '11 at 07:02
  • @Tchalvak, 0 is NOT the longest time you can have. It's the most secure. – James Apr 07 '11 at 07:16
  • @James what on earth does "the most secure" mean? – Luca Fagioli Apr 07 '11 at 07:20
  • @Luca Fagioli, The reason PHP defaults to 0 is because it causes the cookie to die when the browser is closed. It prevents another user from coming along, opening the browser and continuing the last user's session, which is more secure. – James Apr 07 '11 at 08:14
  • @James ok, now it makes sense. – Luca Fagioli Apr 07 '11 at 08:15
  • @Luca Fagioli, You're right, that was quite a random and unexplained statement. In an attempt to better explain myself I have clarified in my answer. – James Apr 07 '11 at 08:30

First off, I do not recommend to anyone that they play around with session life unless they are aware of the consequences.

In regards to your question, there are actually two systems in place to manage a session.

Firstly, if you are using PHP's default system you are employing a file-based session system whereby a file is created on your server which holds the actual data of the client's session; this file is normally named the same as the session id. The user then has a cookie sent to their browser which holds the session id client side.

The setting you are referring to ONLY defines the life of the cookie in the client's browser, not the life of the session.

A setting of 0: causes the cookie to last until the browser is closed.

A setting higher than 0: causes the session to last that many seconds and is only terminated after that time. The browser can be opened and closed as many times as the user wants and the cookie will remain until the time of expiry.

I believe, but could be wrong, that the setting is only the number of seconds from when the cookie is created and not an actual timestamp.

You can change this setting in your php.ini or you can use a combination of session_get_cookie_params and session_set_cookie_params.

Clarification

Ignoring the server side: the client holds a cookie which holds the SessionID and allows them to access their session. If the cookie is lost, the client no longer has the ability to access the session and it is in essence lost.

A value of 0 will cause the client's browser to keep the cookie until the browser is closed. If the user was to keep their browser open for a week, the cookie would be kept for a week.

A value greater than 0 will cause the client's browser to keep the cookie for that number of seconds. E.g. if the value was set to 172800 seconds (2 days), the cookie would be held by the browser for 2 days. If the browser is closed during these 2 days the cookie is not destroyed; it is only lost after 2 days.

Why use 0

Using 0 is more secure because when a user has finished using your website on a public system and closes the browser, the cookie is lost and the session can no longer be accessed, preventing another user from opening the browser and continuing the session. It is not reliable to presume that a user will end the session manually (e.g. logout) as many don't.

James
  • Ok, I'm confused now. Will the opening & closing of the browser kill the session, even if the cookie remains? Or will the closing of the browser kill the session (not sure how it would even know that)? I'm starting to hate the php.ini. I'm going to edit the question with specifics for exactly the behavior that I'm trying to get, and hopefully someone will be able to suggest the right values for php.ini settings to achieve that. – Kzqai Apr 07 '11 at 07:17
  • That's really confusing. With cookie_lifetime 0, if the user closes the browser, the session is LOST. – Luca Fagioli Apr 07 '11 at 07:19
  • The session held on the server is not killed by the browser closing when the setting is 0; the cookie is. The browser just no longer has an ID to request access to its session because the cookie has been destroyed. – James Apr 07 '11 at 07:20
  • @Luca Fagioli, it will still be active on the server until the php garbage collector removes the file. The client just doesn't know the ID anymore to access it. – James Apr 07 '11 at 07:21
  • @James I know that, but from the user's point of view, the session is lost. – Luca Fagioli Apr 07 '11 at 07:22
  • @Luca Fagioli, this is a technical discussion, not from the user's point of view. A developer needs to understand the functionality of the system they are employing. The session is not lost server side when the cookie is lost. The cookie could be re-added by the user or the server and the session resumed. Therefore it is not lost. – James Apr 07 '11 at 07:27
  • Ok, so from what I can get from this discussion, to ensure -at most- a time period of X, regardless of the browser being open or closed, you have to set session.gc_maxlifetime to X (in seconds) AND session.cookie_lifetime to X (in whatever unit of time the cookie relies on). A session.cookie_lifetime of 0 will cause the session to die before its time if the browser is closed. – Kzqai Apr 07 '11 at 07:38
  • @James Ok, but please be more clear. Tchalvak didn't want to know how the server-client session mechanism works. So, please add the discussion as a deeper view on the question. Otherwise it is confusing. – Luca Fagioli Apr 07 '11 at 07:43
  • @Luca Fagioli, I was simply trying to point out, like Gordon whose answer has been accepted, that simply changing the life of the cookie will not in all instances cause the life of a session to last the amount of time specified, and relying on it without understanding how it all works is dangerous. – James Apr 07 '11 at 08:10
  • @James sorry I've been too hard. I've already removed the negative vote. – Luca Fagioli Apr 07 '11 at 08:13
  • @Luca Fagioli, I'm also sorry, I'm getting as frustrated with myself as I am with you. I'm a programmer first and foremost; my ability to explain myself is far less than my understanding of code. I was simply trying to explain to the best of my ability and with the most clarity, and seem to have failed miserably. – James Apr 07 '11 at 08:32
  • Don't feel frustrated dude. Just try to isolate what the asking person needs. Satisfy that isolated need, and then, if you feel like it, integrate *that* need with all the information you want, as a separate addon. I don't want to play teacher; I just hope this little suggestion can help you somehow. – Luca Fagioli Apr 07 '11 at 09:16

Wait, there is the confusion...

"Session" will not be lost if the browser gets closed... it's the "Cookies" which get lost on close of the browser.

"Session" is altogether different from "Cookies". Session stays at the server and can be destroyed explicitly. Whereas "Cookies" reside at the client end and can be destroyed manually, at a particular time interval, or on browser close.

Anil Purswani
  • The session is kept on the client with a cookie. If you want to use cookieless session, you have to deal with sessionId parameter appended to the URL. – Luca Fagioli Apr 07 '11 at 07:12
  • I think the confusion here might lie with the fact that session may or may not be killed by the cookie being lost. – Kzqai Apr 07 '11 at 07:42

Short (but slightly inaccurate) solution

Set session.gc_maxlifetime to 172800 and session.cookie_lifetime to 0.

Extended and more accurate solution

In general, session.gc_maxlifetime is the configuration to control the session’s life time. So setting that directive to 172800 will make the session expire after 172800 seconds (theoretically). But as the calculation of the age of a session is slightly odd, you might want to implement a more accurate expiration scheme. See my answer to [How do I expire a PHP session after 30 minutes?](http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes) for more information.

And by setting the session ID’s cookie lifetime to 0, the cookie will be valid until the browser is closed.

Gumbo
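One way to build the "more accurate expiration scheme" the answer above recommends, as an added example that is not code from the answer or from the linked question: the session records its own creation time and is explicitly destroyed once it is older than two days, so expiry no longer depends on when PHP's garbage collector happens to run. It assumes session_start() has already been called for the request, and the session key name created_at is a choice made here.

```php
<?php
// Added example, not code from the answer above: an explicit two-day cutoff kept
// in the session data itself, so expiry does not depend on when PHP's garbage
// collector happens to run or on the session file's modification time.
// Assumption: session_start() has already been called before this is invoked.
declare(strict_types=1);

const MAX_SESSION_AGE = 172800; // two days, the figure used in the answer

// Returns true while the session is within $maxAge of its creation; otherwise
// destroys the server-side data and the client's cookie and returns false.
function enforce_session_age(int $maxAge = MAX_SESSION_AGE): bool
{
    $now = time();

    // First request for this session: record its creation time (key chosen here).
    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
        return true;
    }

    if ($now - (int) $_SESSION['created_at'] <= $maxAge) {
        return true;
    }

    // Expired: wipe the data, expire the session cookie in the browser, and
    // remove the server-side file so the old ID cannot be reused.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

// Typical use at the top of a request, right after session_start():
if (!enforce_session_age()) {
    // Start a fresh, empty session under a new ID; the visitor is now logged out.
    session_start();
    session_regenerate_id(true);
}
```

Keep session.gc_maxlifetime at least as large as MAX_SESSION_AGE; this check only shortens a session's life, it cannot extend data the garbage collector has already removed.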