westman Posted May 16, 2018 (edited)

Hi everyone, I would like my sessions to time out after 7 days but they only last 30 minutes. I am using PHP 7. Here is what I have...

php.ini - I always keep this file on the server

;register_globals = off
;allow_url_fopen = On
;expose_php = Off
;max_input_time = 60
;variables_order = "EGPCS"
;extension_dir = ./
;upload_tmp_dir = /tmp
;precision = 12
;SMTP = relay-hosting.secureserver.net
;url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="
;memory_limit = 51M
;post_max_size = 10M
;file_uploads = On
upload_max_filesize = 7M
;max_execution_time = 7200
;max_input_time = 7200
session.gc_maxlifetime = 21800

; Only uncomment zend optimizer lines if your application requires Zend Optimizer support
;[Zend]
;zend_optimizer.optimization_level=15
;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
;zend_extension=/usr/local/Zend/lib/Optimizer-3.3.3/ZendExtensionManager.so
;zend_extension_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3/ZendExtensionManager_TS.so

; -- Be very careful to not to disable a function which might be needed!
; -- Uncomment the following lines to increase the security of your PHP site.
;disable_functions = "highlight_file,ini_alter,ini_restore,openlog,passthru,
;                     phpinfo, exec, system, dl, fsockopen, set_time_limit,
;                     popen, proc_open, proc_nice,shell_exec,show_source,symlink"

phpinfo.php - I never keep this file on the server

session
Session Support: enabled
Registered save handlers: files user
Registered serializer handlers: php_serialize php php_binary

Directive                          Local Value                   Master Value
session.auto_start                 Off                           Off
session.cache_expire               180                           180
session.cache_limiter              nocache                       nocache
session.cookie_domain              no value                      no value
session.cookie_httponly            Off                           Off
session.cookie_lifetime            0                             0
session.cookie_path                /                             /
session.cookie_secure              Off                           Off
session.gc_divisor                 100                           100
session.gc_maxlifetime             21800                         21800
session.gc_probability             1                             1
session.lazy_write                 On                            On
session.name                       PHPSESSID                     PHPSESSID
session.referer_check              no value                      no value
session.save_handler               files                         files
session.save_path                  no value                      no value
session.serialize_handler          php                           php
session.sid_bits_per_character     4                             4
session.sid_length                 32                            32
session.upload_progress.cleanup    On                            On
session.upload_progress.enabled    On                            On
session.upload_progress.freq       1%                            1%
session.upload_progress.min_freq   1                             1
session.upload_progress.name       PHP_SESSION_UPLOAD_PROGRESS   PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix     upload_progress_              upload_progress_
session.use_cookies                On                            On
session.use_only_cookies           On                            On
session.use_strict_mode            Off                           Off
session.use_trans_sid              0                             0

In the PHP page:

session_start();
$_SESSION['id'] = $id;

How do I get my sessions to last longer than 30 minutes?

Edited May 16, 2018 by westman
justsomeguy Posted May 16, 2018

You can get an overview of the session settings here: http://php.net/manual/en/session.configuration.php

There's also some stuff here; there's a section near the end about auto-login: http://php.net/manual/en/features.session.security.management.php

Note that they do not recommend using a high value for session lifetime as a way to implement auto-login. In my applications, I just have a background request fire off to the server every 20 minutes or so to keep the session open as long as they have the page open.
westman (Author) Posted May 16, 2018 (edited)

Well, how do Gmail and Facebook keep your sessions open for a very long time? If I use...

ini_set('session.gc_maxlifetime', 86400);
session_set_cookie_params(86400);
session_start();

...is it bad practice to keep a session for a day?

Edited May 16, 2018 by westman
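The ini_set approach from the post above only works when a few settings agree with each other, and the posted phpinfo shows two of them (session.cookie_secure and session.cookie_httponly) Off. The following is an added example, not code from this thread; the 7-day value, the session directory name and the last_seen key are assumptions. It shows the settings that have to line up and an application-side idle check, which is what actually enforces the timeout since garbage collection is probabilistic.

```php
<?php
// Added example, not code from the thread: the settings that must agree for a
// file-based PHP session to survive for a chosen time, plus an application-side
// idle check. The 7-day value and the directory name are assumptions.
declare(strict_types=1);

const SESSION_TTL = 7 * 24 * 60 * 60;   // 7 days, the lifetime asked for in the thread

function configure_long_session(string $savePath): void
{
    // 1. A private save_path. With the default shared temp directory (save_path "no value"
    //    in the posted phpinfo) every PHP script on the host runs the garbage collector with
    //    its own gc_maxlifetime, so the lowest value on the box decides when your session
    //    files disappear. Debian/Ubuntu also clean the default directory from cron with the
    //    value in the system php.ini.
    if (!is_dir($savePath) && !mkdir($savePath, 0700, true)) {
        throw new RuntimeException("cannot create session directory $savePath");
    }
    ini_set('session.save_path', $savePath);

    // 2. Server side: how long an untouched session file is kept before GC may delete it.
    ini_set('session.gc_maxlifetime', (string) SESSION_TTL);

    // 3. Client side: the cookie must live at least as long, or the browser forgets the
    //    session id first. cookie_lifetime 0 (the posted value) means "until the browser
    //    closes". Secure (assumes HTTPS) and HttpOnly were both Off in the posted phpinfo.
    session_set_cookie_params(SESSION_TTL, '/', '', true, true);

    // 4. Refuse session ids the server never issued (use_strict_mode was Off in the phpinfo).
    ini_set('session.use_strict_mode', '1');
}

// Returns true while the session is inside its idle window and refreshes the timestamp.
// GC runs with probability gc_probability/gc_divisor (1/100 above) and only when some
// request triggers it, so a file can outlive gc_maxlifetime; this check is the real timeout.
function touch_session(int $now, int $ttl = SESSION_TTL): bool
{
    if (isset($_SESSION['last_seen']) && ($now - (int) $_SESSION['last_seen']) > $ttl) {
        $_SESSION = [];
        return false;   // expired: caller destroys the session and sends the user to login
    }
    $_SESSION['last_seen'] = $now;   // assumed key name
    return true;
}

configure_long_session(sys_get_temp_dir() . '/myapp_sessions');   // assumed directory
session_start();
if (!touch_session(time())) {
    session_destroy();
    // redirect to the login page here
}
```

The configuration calls have to run before session_start() on every request, not just once, because ini_set only affects the current request; putting them in php.ini or .htaccess (where the host allows it) is the equivalent for a whole site.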
justsomeguy Posted May 16, 2018

They probably use single-use auth tokens similar to how the manual suggests. That would be a normal cookie, not a session cookie, that tracks who is logged in and contains some kind of unique key which gets updated on every request. So each cookie can only be used once, and every time it's used a new token and cookie is set.
westman (Author) Posted May 17, 2018

Would this code be a good way of keeping my users logged in for a long time?

session_start();
if (isset($_SESSION['id'])) {
    // check to see if user is logged in with session
    // user continues to be logged in; code goes here
} else if (isset($_COOKIE["id"])) {
    // if user session has ended but they still have a cookie
    // auto login code goes here
} else {
    // send user to login page
}
justsomeguy Posted May 17, 2018

In general yeah, you would check to see if they have an open session first, and if not then check for a cookie. You need to make sure those cookies and what you do with the data are secure. Just storing a user ID and nothing else is not good, that means anyone can create a cookie for your site with whatever data they want in it and you'll log them in as whatever user they say.
westman (Author) Posted May 18, 2018

I was thinking of having 1 cookie array that has email, password, and id inside, or should I use one cookie for each value?
justsomeguy Posted May 18, 2018

You should have a cookie that contains a 1-time use hash value, most definitely do not store passwords in cookies. If someone has a cookie that has a hash, you look up which user that hash belongs to, create a new hash for them, delete the old cookie and give them a cookie with the new hash. Every hash should only be used once, that will increase security a little bit. Every time someone comes to your site with a cookie like that you figure out who they are, create another unique hash, save it in the database for them, and update the cookie.
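The scheme from the last two replies (check the session first, then the cookie; the cookie carries a one-time random token that is looked up, deleted and replaced on every use), as an added example that is not code from this thread. It goes one step beyond the reply: the database stores only a SHA-256 hash of the token, so a copied table does not yield working cookies. The cookie name, table name, user id 42 and the in-memory SQLite database are assumptions so that it runs stand-alone with `php remember_me.php`.

```php
<?php
// Added example, not code from the thread or any library: a "remember me" cookie
// holding a single-use random token that is rotated on every use. Table, column and
// cookie names are assumptions; the in-memory SQLite database exists only so the
// file runs on its own.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember_me';          // assumed cookie name
const REMEMBER_TTL    = 7 * 24 * 60 * 60;       // the 7 days asked for in the thread

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        // Only the hash of a token is stored, never the token itself.
        $pdo->exec('CREATE TABLE remember_tokens (
            token_hash TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}

// Make a fresh token for the user, store its hash, and return the raw token for the cookie.
function issue_remember_token(int $userId): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, not an id or password
    $stmt  = db()->prepare('INSERT INTO remember_tokens (token_hash, user_id, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $userId, time() + REMEMBER_TTL]);
    return $token;
}

// Redeem a token exactly once: find it by hash, delete it, return the user id or null.
function consume_remember_token(string $token): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {   // reject malformed cookie values early
        return null;
    }
    $pdo  = db();
    $hash = hash('sha256', $token);
    $pdo->beginTransaction();
    $stmt = $pdo->prepare('SELECT user_id, expires_at FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete unconditionally: a used, expired or unknown token must never work a second time.
    $pdo->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    $pdo->commit();
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['user_id'];
}

function send_remember_cookie(string $token): void
{
    // HttpOnly keeps the token away from scripts; Secure (assumes HTTPS) keeps it off plain HTTP.
    setcookie(REMEMBER_COOKIE, $token, time() + REMEMBER_TTL, '/', '', true, true);
}

// The check from westman's post: live session first, then the cookie, else not logged in.
function current_user_id(array $cookies): ?int
{
    if (isset($_SESSION['id'])) {
        return (int) $_SESSION['id'];
    }
    if (isset($cookies[REMEMBER_COOKIE])) {
        $userId = consume_remember_token((string) $cookies[REMEMBER_COOKIE]);
        if ($userId !== null) {
            if (session_status() === PHP_SESSION_ACTIVE) {
                session_regenerate_id(true);     // new session id when the privilege level changes
            }
            $_SESSION['id'] = $userId;
            send_remember_cookie(issue_remember_token($userId));   // rotate: old token gone, new one set
            return $userId;
        }
        setcookie(REMEMBER_COOKIE, '', time() - 3600, '/');        // clear a dead cookie
    }
    return null;                                  // caller sends the user to the login page
}

// --- stand-alone walk-through with constructed data (no real session in the CLI) ---
$_SESSION = [];
$first  = issue_remember_token(42);              // what password login would do for assumed user 42
$visit  = current_user_id([REMEMBER_COOKIE => $first]);   // first return visit: token accepted, rotated
$_SESSION = [];                                  // pretend the server-side session expired again
$replay = current_user_id([REMEMBER_COOKIE => $first]);   // same cookie again: already consumed
echo "first use of the cookie: ", var_export($visit, true), "\n";
echo "replay of the same cookie: ", var_export($replay, true), "\n";
```

In a real page the first token is issued at password login, current_user_id() runs after session_start() with $_COOKIE as its argument, and logout deletes the user's rows from remember_tokens as well as clearing the cookie. Because each token is deleted on use, a cookie stolen and replayed after its owner has visited again is simply rejected, which is the "used once" property the reply describes.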