
setcookie


jimfog


After how much time should I make the cookie expire? What is the rule of thumb for this, if any? I am using setcookie to accomplish this. Using Fiddler I saw that the w3schools forum keeps the cookies for about 5-6 days.


If there's one thing I've learned it's not to put a lot of faith in rules of thumb (aka tradition). Just have a reason, preferably a good reason, based a little more on user convenience and security than on coder convenience. I usually like sites that know me because my cookie hasn't expired (or my session) unless it's my bank!

Edited by niche

It really depends on what the cookie is about. A session cookie should ideally expire with the session. A cookie that remembers some sort of preference not associated with a particular user (theme, language, some sort of filtering, etc.) may as well live for weeks and months, assuming you always let the user override it. A cookie that keeps a record of something that is applicable only within a certain time interval (e.g. IDs of "new" records; although for that particular scenario, you're probably better off doing this check at the server, and act accordingly) should expire after that interval is over (e.g. if you define "new" as being "from today", make the cookie expire in 24 hours).


I am talking about the cookie where the preferences of the user are "remembered": the cookie which is "responsible" for the user being automatically logged in when he visits the site (if, of course, he has previously checked the "remember me" option). I think this is a session cookie. Suppose the user does not want to log out. Usually, how long is the duration of such a cookie set to? Putting it another way, for how much time can the user "wait" and still be automatically logged in when revisiting the site?


I think the answer depends on how often a user revisits your site and whether that interval is increasing or decreasing. If it's decreasing, pick the average. If it's increasing, you have bigger problems.


You can simply set the session (and cookie) timeout to something longer, and some time within the session, use session_regenerate_id() to reset the timeout before the session has expired. Of course, upon login, and regeneration, you'll have to set the date and time into the session, and check them on each request to see if it's regeneration time. Of course, this approach means that if the user doesn't make any HTTP requests between the regeneration point and the expiration point, the session will "naturally" expire, and they'll have to login again. If your natural session timeout is something significantly longer than the frequency users use the application (like, if you have an app people are likely to use almost every day, and set the timeout to 2 weeks), chances of users' sessions naturally expiring become minimal.

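The approach from the last reply, written out in PHP as an added example (not code posted by anyone in this thread). The constant and function names, the one-day regeneration interval, and an HTTPS-only site on PHP 7.3+ are assumptions; the two-week lifetime is the figure mentioned in the reply.

```php
<?php
// Added example: rolling session with periodic ID regeneration (names are hypothetical).
const SESSION_LIFETIME = 14 * 24 * 3600; // 2 weeks, as suggested in the reply
const REGEN_INTERVAL   = 24 * 3600;      // assumed: issue a fresh ID once a day

// Decide what to do with a session from the timestamps stored in it.
function session_action(array $s, int $now): string
{
    if (!isset($s['last_seen'], $s['id_issued'])) return 'new';
    if ($now - $s['last_seen'] > SESSION_LIFETIME) return 'expire';
    if ($now - $s['id_issued'] > REGEN_INTERVAL)   return 'regenerate';
    return 'keep';
}

function start_rolling_session(): void
{
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server never issued
    ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
    session_set_cookie_params([
        'lifetime' => SESSION_LIFETIME, 'path' => '/',
        'secure'   => true,                   // assumes the site is served over HTTPS
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    $now    = time();
    $action = session_action($_SESSION, $now);
    if ($action === 'expire') {
        $_SESSION = [];                       // idle too long: drop login state
    }
    if ($action !== 'keep') {
        session_regenerate_id(true);          // new ID, old one deleted, cookie re-sent
        $_SESSION['id_issued'] = $now;
    }
    $_SESSION['last_seen'] = $now;
}

if (PHP_SAPI === 'cli') {                     // demo on constructed timestamps
    $now = 1700000000;
    $day = 24 * 3600;
    $cases = [
        'no timestamps yet' => [],
        'seen an hour ago'  => ['last_seen' => $now - 3600, 'id_issued' => $now - 3600],
        'ID two days old'   => ['last_seen' => $now - 3600, 'id_issued' => $now - 2 * $day],
        'idle three weeks'  => ['last_seen' => $now - 21 * $day, 'id_issued' => $now - 21 * $day],
    ];
    foreach ($cases as $label => $s) {
        printf("%-18s => %s\n", $label, session_action($s, $now));
    }
}
```

In a web request, call `start_rolling_session()` before any output is sent; the server-side `last_seen` check enforces the timeout even if a client keeps replaying a cookie past its expiry date.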
