session times: php.ini and phpinfo.php

[westman]

Hi everyone,
I would like my sessions to time out after 7 days but they only last 30 minutes.
I am using php 7. Here is what I have...

php.ini - I always keep this file on the server

;register_globals = off
;allow_url_fopen = On

;expose_php = Off
;max_input_time = 60
;variables_order = "EGPCS"
;extension_dir = ./
;upload_tmp_dir = /tmp
;precision = 12
;SMTP = relay-hosting.secureserver.net
;url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="

;memory_limit = 51M
;post_max_size = 10M
;file_uploads = On
upload_max_filesize = 7M
;max_execution_time = 7200
;max_input_time = 7200

session.gc_maxlifetime = 21800

; Only uncomment zend optimizer lines if your application requires Zend Optimizer support

;[Zend]
;zend_optimizer.optimization_level=15
;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
;zend_extension=/usr/local/Zend/lib/Optimizer-3.3.3/ZendExtensionManager.so
;zend_extension_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3/ZendExtensionManager_TS.so

; -- Be very careful to not to disable a function which might be needed!
; -- Uncomment the following lines to increase the security of your PHP site.

;disable_functions = "highlight_file,ini_alter,ini_restore,openlog,passthru,
;              phpinfo, exec, system, dl, fsockopen, set_time_limit,
;                     popen, proc_open, proc_nice,shell_exec,show_source,symlink"

phpinfo.php - I never keep this file on the server

session
Session Support    enabled
Registered save handlers    files user
Registered serializer handlers    php_serialize php php_binary
Directive    Local Value    Master Value
session.auto_start    Off    Off
session.cache_expire    180    180
session.cache_limiter    nocache    nocache
session.cookie_domain    no value    no value
session.cookie_httponly    Off    Off
session.cookie_lifetime    0    0
session.cookie_path    /    /
session.cookie_secure    Off    Off
session.gc_divisor    100    100
session.gc_maxlifetime    21800    21800
session.gc_probability    1    1
session.lazy_write    On    On
session.name    PHPSESSID    PHPSESSID
session.referer_check    no value    no value
session.save_handler    files    files
session.save_path    no value    no value
session.serialize_handler    php    php
session.sid_bits_per_character    4    4
session.sid_length    32    32
session.upload_progress.cleanup    On    On
session.upload_progress.enabled    On    On
session.upload_progress.freq    1%    1%
session.upload_progress.min_freq    1    1
session.upload_progress.name    PHP_SESSION_UPLOAD_PROGRESS    PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix    upload_progress_    upload_progress_
session.use_cookies    On    On
session.use_only_cookies    On    On
session.use_strict_mode    Off    Off
session.use_trans_sid    0    0

php
session_start();
$_SESSION['id'] = $id;

how do I get my sessions to last longer that 30 minutes? 

Edited May 16, 2018 by westman

[justsomeguy]

You can get an overview of the session settings here:

http://php.net/manual/en/session.configuration.php

There's also some stuff here, there's a section near the end about auto-login:

http://php.net/manual/en/features.session.security.management.php

Note that they do not recommend using a high value for session lifetime as a way to implement auto-login.  In my applications, I just have a background request fire off to the server every 20 minutes or so to keep the session open as long as they have the page open.

[westman]

well how does Gmail and Facebook keep your sessions open for a very long time?

if I use...
 

ini_set('session.gc_maxlifetime', 86400);
session_set_cookie_params(86400);
session_start();

is it bad practice for keeping a session for a day?

Edited May 16, 2018 by westman

[justsomeguy]

They probably use single-use auth tokens similar to how the manual suggests.  That would be a normal cookie, not a session cookie, that tracks who is logged in and contains some kind of unique key which gets updated on every request.  So each cookie can only be used once, and every time it's used a new token and cookie is set. 

[westman]

would this code be a good way of keeping my users logged in for a long time?

if (isset($_SESSION['id'])) {
// check to see if user in logged in with session
// user continuous to be logged in code goes here	
}
else if (isset($_COOKIE["id"])) {
// if user session has ended but they still have a cookie
// auto login code goes here	
}else{
// send user to login page	
}

 

[justsomeguy]

In general yeah, you would check to see if they have an open session first, and if not then check for a cookie.  You need to make sure those cookies and what you do with the data are secure.  Just storing a user ID and nothing else is not good, that means anyone can create a cookie for your site with whatever data they want in it and you'll log them in as whatever user they say.

[westman]

I was thinking of having 1 cookie array that has email, password, and id inside or should I use one cookie for each value?

[justsomeguy]

You should have a cookie that contains a 1-time use hash value, most definitely do not store passwords in cookies.  If someone has a cookie that has a hash, you look up which user that hash belongs to, create a new hash for them, delete the old cookie and give them a cookie with the new hash.  Every hash should only be used once, that will increase security a little bit.  Every time someone comes to your site with a cookie like that you figure out who they are, create another unique hash, save it in the database for them, and update the cookie.