How to keep a PHP session active even if the browser is closed?

by

There’s two relevant settings that control session’s lifetime.

The first is session.cookie-lifetime. This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable. It is relative to the server time, so you need to account for differences in the time in your clients’ machine and your server’s. Assuming they were the same, setting the option to i.e. 3600 would mean the session would expire in an hour. If you want to keep the session alive for a very long time, you increase this number.

However changing this value is not enough. There’s also session.gc-maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed. This differs from session.cookie-lifetime because this option checks the last access time of the session data, so it is relative to the time the session data was last used (i.e. when the user was last active). Even if you set your session.cookie-lifetime to a high value, it’ll not be enough because session.gc_maxlifetime is relatively low usually (1440 is the default, which is only 24 minutes).

While you can set these settings both to relatively high values and have it working, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actual dead session (which also increases the chance of someone hijacking a session in a system that is not properly secured). A better approach is making a remember me cookie. Basically you assign the user’s ID and some authentication token that you store in the database for each user (this is to prevent someone spoofing the cookie) in the cookie, and give it a long lifetime. In your application’s initialization code you’ll check if the user is logged in. If he/she is not logged in, you’ll check if the remember me cookie is set. If it is, you pull the user from the database based on the user ID in the cookie, and then validate the authentication token in the db is the same one as in the cookie. If they match, you simply create the session and log the user in automatically.

More Related Contents:

  1. PHP session lost after redirect
  2. PHP Session Fixation / Hijacking
  3. Laravel – Session store not set on request
  4. What is the difference between Sessions and Cookies in PHP?
  5. What is the difference between session_unset() and session_destroy() in PHP?
  6. PHP authentication with multiple domains and subdomains
  7. My Laravel 5.2.10 Sessions wont persist
  8. Reopening a session in PHP
  9. how to unset cookie in PHP?
  10. How can I get an unknown username given an ID?
  11. Keeping session alive with Curl and PHP
  12. cleanup php session files
  13. PHP sessions that have already been started [duplicate]
  14. Session lost when switching from HTTP to HTTPS in PHP
  15. PHP – Session destroy after closing browser
  16. PHP Sessions with disabled cookies, does it work?
  17. How to kill a/all php sessions?
  18. What is PHP session_start()
  19. Can I use array_push on a SESSION array in php?
  20. Remotely destroy a session in php (user logs in somewhere else)?
  21. I cannot use mysql_* functions after upgrading PHP
  22. Codeigniter session is not working on PHP 7
  23. Is my understanding of PHP sessions correct?
  24. Why Session object destruction failed
  25. When and where should I use session_start?
  26. How do check if a PHP session is empty? [duplicate]
  27. Set httpOnly and secure on PHPSESSID cookie in PHP
  28. Extending session timeout in PHP via the .htaccess
  29. saving checkbox state on reload
  30. Issues with PHP 5.3 and sessions folder

Leave a Comment