What php.ini settings are required to allow a session to remain active for approximately two days?

Question

http://www.php.net/manual/en/session.configuration.php#ini.session.cookie-lifetime

says that a session.cookie_lifetime of 0 \"goes until the browser is closed\". Is

Answer 1

First off I do not recommend to anyone that they play around with session life unless they are aware of the consequences.

In regards to the your question there are actually two systems in place to manage a session.

Firstly if you are using PHP's default system you are employing a file based session system where by a file is created on your server which holds the actual data of the clients session, this file is normally named the same as the session id. The user then has a cookie send to there browser which holds the session id client side.

The setting you are referring to ONLY defines the life of the cookie in the clients browser not the life of the session.

A setting of 0: causes the cookie to last until the browser is closed.

A setting higher than 0: causes the session to last that many seconds and is only terminated after that time. The browser can be opened and closed as many times as the user wants and the cookie will remain until the time of expiry.

I believe but could be wrong that the setting is only the number of seconds from when the cookie is created and not an actual timestamp but I could be wrong.

You can change this setting in your php.ini or you can use a combination of session_get_cookie_params and session_set_cookie_params

Clarification

Ignoring server side. The client holds a cookie which holds the SessionID and allows them to access there session. If the cookie is lost the client no longer has the ability to access the session and is in essence lost.

A value of 0 will cause the clients browser to keep the cookie until the browser is closed. If the user was to keep there browser open for a week, the cookie would be kept for a week.

A value greater than 0 will cause the clients browser to keep the cookie for that number of seconds. E.g. If the value was set to 172800 seconds (2 days) the cookie would be held by the browser for 2 days. If the browser is closed during this 2 days the cookie is not destroyed, it is only lost after 2 days.

Why use 0

Using 0 is more secure because when a user has finished using your website on a public system and close the browser the cookie is lost and the session can no longer be accessed preventing another user from opening the browser and continuing the session. It is not reliable to presume that a user will end the session manually (e.g. logout) as many don't.