-1

I want my website's login session to last a long time, like a year. I have the code below on my index file.

The problem is, I'm logged out of my site after about 30 minutes of inactivity.

How can I make my login session last 1 year?

```php
session_set_cookie_params(31536000, '/', 'www.domain.com');
session_start();
```

Also, I have this code on my php.ini file:

```ini
session.gc_maxlifetime = 31536000
session.cookie_lifetime = 31536000
```
John
  • 2
    You really don't want to do this normally. Think of the storage needed. You can store a cookie & log someone back in, but store _all the session data_ for a year? Well, you can: (1) on shared hosting, define your own session save dir. Make sure it's not a dir wiped on reboots (like `/tmp` often is) (2) set the gc maxlifetime to a year. – Wrikken Jan 25 '14 at 02:06
  • @Wrikken how could I keep user logged in permanently à la Facebook? (Unless they manually click the logout button) – John Jan 25 '14 at 02:08
  • Please, don't repeat the same question again when you don't find a solution for it. Rewrite it and offer a bounty to the original so it gains more attention. – Francisco Presencia Jan 25 '14 at 02:10
  • @FranciscoPresencia okay, I deleted the Cookie question. It's a different question. My last one was about Cookies. This one is about Sessions. – John Jan 25 '14 at 02:10
  • @FranciscoPresencia Thanks for the "Page Not Found" link! ;) – vallentin Jan 25 '14 at 02:11
  • The php.ini won't get read until the server is restarted, which can be days or more in a shared host. In local, try restarting apache. – Francisco Presencia Jan 25 '14 at 02:11
  • 1
    By (1) creating a cookie with some kind of random token & (2) storing that token somewhere & with the user-id it's for (database, files, etc.). Then, if a user visits your site, hasn't got a session, or no user in the session, check for that cookie, and if it exists & points to a user, log the user in. – Wrikken Jan 25 '14 at 02:11
  • @Vallentin, read the comments. He stated that he has deleted it (; – Francisco Presencia Jan 25 '14 at 02:11
  • Keep in mind that if you want to do it with a session cookie, and you're sharing a server, or any site on that server uses a _lower_ session timeout, the sites with the _lowest configured timeout_ will clean up the sessions of all other sites. Hence the remark about having a dedicated session save dir for that site only. – Wrikken Jan 25 '14 at 02:14
  • @Wrikken - Why not link [directly to the best answer](http://stackoverflow.com/a/17266448/451969)? – Jared Farrish Jan 25 '14 at 02:16
  • Extra hint: read the first comment (top voted) from the documentation. There's some sort of "bug" with the function as you are using it. – Francisco Presencia Jan 25 '14 at 02:18
  • 1
    @JaredFarrish: because I only wanted to close the question as yet-another-keep-me-logged-in-question. And as soon as I vote to close, that's the standard comment SO makes of it, which suits me just fine. People should read all the answers, not just the highest or accepted ones ;). – Wrikken Jan 25 '14 at 02:23
  • 1
    @Wrikken - That was tongue in cheek. And, y'know, it's at times annoying when a bad answer is accepted over a superior one. – Jared Farrish Jan 25 '14 at 02:26
  • @JaredFarrish: Ah, check, it's too late here for me to pick up on that (03:27... I really should go to bed :) ). The answer you linked is indeed superior to the one accepted, although the one with the bounty is the only one mentioning that without HTTPS you just might as well forget any security. So, read all the answers still goes :P – Wrikken Jan 25 '14 at 02:34

2 Answers

1

Edit your .htaccess file to add this line:

```apache
php_value session.gc_maxlifetime 31536000
```

31536000 being a year in seconds

TheWebMann
0

Hmm... if you do this, and it works, then a user would spend a full year logged in to your system only to be mysteriously logged out after that year.

Instead, why not store it for a more reasonable time, like 24 hours, or even just leave the default. Then, re-send the cookie when it's close to expiring. This will effectively keep someone logged in forever, provided they're actually active.

Niet the Dark Absol
  • Actually, I would like the login to be permanent unless the user manually logs out. So a permanent session. Is that possible? – John Jan 25 '14 at 02:11
  • That's what I just told you. Re-send the cookie every so often to keep them logged in. – Niet the Dark Absol Jan 25 '14 at 02:17
  • Well, then the horribly put out users would need to visit once every whatever period to regenerate or horror of horrors, use a password. Obviously, too much work. – Jared Farrish Jan 25 '14 at 02:22
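
The random-token cookie described in the comments on the question, combined with the cookie re-sending suggested in the answer above, as an added example that is not code from this thread. The cookie name `remember`, the `auth_tokens` table, the `user_id` session key and the selector:validator token layout are assumptions made for the illustration.

```php
<?php
// Added example, not code from the thread. Needs PHP 7.3+ (setcookie options array) and pdo_sqlite.
// Assumed names: cookie 'remember', table auth_tokens, session key 'user_id'.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL = 31536000; // one year, the lifetime asked about in the question

function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        // In-memory SQLite keeps the example self-contained; a real site uses its persistent database.
        $pdo = new PDO('sqlite::memory:');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY,
            validator_hash TEXT, user_id INTEGER, expires INTEGER)');
    }
    return $pdo;
}

// Create a token for a user who has just logged in. Only a hash of the secret half is stored.
function issueToken(int $userId): string {
    $selector = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    db()->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, ?)')
        ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Return the user id for a valid cookie value, or null. A looked-up token is deleted: single use.
function redeemToken(string $cookie): ?int {
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) return null;
    $stmt = db()->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    db()->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$parts[0]]);
    $ok = hash_equals($row['validator_hash'], hash('sha256', $parts[1]));
    return ($ok && (int) $row['expires'] >= time()) ? (int) $row['user_id'] : null;
}

// Page bootstrap: no user in the session, but a remember cookie is present.
session_start();
if (!isset($_SESSION['user_id']) && is_string($_COOKIE[REMEMBER_COOKIE] ?? null)) {
    $userId = redeemToken($_COOKIE[REMEMBER_COOKIE]);
    if ($userId !== null) {
        session_regenerate_id(true); // new session id for the newly authenticated session
        $_SESSION['user_id'] = $userId;
        // Rotate: a fresh token and a fresh year on every automatic login.
        setcookie(REMEMBER_COOKIE, issueToken($userId), ['expires' => time() + REMEMBER_TTL,
            'path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
}
```

After a normal password login, call `issueToken()` and send the same cookie; on logout, delete the user's rows from `auth_tokens` and expire the cookie. The `secure` flag means the cookie is only sent over HTTPS.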