setting multiple PHPSESSID durations - asking for trouble?

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!

Threaded View

I want users to select the duration time of their sessions. I'm able to
do it by setting the PHPSESSID cookie duration. Is this reliable, or is
it not recommended for some reason?

This is the test :
open browser, close browser, reopen browser

if( ! $_COOKIE["PHPSESSID"]) // opened browser first time - no session
   // create a session

   // modify cookie duration
  myCookieAdd("PHPSESSID",session_id(), $userSelectedNbHours);

  // set some variable

else  // reopened browser - cookie still exists, variable still exists
  echo $_SESSION["bozo"]; // prints "clown"

any thoughts?

Re: setting multiple PHPSESSID durations - asking for trouble?

Quoted text here. Click to load it

It's something you need to depend on the browser doing, so it's
unreliable.  Don't depend on it for high security, especially against
tampering by users.  Also don't depend on it for accurate timing;
a browser may only expire cookies when it starts up or shuts down
(not just opening/closing one window), and it uses the browser's
clock (which may or may not be set with the correct year) rather
than the server clock.  If the user WANTS it to work correctly, and
others don't use that computer, you're probably OK.

It's also possible to track the expiration time of a session in the
session data in $_SERVER.  If the session has expired, you make
them log in again.  You might also want to track the LAST hit rather
than time of login (like you're doing by setting the cookie with a
new expiration time every time).

                    Gordon L. Burditt

Site Timeline