Do you have a question? Post it now! No Registration Necessary. Now with pictures!
- Posted on
June 13, 2006, 3:25 pm
rate this thread
I want users to select the duration time of their sessions. I'm able to
do it by setting the PHPSESSID cookie duration. Is this reliable, or is
it not recommended for some reason?
This is the test :
open browser, close browser, reopen browser
if( ! $_COOKIE["PHPSESSID"]) // opened browser first time - no session
// create a session
// modify cookie duration
// set some variable
else // reopened browser - cookie still exists, variable still exists
echo $_SESSION["bozo"]; // prints "clown"
Re: setting multiple PHPSESSID durations - asking for trouble?
It's something you need to depend on the browser doing, so it's
unreliable. Don't depend on it for high security, especially against
tampering by users. Also don't depend on it for accurate timing;
a browser may only expire cookies when it starts up or shuts down
(not just opening/closing one window), and it uses the browser's
clock (which may or may not be set with the correct year) rather
than the server clock. If the user WANTS it to work correctly, and
others don't use that computer, you're probably OK.
It's also possible to track the expiration time of a session in the
session data in $_SERVER. If the session has expired, you make
them log in again. You might also want to track the LAST hit rather
than time of login (like you're doing by setting the cookie with a
new expiration time every time).
Gordon L. Burditt