Sessions are started via session_start(), I realize that much, but to make sessions persistent, they need an ID.

Now, the php.ini file has a setting:

session.use_cookies = 1

So I don't have to pass the ID around. But there's another setting:

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 0

Am I to understand that if I implement this and go to my website, log in, do what I wanna do, shut the browser down and start it again some time later, that I won't be logged in anymore when I go back to my site?

EDIT: So to stay logged in, I will have to combine this with client-side cookies.

I'm guessing I'll need 2 database fields. 1 for the session ID, 1 for the ID I give to the cookie.

A: 

I would say yes. Do you see otherwise?

Brian
So if I want to still be logged in, I'll have to combine this with client-side cookies?
WebDevHobo
@WebDevHobo: http://stackoverflow.com/questions/1290837/how-do-i-keep-a-user-logged-in-for-2-weeks/1290861#1290861
Time Machine
+2  A: 

I think you understand it correctly, the PHP manual says:

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0.

http://php.net/session.configuration#ini.session.cookie-lifetime

Tom Haigh
A: 

Yes, that is the purpose of a session cookie.

DGM
+2  A: 

Nope, you won't be logged in anymore.

See my answer here: http://stackoverflow.com/questions/1290837/how-do-i-keep-a-user-logged-in-for-2-weeks/1290861#1290861 (See http://www.drupal.org/node/31506 for more information about scheduled tasks, if you want people to be signed out after an amount of time). It might help you.

Check the user agent string (just for security. If a hacker found out a key in some way... he can send a fake cookie and be logged in automatically. For people who switch a browser one time, they can just sign in again once after copying cookies. However, this would be a disaster for people who change or update browser nonstop).

Time Machine
Thanks. A scheduled task you say. Haven't used any of those before, I'll have to look that up.
WebDevHobo
An IP check? Not everyone (including me) has a static IP.
WebDevHobo
Is your external IP static? I didn't know that was possible. Or do you make an intranet site which runs on one network?
Time Machine
For development, it's supposed to run inside my home network. Inside this network, I always have a private, static IP. The outside network however, will change every now and then. It's a setting on our router. Some sites show you your IP when you log in. Mine is the same for 48 hours, then gets changed.
WebDevHobo
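
An added example, not code from any poster in this thread: one way to pair the browser-lifetime session cookie (session.cookie_lifetime = 0) with a separate long-lived "remember me" cookie whose secret is stored only as a hash and is replaced on every use. The auth_tokens table, its columns, the remember_me cookie name and the two-week lifetime are assumptions made for the illustration; issue_remember_token() would also be called once after a normal password login.

```php
<?php
// Added example. Table, column and cookie names are assumptions, not from the thread.
const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL = 14 * 24 * 3600; // two weeks, in seconds

// Create a long-lived token; the database keeps only a hash of the secret half.
function issue_remember_token(PDO $db, int $userId): string
{
    $selector = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret, never stored in clear
    $db->prepare('INSERT INTO auth_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Return the user id for a valid cookie value, or null. A token works only once.
function login_from_cookie(PDO $db, string $cookie): ?int
{
    if (!preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;
    }
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$m[1]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete whatever was presented: valid tokens are rotated, bad ones revoked.
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$m[1]]);
    if (!$row || $row['expires'] < time()
        || !hash_equals($row['validator_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Constructed setup so the example runs on its own (in-memory SQLite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT, user_id INTEGER, expires INTEGER)');

// On each request the session cookie is tried first, then the persistent cookie.
session_start();
if (!isset($_SESSION['user_id']) && isset($_COOKIE[REMEMBER_COOKIE])) {
    $userId = login_from_cookie($db, $_COOKIE[REMEMBER_COOKIE]);
    if ($userId !== null) {
        session_regenerate_id(true); // new session id after re-authentication
        $_SESSION['user_id'] = $userId;
        setcookie(REMEMBER_COOKIE, issue_remember_token($db, $userId), [
            'expires' => time() + REMEMBER_TTL, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
        ]);
    }
}
```

Because the table holds only a SHA-256 hash of the validator, a leaked database row cannot be replayed as a cookie, and hash_equals() keeps the comparison constant-time.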