I'm using a login function on my site with a session. This session of mine expires after a few minutes, irrespective of whether the user has logged out or not. Now what I want is that the session should only expire when a user logs out. If a user doesn't log out of his account and then comes back after 2-3 days, even then he should appear logged in.

I have found some examples where they have increased the time for a session to expire, but I want it to expire only on the logout event by the user, irrespective of the time he took to log out.

How can I do that?

Edit:

session_cache_expire(0);
session_start();

Is this the right way to do so?

+3  A: 

A solution that is often used in this situation is to:

  • have a not too long session duration: it will expire if the user is not active (that's just the way it works -- and that's better for your server if you have lots of users)
  • when the user logs in, you set a cookie that contains what is needed for him to be recognized
  • if he comes back to the site (with the cookie, and without having an active session), you use the information contained in that cookie to auto-log him in, re-creating the session at the same time.

This way:

  • you don't have thousands of sessions "active" with no good reason
  • you keep the standard way sessions work

And you have the advantage of "never being logged out", at least from the user's point of view.

Also note that with "normal" sessions, the cookie containing the session id will be deleted when the user closes his browser -- so, he will be disconnected, no matter how long the session's lifetime is.
With the solution I propose, you are the one who sets up how long the cookie should remain on the user's computer ;-)


It means, though, that when a user manually logs out, you have to delete both his session and the cookie, of course -- so he's not immediately re-auto-logged-in.


Of course, you have to be careful about what you set in the cookie: a cookie is not quite secure, so don't store a password in it, for instance ;-)


Actually, this way of doing things is how the "remember me" feature often works; except, here, your users will not have to check a checkbox to activate "remember me" ;-)


If you don't have the time to develop that kind of stuff, a pretty quick and dirty way is to use some Ajax request on all your pages, that will just "ping" a PHP page on the server -- this will keep the session active (but it's not quite a good way of doing things: you'll still have LOTS of sessions on the server, you'll have lots of useless requests... and it will only work as long as the user doesn't close his browser).

Pascal MARTIN
I have set a cookie with the user name and a random number concatenated to it, and then I've stored it in the database. When a page is called, I check for the system cookie and match it with the one in the database; if both match, I display the person as logged in, otherwise not. And when a person logs out, I set the cookie to null. Is this the right way? And is this secure?
developer
Seems OK to me, at least -- it will never be "perfect security", as anyone using the guy's computer will be auto-logged-on, but that should be enough, I suppose :-)
Pascal MARTIN
Ya, I understand the security issue. Well, thanks Martin :-)
developer
A: 

Do you remove your cookies while testing? Are cookies enabled? Do you destroy the session somewhere in your code?

Also, see my answer to another post: http://stackoverflow.com/questions/1300990/quick-question-about-sessions-in-php/1301012#1301012 which explains how to stay signed in. Just don't do a cronjob/scheduled task if you want the user to stay logged in forever.

Time Machine
A: 

You can't do that with the PHP internal session handling alone. PHP will always send out the session id in a session cookie, which will expire when the user closes his browser. To achieve some sort of auto-login you'll need some accompanying code that sets a longer-lasting cookie on the user's browser and handles the recognition of these cookies and the mapping between the cookie's value and the respective user account.

Please note that this greatly affects security issues so you'll have to take care of a lot of things. Please read the following on how a possible auto-login feature could be working:

Stefan Gehrig
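
An added example, not part of any of the answers above: one way to implement the long-lived auto-login cookie described in the first and last answers, with a random single-use token whose hash is mapped to the user account in the database. The table name, function names, cookie name and 30-day lifetime are assumptions, and in-memory SQLite stands in for the site's database.

```php
<?php
// Added example, not from the original answers. Table and function names are
// hypothetical; in-memory SQLite stands in for the site's database. PHP >= 7.3.
declare(strict_types=1);

const REMEMBER_TTL = 30 * 86400; // assumed lifetime: 30 days

function remember_schema(PDO $db): void {
    $db->exec('CREATE TABLE remember_tokens (selector TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL, user_id INTEGER NOT NULL, expires INTEGER NOT NULL)');
}
// After a successful password login: store the hash, return the cookie value.
function remember_issue(PDO $db, int $userId): string {
    $selector  = bin2hex(random_bytes(12)); // lookup key, not secret
    $validator = bin2hex(random_bytes(32)); // secret; only its SHA-256 is stored
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}
// On logout (with session_destroy()) and on every use of a token.
function remember_revoke(PDO $db, string $cookie): void {
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')
       ->execute([explode(':', $cookie, 2)[0]]);
}
// No active session: returns [userId, replacementCookieValue], or null to force a login.
function remember_consume(PDO $db, string $cookie): ?array {
    if (!preg_match('/^([0-9a-f]{24}):([0-9a-f]{64})$/', $cookie, $m)) return null;
    $st = $db->prepare('SELECT validator_hash, user_id, expires FROM remember_tokens WHERE selector = ?');
    $st->execute([$m[1]]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    remember_revoke($db, $cookie); // single use, whether or not the validator matches
    if ((int)$row['expires'] < time()) return null;
    if (!hash_equals($row['validator_hash'], hash('sha256', $m[2]))) return null;
    return [(int)$row['user_id'], remember_issue($db, (int)$row['user_id'])];
}
function remember_send_cookie(string $value): void {
    setcookie('remember', $value, ['expires' => time() + REMEMBER_TTL, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
if (PHP_SAPI === 'cli') { // demo with a constructed user id
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    remember_schema($db);
    $first = remember_issue($db, 42);
    [$uid, $second] = remember_consume($db, $first);
    var_dump($uid, $second !== $first, remember_consume($db, $first)); // replay of $first
}
```

When `remember_consume()` returns a user id, call `session_regenerate_id(true)` before filling `$_SESSION`, and send the replacement value with `remember_send_cookie()` so a copied cookie stops working after its first use.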