I want the users of my application to stay logged in for very long periods of time. The problem is that the session expires on the server end, thus losing variables stored in the session. So, I'm setting the session to expire in 10 days.

My question is: Are there any security or performance issues with setting the GC expiry and cookie lifetime to 10 days?

    ini_set('session.cookie_lifetime', 864000);
    ini_set('session.gc_maxlifetime', 864000);

Thank you :)

+2  A: 

Obviously the greater the session timeout the greater the risk of cookie/session hijacking but unless you're dealing with highly sensitive information (health records, online banking, etc) I would be inclined to do as you do. In fact I have.

cletus
Thanks. My thinking was: It's got to be better than storing it in the DB and retrieving it each time the session expires. Cheers!
Amer
A: 

You will increase the risk of session hijacking.

I would periodically call session_regenerate(). That would mitigate the risk for users that actually log in, but do nothing for those who don't.

Daren Schwenke
The only other way that popped to my mind to keep a user logged in is a 'remember me' cookie, but on second thought, it will also be vulnerable to session hijacking. The app I'm building does not deal with any sensitive information, so session hijacking will be unlikely. Oh, and I already use session_regenerate(), just that I want the user to stay logged in even if he takes no actions or leaves the site for a whole day. Thank you :)
Amer
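Added example (not the asker's or the answerers' code): the 10-day lifetime from the question combined with the periodic id rotation the second answer recommends, plus an absolute cap and the cookie flags that limit what a stolen cookie is good for. It assumes the site is served over HTTPS and PHP 7.3 or newer (for the `samesite` cookie option).

```php
<?php
// Added example: a long-lived PHP session (10 days, as in the question) with
// the mitigations that reduce the hijacking risk the answers describe.
// Assumptions: HTTPS, PHP >= 7.3 (samesite key in session_set_cookie_params).

const SESSION_LIFETIME    = 864000;  // 10 days, the value from the question
const REGENERATE_INTERVAL = 1800;    // rotate the session id every 30 minutes
const ABSOLUTE_MAX_AGE    = 864000;  // hard cap, regardless of activity

// Server-side record and cookie live for the same period, so the cookie never
// outlives the data it refers to (the mismatch the asker ran into).
ini_set('session.gc_maxlifetime', (string) SESSION_LIFETIME);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
ini_set('session.use_only_cookies', '1');  // never accept ids from the URL

session_set_cookie_params([
    'lifetime' => SESSION_LIFETIME,        // same as session.cookie_lifetime
    'path'     => '/',
    'domain'   => '',                      // assumption: current host only
    'secure'   => true,                    // assumption: HTTPS only
    'httponly' => true,                    // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();
$now = time();

// Absolute expiry: even an active, regenerated session ends after 10 days.
// session_regenerate_id(true) issues a fresh id and deletes the old record.
if (isset($_SESSION['created_at']) && $now - $_SESSION['created_at'] > ABSOLUTE_MAX_AGE) {
    $_SESSION = [];
    session_regenerate_id(true);
}
if (!isset($_SESSION['created_at'])) {
    $_SESSION['created_at']       = $now;
    $_SESSION['last_regenerated'] = $now;
}

// Periodic rotation (session_regenerate_id(), which the second answer means by
// session_regenerate()): a copied id stops working once the interval passes.
// Passing true removes the old server-side record so the old id is dead, and
// the new Set-Cookie also refreshes the 10-day cookie expiry for active users.
if ($now - $_SESSION['last_regenerated'] > REGENERATE_INTERVAL) {
    session_regenerate_id(true);
    $_SESSION['last_regenerated'] = $now;
}
```

Note that a runtime ini_set() does not affect the cron-driven session cleanup some distributions use (Debian and Ubuntu ship with gc_probability set to 0 and a cron job that uses the php.ini value), and applications sharing one save_path are cleaned with the shortest gc_maxlifetime among them; set the value in php.ini or give the application its own session.save_path.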