[ACCEPTED]-how to keep the session active even if the browser was accidentally close?-php

Accepted answer
Score: 26

There are two relevant settings that control a session's lifetime.

The first is session.cookie_lifetime. This is the lifetime of the cookie, which by default is 0, which means the cookie is destroyed when the browser is closed. You can set a longer lifetime by increasing this variable. It is relative to the server time, so you need to account for differences in the time on your clients' machines and your server's. Assuming they were the same, setting the option to e.g. 3600 would mean the session would expire in an hour. If you want to keep the session alive for a very long time, you increase this number.

However, changing this value is not enough. There's also session.gc_maxlifetime, which is the time after which the session data is seen as garbage in the storage and is destroyed. This differs from session.cookie_lifetime because this option checks the last access time of the session data, so it is relative to the time the session data was last used (i.e. when the user was last active). Even if you set your session.cookie_lifetime to a high value, it'll not be enough because session.gc_maxlifetime is relatively low usually (1440 is the default, which is only 24 minutes).

While you can set these settings both to relatively high values and have it working, I would recommend against doing so, as this will leave a lot of unnecessary session data hanging around in your session storage, due to the GC not collecting actual dead sessions (which also increases the chance of someone hijacking a session in a system that is not properly secured). A better approach is making a remember me cookie. Basically you assign the user's ID and some authentication token that you store in the database for each user (this is to prevent someone spoofing the cookie) in the cookie, and give it a long lifetime. In your application's initialization code you'll check if the user is logged in. If he/she is not logged in, you'll check if the remember me cookie is set. If it is, you pull the user from the database based on the user ID in the cookie, and then validate that the authentication token in the db is the same one as in the cookie. If they match, you simply create the session and log the user in automatically.
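The remember-me flow described in the answer above, as an added example that is not part of the original answer. The table and column names, the cookie name and the 30-day lifetime are assumptions; storing only a hash of the token, the cookie flags and the session ID regeneration are hardening choices added here. It assumes PHP 7.3+ and a PDO connection in exception mode.

```php
<?php
// Added example. Assumed (hypothetical) schema:
//   users(id INTEGER PRIMARY KEY, remember_hash TEXT NULL)
const REMEMBER_COOKIE = 'remember_me';      // hypothetical cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30;  // 30 days, constructed value

// Call after a successful password login when "remember me" was requested.
function issueRememberToken(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));     // unguessable value from the CSPRNG
    // Store only a hash, so a leaked users table does not yield usable cookies.
    $stmt = $db->prepare('UPDATE users SET remember_hash = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), $userId]);
    setcookie(REMEMBER_COOKIE, $userId . ':' . $token, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,    // sent over HTTPS only
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Call from the application's initialization code, after session_start().
// Returns the logged-in user ID, or null if the visitor stays anonymous.
function loginFromRememberCookie(PDO $db): ?int
{
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];  // already logged in
    }
    $parts = explode(':', $_COOKIE[REMEMBER_COOKIE] ?? '', 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return null;                        // cookie absent or malformed
    }
    [$userId, $token] = $parts;
    $stmt = $db->prepare('SELECT remember_hash FROM users WHERE id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();         // false: no such user; null: no token
    // hash_equals() compares in constant time.
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
        return null;                        // mismatch: drop the cookie
    }
    session_regenerate_id(true);            // fresh session ID for the new login
    $_SESSION['user_id'] = (int) $userId;
    return (int) $userId;
}
```

On logout or password change, set `remember_hash` to NULL so any outstanding cookie stops working.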

Score: 7

For anyone that comes across this same issue, to keep the session cookie set for a long time is easy: on the login form, when you are creating the session for the first time, use this code. It will set the cookie time for a year (use your own time as needed).

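// Both settings must be applied before session_start() is called.
ini_set('session.cookie_lifetime', 60 * 60 * 24 * 365);
// The INI key uses an underscore: session.gc_maxlifetime.
ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 365);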

That should set the PHPSESSID cookie and your session will be safe... but it is not the most secure way, so use it if you don't mind security issues.

Score: 4

By default, PHP keeps a user's session open until their browser is closed. You can override that behaviour by changing the session.cookie_lifetime INI setting:


However, please see rekot's post for a full answer.
