Session Handling

tecktalkcm0391
DevNet Resident
Posts: 1030
Joined: Fri May 26, 2006 9:25 am
Location: Florida

Post by tecktalkcm0391 »

I am having a problem keeping users logged in. I was wondering about session.gc_maxlifetime. Could I just use that to set the lifetime to something to keep them logged in forever, or what? See, I am trying to do the "remember me" thing, and I am getting so confused.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Maybe add a cookie so that if a session isn't found it will check for the login key in the cookie and create a new session.
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

As astions alluded to, this is normally referred to as a 'persistent login'.

If you haven't already, I strongly recommend picking up Chris Shiflett's book Essential PHP Security.

Some guidelines (paraphrasing Shiflett from his book):
  • Force the cookie to expire within a reasonable time frame, e.g. a week
  • Create a new cookie upon successful login (every time)
  • If the user is a frequenter, create a new cookie upon successful validation of said cookie to give the user the appearance of an 'indefinite login'
  • View the cookie as a 'remember me' only for 'public events', and not for changing passwords, personal information, etc. Always force a relogin or force password validation prior to allowing the user access to 'sensitive info'
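Putting Benjamin's suggestion (fall back to the cookie when no session exists) and the four guidelines above into code, as an added example that is not from this thread or from Shiflett's book: the token store is a plain array standing in for a database table, and every function, constant and session key name here is an assumption of the example rather than a PHP built-in.

```php
<?php
// Added example: persistent "remember me" login following the thread's guidelines.
// $tokenStore is a stand-in for a DB table; all names below are this example's own.
declare(strict_types=1);

const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 7 * 24 * 3600;  // guideline 1: expire within a week
const REAUTH_WINDOW     = 15 * 60;        // guideline 4: how recent a password login must be

$tokenStore = [];  // selector => ['user_id' => int, 'hash' => string, 'expires' => int]

function cookieOptions(int $expires): array
{
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Guidelines 2 and 3: a brand-new token on every login and on every successful validation.
function issueRememberToken(array &$store, int $userId): void
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_LIFETIME;
    // Only a hash of the validator is stored, so a copied table cannot be replayed as a cookie.
    $store[$selector] = ['user_id' => $userId,
                         'hash'    => hash('sha256', $validator),
                         'expires' => $expires];
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, cookieOptions($expires));
}

function clearRememberCookie(): void
{
    setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600));
}

// Returns the user id the cookie proves, or null. A valid cookie is single-use and is rotated.
function validateRememberCookie(array &$store, string $cookie): ?int
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector] ?? null;
    if ($row === null) {
        clearRememberCookie();
        return null;
    }
    unset($store[$selector]);  // consumed whether or not it checks out
    if ($row['expires'] < time() || !hash_equals($row['hash'], hash('sha256', $validator))) {
        clearRememberCookie();  // expired or tampered: drop it
        return null;
    }
    issueRememberToken($store, $row['user_id']);  // guideline 3: rotate on success
    return $row['user_id'];
}

// Benjamin's suggestion: if there is no session, try to rebuild one from the cookie.
function currentUser(array &$store): ?int
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return $_SESSION['user_id'];
    }
    if (!isset($_COOKIE[REMEMBER_COOKIE])) {
        return null;
    }
    $userId = validateRememberCookie($store, $_COOKIE[REMEMBER_COOKIE]);
    if ($userId === null) {
        return null;
    }
    session_regenerate_id(true);
    $_SESSION['user_id']    = $userId;
    $_SESSION['via_cookie'] = true;  // guideline 4: this session is good for 'public events' only
    return $userId;
}

function loginWithPassword(array &$store, int $userId, bool $rememberMe): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
    unset($_SESSION['via_cookie']);
    if ($rememberMe) {
        issueRememberToken($store, $userId);
    }
}

// Guideline 4: password changes and similar require a recent password login, never a cookie-restored session.
function canAccessSensitivePage(): bool
{
    $recent = !empty($_SESSION['login_at']) && (time() - $_SESSION['login_at']) < REAUTH_WINDOW;
    return $recent && empty($_SESSION['via_cookie']);
}

// Typical request: $uid = currentUser($tokenStore); on the change-password page additionally
// require canAccessSensitivePage(), otherwise redirect to the login form.
```

The selector/validator split means the database lookup is by the random selector and the secret half is compared with hash_equals against its stored hash, so neither a leaked table nor a timing difference in string comparison gives an attacker a usable cookie; the via_cookie flag is what lets the sensitive pages tell a cookie-restored session apart from a real password login.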