
Session Handling

Posted: Sat Jul 08, 2006 11:53 am
by tecktalkcm0391
I am having a problem keeping users logged in. I was wondering about session.gc_maxlifetime. Could I just use that to set the lifetime to something that keeps them logged in forever, or what? See, I am trying to do the 'remember me' thing, and I am getting so confused.

Posted: Sat Jul 08, 2006 12:03 pm
by Benjamin
Maybe add a cookie, so that if a session isn't found it will check for the login key in the cookie and create a new session.

Posted: Sat Jul 08, 2006 12:23 pm
by bdlang
As astions alluded to, this is normally referred to as a 'persistent login'.

If you haven't already, I strongly recommend picking up Chris Shiflett's book Essential PHP Security.

Some guidelines (paraphrasing Shiflett from his book):
  • Force the cookie to expire within a reasonable time frame, e.g. a week
  • Create a new cookie upon successful login (every time)
  • If the user is a frequenter, create a new cookie upon successful validation of said cookie to give the user the appearance of an 'indefinite login'
  • View the cookie as a 'remember me' only for 'public events', and not for changing passwords, personal information, etc. Always force a relogin or force password validation prior to allowing the user access to 'sensitive info'
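The four guidelines above, put together in one working piece of PHP. This is an added example, not code from the thread or from Shiflett's book, and it assumes a few things the posts do not spell out: a `persistent_logins` table (schema in the comment), a `$db` PDO handle in exception mode, that `session_start()` has already run, and the function and session-key names used here (`issueRememberCookie`, `loginFromRememberCookie`, `requireRecentPassword`, `$_SESSION['login_via']`, `$_SESSION['password_at']`) are all the example's own choices. The cookie carries a public selector and a secret validator; only the validator's hash is stored, so a leaked database does not hand out usable cookies.

```php
<?php
declare(strict_types=1);

// Assumed table (not in the original thread):
//   CREATE TABLE persistent_logins (selector TEXT PRIMARY KEY, validator_hash TEXT,
//                                   user_id INTEGER, expires INTEGER);
// Assumed: session_start() has already run and $db is a PDO instance using ERRMODE_EXCEPTION.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 7 * 24 * 60 * 60;   // one week: the cookie must expire (guideline 1)

/** Store a new token and hand the browser its selector:validator pair. */
function issueRememberCookie(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key, 18 hex chars
    $validator = bin2hex(random_bytes(32));  // secret half; only its hash is stored server-side
    $expires   = time() + REMEMBER_TTL;

    $db->prepare('INSERT INTO persistent_logins (selector, validator_hash, user_id, expires)
                  VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not exposed to JavaScript
        'samesite' => 'Lax',
    ]);
}

function deleteToken(PDO $db, string $selector): void
{
    $db->prepare('DELETE FROM persistent_logins WHERE selector = ?')->execute([$selector]);
}

/** Password login: always issue a fresh cookie when the user asked to be remembered (guideline 2). */
function loginWithPassword(PDO $db, int $userId, bool $remember): void
{
    session_regenerate_id(true);            // new session id on privilege change
    $_SESSION['user_id']     = $userId;
    $_SESSION['login_via']   = 'password';
    $_SESSION['password_at'] = time();
    if ($remember) {
        issueRememberCookie($db, $userId);
    }
}

/**
 * Called on every request when $_SESSION carries no user. Returns the user id on
 * success or null. A valid token is consumed and replaced (guideline 3), so the
 * returning visitor keeps an apparently indefinite login while each cookie value
 * is only ever accepted once.
 */
function loginFromRememberCookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (substr_count($raw, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $raw, 2);

    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM persistent_logins WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    // Compare hashes in constant time; a wrong validator for a known selector means the
    // cookie is stale or forged, so the token is dropped either way.
    $valid = hash_equals((string) $row['validator_hash'], hash('sha256', $validator))
          && (int) $row['expires'] >= time();
    deleteToken($db, $selector);
    if (!$valid) {
        setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
        return null;
    }

    $userId = (int) $row['user_id'];
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['login_via']   = 'cookie';    // guideline 4: good enough for public pages only
    $_SESSION['password_at'] = 0;
    issueRememberCookie($db, $userId);      // rotate: the value just presented was deleted above
    return $userId;
}

/** Guard for password changes, address edits, etc.: demand a recent password login (guideline 4). */
function requireRecentPassword(int $maxAgeSeconds = 900): void
{
    $fresh = ($_SESSION['login_via'] ?? '') === 'password'
          && time() - (int) ($_SESSION['password_at'] ?? 0) <= $maxAgeSeconds;
    if (!$fresh) {
        header('Location: /reauth.php?next=' . urlencode($_SERVER['REQUEST_URI'] ?? '/'));
        exit;
    }
}
```

At the top of every page, after `session_start()`, call `loginFromRememberCookie($db)` whenever `$_SESSION['user_id']` is empty; pages that change the password or personal details call `requireRecentPassword()` first, which sends a cookie-restored visitor back through the password form. The PHP session itself keeps its normal short `session.gc_maxlifetime`; the persistence lives in the cookie and the server-side token row, which is what makes a one-week expiry and per-use rotation possible without touching the session garbage collector.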