
setting multiple PHPSESSID durations - asking for trouble?

Greetings,

I want users to select the duration time of their sessions. I'm able to
do it by setting the PHPSESSID cookie duration. Is this reliable, or is
it not recommended for some reason?

This is the test:
open browser, close browser, reopen browser

if (empty($_COOKIE["PHPSESSID"])) // opened browser first time - no session
{
    // create a session
    session_start();

    // modify cookie duration
    myCookieAdd("PHPSESSID", session_id(), $userSelectedNbHours);

    // set some variable
    $_SESSION["bozo"] = 'clown';
}
else // reopened browser - cookie still exists, variable still exists
{
    session_start();
    echo $_SESSION["bozo"]; // prints "clown"
}

Any thoughts?

Jun 13 '06 #1


> I want users to select the duration time of their sessions. I'm able to
> do it by setting the PHPSESSID cookie duration. Is this reliable, or is
> it not recommended for some reason?


It's something you need to depend on the browser doing, so it's
unreliable. Don't depend on it for high security, especially against
tampering by users. Also don't depend on it for accurate timing;
a browser may only expire cookies when it starts up or shuts down
(not just opening/closing one window), and it uses the browser's
clock (which may or may not be set with the correct year) rather
than the server clock. If the user WANTS it to work correctly, and
others don't use that computer, you're probably OK.

It's also possible to track the expiration time of a session in the
session data in $_SERVER. If the session has expired, you make
them log in again. You might also want to track the LAST hit rather
than time of login (like you're doing by setting the cookie with a
new expiration time every time).

Gordon L. Burditt
Jun 13 '06 #2
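
The server-side approach from the reply above, as an added example that is not part of the original thread: the user-selected lifetime and the time of the last hit are stored with the session (here in $_SESSION) and checked against the server clock on every request, so the cookie's own expiry is only a convenience. The function names and the MAX_HOURS and IDLE_SECONDS policy values are assumptions.

```php
<?php
// Added example: session lifetime enforced on the server, not by the browser.
// sess_begin/sess_valid, MAX_HOURS and IDLE_SECONDS are hypothetical names/values.
const MAX_HOURS    = 24;    // upper bound on what a user may select
const IDLE_SECONDS = 1800;  // idle timeout, measured from the last hit

// Record the chosen lifetime at login. The user's choice is clamped
// server-side, so a tampered form value cannot extend the session.
function sess_begin(array &$s, int $hours, int $now): void
{
    $hours = max(1, min($hours, MAX_HOURS));
    $s['expires_at'] = $now + $hours * 3600;  // absolute deadline
    $s['last_hit']   = $now;                  // start of the idle window
}

// Return true if the session is still valid and refresh last_hit;
// otherwise wipe the session data and return false.
function sess_valid(array &$s, int $now): bool
{
    if (!isset($s['expires_at'], $s['last_hit'])) {
        return false;                         // no login recorded
    }
    $expired = $now >= $s['expires_at'];
    $idle    = $now - $s['last_hit'] > IDLE_SECONDS;
    if ($expired || $idle) {
        $s = [];                              // drop stale data
        return false;
    }
    $s['last_hit'] = $now;
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Per-request wiring under a web server.
    session_start();
    if (!sess_valid($_SESSION, time())) {
        session_regenerate_id(true);          // fresh ID for the next login
        // Show the login form here; after a successful login call
        // sess_begin($_SESSION, (int) $_POST['hours'], time());
    }
} else {
    // Constructed walk-through with a fake clock (seconds).
    $s = [];
    sess_begin($s, 500, 1000);                // user asks for 500 hours
    var_dump($s['expires_at'] - 1000);        // lifetime actually granted
    var_dump(sess_valid($s, 1600));           // 10 minutes after login
    var_dump(sess_valid($s, 1600 + 1801));    // idle for over 30 minutes
}
```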
