How to keep a session active, even if the browser was accidentally closed?

I want to add something to my site. How can I maintain an active user session even if the user accidentally closed the browser? For example, on Facebook: if you go to the site and close the tab or the browser, when you open the browser again and visit Facebook, it automatically detects the active user and does not redirect you to the login page. How should I do it? Thank you.

+4
4 answers

There are two relevant settings that control the session lifetime.

First, session.cookie_lifetime. This is the cookie lifetime, which by default is 0, which means that the cookie is destroyed when the browser is closed. By increasing this value you can set a longer life. It is computed in server time, so you need to consider the time differences between your clients' machines and your server. Assuming they are the same, setting the option to, for example, 3600 means that the session will expire in an hour. If you want to keep the session for a very long time, you increase this number.

However, this is not enough. There is also session.gc_maxlifetime, which is the time after which the session data is considered garbage in the storage and destroyed. This is different from session.cookie_lifetime because this option checks the last access time of the session data, so it refers to the time the session data was last used (i.e. when the user was last active). Even if you set session.cookie_lifetime to a high value, that will not be enough because session.gc_maxlifetime is usually relatively low (1440 is the default value, which is only 24 minutes).

Even though you can set these parameters to relatively high values and work with them, I would recommend not doing so, as this will leave a lot of unnecessary session data hanging around in your session store because the GC does not collect the current ones (which also increases the likelihood that someone will capture a session in a system that is not properly protected). The best approach is a remember-me cookie. Basically, you store in a cookie a user ID and some authentication token that you also store in the database for each user (this is so that nobody can fake the cookie), and give the cookie a long lifetime. In the initialization code of your application, you check whether the user is logged in. If he/she is not logged in, you check whether the remember-me cookie is set. If so, you pull the user out of the database based on the user ID in the cookie, and then check that the authentication token in the DB is the same as the one in the cookie. If they match, you simply create a session and automatically log the user in.

+18
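The remember-me flow described in the answer above, as an added example that is not part of the original answer or page. It goes slightly beyond the answer in two places: the cookie carries a random selector plus a random validator instead of the raw user ID and token, and the database stores only a SHA-256 hash of the validator, so a leaked table does not yield usable cookies. The table name, the constants and the helper function names are assumptions; an in-memory SQLite database is used so the file runs stand-alone from the command line.

```php
<?php
declare(strict_types=1);

// Added example (not from the original answer). Assumed names throughout:
// REMEMBER_COOKIE, REMEMBER_TTL, the remember_tokens table and the helpers.

const REMEMBER_COOKIE = 'remember_me';
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days, in seconds

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // In-memory SQLite so the example runs offline; a real app uses its own DB.
        $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $pdo->exec('CREATE TABLE remember_tokens (
            selector   TEXT PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            token_hash TEXT NOT NULL,
            expires_at INTEGER NOT NULL)');
    }
    return $pdo;
}

// Called right after a successful password login when the user ticked "remember me".
// Returns the cookie value so a caller (or a test) can inspect it.
function issueRememberMe(int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // public lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $stmt = db()->prepare('INSERT INTO remember_tokens (selector, user_id, token_hash, expires_at)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, $userId, hash('sha256', $validator), time() + REMEMBER_TTL]);

    $value = $selector . ':' . $validator;
    if (!headers_sent()) {
        setcookie(REMEMBER_COOKIE, $value, [
            'expires'  => time() + REMEMBER_TTL,
            'path'     => '/',
            'secure'   => true,   // only sent over HTTPS
            'httponly' => true,   // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
    }
    return $value;
}

// Called from application bootstrap when there is no logged-in session.
// Returns the user ID to log in, or null if the cookie is missing, malformed,
// expired or does not match the stored hash.
function userFromRememberMe(?string $cookieValue): ?int
{
    if ($cookieValue === null || substr_count($cookieValue, ':') !== 1) {
        return null;
    }
    [$selector, $validator] = explode(':', $cookieValue, 2);
    $stmt = db()->prepare('SELECT user_id, token_hash, expires_at FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of two equal-length hex digests: no timing leak on the validator.
    if (!hash_equals($row['token_hash'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['user_id'];
}

// Bootstrap logic matching the answer: check the session first, the cookie second.
function bootstrapSession(): ?int
{
    session_start();
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];
    }
    $userId = userFromRememberMe($_COOKIE[REMEMBER_COOKIE] ?? null);
    if ($userId !== null) {
        session_regenerate_id(true);   // fresh session ID when the privilege level changes
        $_SESSION['user_id'] = $userId;
    }
    return $userId;
}

// Stand-alone demonstration (CLI): issue a cookie for user 42, then validate it
// along with two cookies that must be rejected.
if (PHP_SAPI === 'cli') {
    $cookie = issueRememberMe(42);
    assert(userFromRememberMe($cookie) === 42);
    assert(userFromRememberMe('bogus:' . str_repeat('0', 64)) === null);   // unknown selector
    assert(userFromRememberMe(substr($cookie, 0, -1) . 'x') === null);       // tampered validator
    echo "remember-me round trip ok\n";
}
```

The selector lets the lookup use an indexed equality match while the secret part is only ever compared through hash_equals(); deleting the row (on logout or password change) invalidates the cookie immediately, which is the one thing a long session.cookie_lifetime cannot give you.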

By default, PHP keeps the user session open until the browser closes. You can override this behavior by changing the session.cookie_lifetime INI parameter:

http://www.php.net/manual/en/session.configuration.php

However, please see rekot's post for a complete answer.

+4

For those facing the same problem, keeping a session cookie for a long time is easy: in the login form, when you create the session for the first time, use this code. It will set the cookie lifetime to a year (use whatever time you need).

 <?php
 // Both settings must be changed before session_start(); the cookie lifetime
 // applies to the session cookie this request issues, gc_maxlifetime to the
 // server-side session data. Note the underscores in the setting names.
 ini_set('session.cookie_lifetime', 60 * 60 * 24 * 365);
 ini_set('session.gc_maxlifetime', 60 * 60 * 24 * 365);
 session_start();

This should set the PHPSESSID cookie and your session will be kept ... but it is not the safest way, so use it only if you do not mind the security issues.

+4

You must use cookies: http://php.net/manual/en/function.setcookie.php

Just store a unique value there that will help you identify the user.

In any case, I strongly recommend that you use some kind of framework, such as CodeIgniter or Zend Framework, unless you know exactly how this works. It is easy to make critical errors in this code, and most frameworks are already well tested and safe to use.

0

Source: https://habr.com/ru/post/1396997/

