Makan

Reputation: 2756

setting session.gc_maxlifetime conditionally

I'm creating a login/logout system with PHP, where clients are able to decide whether to use the 'remember me' button or not. In my login.php file, I check to see if they want to be remembered like this:

if(isset($_POST["remember_me"])){
    $_SESSION["remember_me"] = true;
}

Hence, when I want to set gc_maxlifetime, I need to know whether the client should be remembered or not. But as we know, gc_maxlifetime should be set before session_start(), and I can't access the

$_SESSION["remember_me"]

variable. What should I do? Is there any other way to tell the server when a certain session should become subject to the garbage collector?

Thanks in advance.

Upvotes: 2

Views: 465

Answers (1)

Hugo Delsing

Reputation: 14173

I don't think it's a good idea to use sessions for persistent login. For one, because having a different gc_maxlifetime for different sessions won't work. As the manual states:

If different scripts have different values of session.gc_maxlifetime but share the same place for storing the session data then the script with the minimum value will be cleaning the data. In this case, use this directive together with session.save_path.

So unless you also want to change the session storage location, don't go there.

Besides this issue, you are not only keeping his login information alive on the server, but his entire session. If your application stores more data in sessions and you don't clean it up properly, your server ends up with big, long-lasting sessions that may never be used again. Storing large amounts of data in sessions is wrong anyway, but that is another discussion.

For creating a 'remember me' function I would check how-to-securely-implement-a-remember-me-feature on Stack Exchange for some pointers.

Upvotes: 1
