phat_hip_prog Posted October 27, 2013

```php
<?php
$cookieParams = session_get_cookie_params();
session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
session_start();
echo "lifetime: ".$cookieParams["lifetime"]."<br />";
?>
```

why is lifetime always 0?

Strider64 Posted October 27, 2013

```php
// Start the session:
$seconds = 60;
$minutes = 60;
$hours = 24;
$days = 14;
session_set_cookie_params($seconds * $minutes * $hours * $days, "");
session_start();
```

phat_hip_prog Posted October 27, 2013

> ```php
> // Start the session:
> $seconds = 60;
> $minutes = 60;
> $hours = 24;
> $days = 14;
> session_set_cookie_params($seconds * $minutes * $hours * $days, "");
> session_start();
> ```

you do not show printing of the stored expiry date! i need to know if the session cookie was last set to 0 or a time in the future, you see i already set the time in the example

objnoob Posted October 27, 2013

Get the parameters after setting them.

```php
$cookieParams = session_get_cookie_params();
# lifetime is a number of seconds from now, not a timestamp
session_set_cookie_params(31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
$cookieParams = session_get_cookie_params(); // get parameters
session_start();
echo "lifetime: ".$cookieParams["lifetime"]."<br />";
```

phat_hip_prog Posted October 27, 2013

ok, that works, but i need to do it before starting the session because i want to set a different cookie time depending on the existing value

here's my full code: http://forums.phpfreaks.com/topic/283275-sessions/

objnoob Posted October 27, 2013

You cannot use session_get_cookie_params() to get the expiration date of an existing session cookie. It is used to get the configuration values PHP will use when creating the session cookie.

If you need to evaluate the expiration of an existing session cookie, you should store the value in the session.

```php
# check if there is a session cookie
if( ! isset($_COOKIE['SESSION_COOKIE_NAME']) ){
    // no session cookie: set parameters, start session, store cookie time in session
    $lifetime = 31536000;             # cookie lifetime in seconds (one year)
    $cookieTime = time() + $lifetime; # absolute expiry timestamp
    session_set_cookie_params($lifetime, 'SESSION_COOKIE_PATH', 'SESSION_COOKIE_DOMAIN', false, true);
    session_start(); # start session
    $_SESSION['session_cookie_time'] = $cookieTime; # set session variable to remember time
}else{
    // session cookie exists: start session, get cookie time, update cookie if required
    session_start(); # start session
    if( $_SESSION['session_cookie_time'] == SOME_VALUE ){
        $cookieTime = time()+31536000; # updated cookie time
        # update cookie using setcookie (same flags as above, so HttpOnly is kept)
        setcookie( 'SESSION_COOKIE_NAME', session_id(), $cookieTime, 'SESSION_COOKIE_PATH', 'SESSION_COOKIE_DOMAIN', false, true );
        $_SESSION['session_cookie_time'] = $cookieTime; # update session variable to remember time
    }
}
```

phat_hip_prog Posted October 27, 2013

yeah but that uses an extra cookie!

my way works without another cookie, but have to set the session twice

so there is no way to get the expiration date or a session var before starting the session even though the session cookie params need to be set before starting the cookie?

phat_hip_prog Posted October 27, 2013

here's my latest version

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors',E_ALL);
ini_set('session.use_only_cookies', 1);

$cookieParams = session_get_cookie_params();
$loggedin=true;

if(isset($_GET['logout'])){
    //session_set_cookie_params(-31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_start();
    //session_destroy();
    session_regenerate_id(true);
    //setcookie(session_name(), '', time()-42000, '/');
    session_unset();
    //unset($_SESSION['myvar']);
    session_destroy();
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}elseif(isset($_GET['login'])){
    session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_start();
    $_SESSION['myvar']="Logged in";
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}else{
    $cookieParams = session_get_cookie_params();
    echo "lifetime: ".$cookieParams["lifetime"]."<br />";
    /*
    if($cookieParams["lifetime"]>0){
        echo "lifetime: here<br />";
        session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    //if($cookieParams["lifetime"]<=0){
    }else{
        echo "lifetime: There<br />";
        session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    }
    */
    /*
    //echo "myvar222: ".$_SESSION['myvar']."<br />";
    //if(isset($_COOKIE['PHPSESSID'])){
    if(isset($_COOKIE[session_name()])){
        echo "here<br />";
        session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    }else{
        echo "there<br />";
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], false, true);
    }
    */
    session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_start();
    if(isset($_SESSION['myvar'])){
        //session_write_close();
        session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
        //session_start();
        session_regenerate_id(false);
    }
}

//session_regenerate_id();
echo session_id()."<br />";
if(isset($_SESSION['myvar'])){
    echo "myvar: ".$_SESSION['myvar']."<br />";
    echo "<a href='?logout=true'>logout</a><br />";
}else{
    echo "<a href='?login=true'>login</a><br />";
}
?>
```

objnoob Posted October 27, 2013

It does not use an extra cookie. If I call setcookie() and specify the NAME, PATH, DOMAIN, SECURE, HTTP ONLY of an existing cookie... the existing cookie is overwritten.

phat_hip_prog Posted October 27, 2013

ok I understand the setcookie overwrite, wasn't thinking

but when i test for the cookie existence on reopening the browser i'm logged out, see commented out bit in the else.

however using setcookie() does stop me having to regen the session id

```php
<?php
error_reporting(E_ALL);
ini_set('display_errors',E_ALL);
ini_set('session.use_only_cookies', 1);

$cookieParams = session_get_cookie_params();
$loggedin=true;

if(isset($_GET['logout'])){
    session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_start();
    session_regenerate_id(true);
    session_unset();
    //unset($_SESSION['myvar']);
    session_destroy();
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}elseif(isset($_GET['login'])){
    session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_start();
    $_SESSION['myvar']="Logged in";
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}else{
    /*
    if(isset($_COOKIE[session_name()])){
        echo "here<br />";
        session_set_cookie_params(time()+31536000, $cookieParams["path"], $cookieParams["domain"], false, true);
    }else{
        echo "there<br />";
        session_set_cookie_params($cookieParams["lifetime"], $cookieParams["path"], $cookieParams["domain"], false, true);
    }
    */
    session_set_cookie_params(0, $cookieParams["path"], $cookieParams["domain"], false, true);
    session_start();
    if(isset($_SESSION['myvar'])){
        setcookie(session_name(), session_id(), time()+31536000 , $cookieParams["path"], $cookieParams["domain"], false, true);
    }
}

echo session_id()."<br />";
if(isset($_SESSION['myvar'])){
    echo "myvar: ".$_SESSION['myvar']."<br />";
    echo "<a href='?logout=true'>logout</a><br />";
}else{
    echo "<a href='?login=true'>login</a><br />";
}
?>
```

both ways in your example set the time to non zero, i also need to handle session only users

thanks for all help

objnoob Posted October 27, 2013

What are you trying to do? Be specific.

mentalist Posted October 27, 2013 (edited)

oops, not my pc...

phat_hip_prog Posted October 27, 2013

have an optionally stay logged in system and preset the session cookie params (either by setcookie or session_set_cookie_params()) and i'm after doing it all before session start

objnoob Posted October 27, 2013

Sorry, you don't keep a user logged in by altering the session cookie expiration time.

The session cookie expiration time and the session max lifetime are independent values, so setting the session cookie expiration far into the future does not guarantee the session is alive on the server when the user revisits with that session cookie.

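Added example, not part of the thread and not any poster's code: one way to act on the point above that cookie expiry and server-side session lifetime are independent, by recording a deadline in the session itself and enforcing it on every request. The constants, the `persistent` and `expires_at` session keys and both function names are assumptions; the array forms of `session_set_cookie_params()` and `setcookie()` need PHP 7.3 or later, and `secure` assumes the site is served over HTTPS.

```php
<?php
// Added example. Constants, session keys and function names are assumptions.
const REMEMBER_SECONDS = 1209600; // 14 days, the window used in Strider64's reply
const IDLE_SECONDS     = 1800;    // assumed idle limit for browser-session logins

function start_tracked_session(): void
{
    // Server side: idle session data may be garbage-collected after this many
    // seconds. It has to cover the longest cookie lifetime in use, otherwise
    // the cookie outlives the data it points to.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_SECONDS);

    // Client side: lifetime is a number of seconds, not a timestamp, and 0
    // means "until the browser closes". The browser never sends expiry back.
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    // The deadline stored in the session is authoritative, whatever the cookie says.
    if (isset($_SESSION['expires_at']) && $_SESSION['expires_at'] <= $now) {
        $_SESSION = [];
        session_regenerate_id(true);
        return;
    }
    if (!isset($_SESSION['user'])) {
        return; // anonymous visitor: keep the browser-session cookie
    }
    if (!empty($_SESSION['persistent'])) {
        // Persistent login: re-send the same session id with the fixed deadline.
        setcookie(session_name(), session_id(), [
            'expires' => $_SESSION['expires_at'], 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax',
        ]);
    } else {
        $_SESSION['expires_at'] = $now + IDLE_SECONDS; // sliding idle timeout
    }
}

function mark_logged_in(int $userId, bool $persistent): void
{
    session_regenerate_id(true); // new id when the privilege level changes
    $_SESSION['user'] = $userId;
    $_SESSION['persistent'] = $persistent;
    $_SESSION['expires_at'] = time() + ($persistent ? REMEMBER_SECONDS : IDLE_SECONDS);
}
```

The session has to be started before the `persistent` flag can be read, so the cookie is re-sent after `session_start()` rather than configured before it.
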
phat_hip_prog Posted October 27, 2013

i don't alter the expiry date willy nilly, as is, it sets it to a future date if logged in and 0 if not logged in so that the session isn't carried over after the browser is closed

i'm just trying to preset the session cookie rather than doing it after... because, if you don't click "accept all cookies from this site" then you are prompted to accept a cookie (every page request), but if you preset the cookie then you aren't prompted all the time

objnoob Posted October 27, 2013 (edited)

When a user logs in, you should start a session and create a session variable to store the id of the user that logged in.

```php
$auth_user = false; # define auth_user and set to false ( no user logged in )

if(isset($_GET['logout'])){
    session_start();
    unset($_SESSION['user']); # unset the session variable used to store id of the user
    session_destroy();
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}elseif(isset($_GET['login'])){
    session_start();
    $_SESSION['user']=USER_ID; # SET USER ID HERE!
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}else{
    session_start();
    if(isset($_SESSION['user']) && $_SESSION['user']){
        $auth_user = $_SESSION['user'];
    }
}
```

phat_hip_prog Posted October 27, 2013

> When a user logs in, you should start a session and create a session variable to store the id of the user that logged in.
>
> ```php
> $auth_user = false; # define auth_user and set to false ( no user logged in )
>
> if(isset($_GET['logout'])){
>     session_start();
>     unset($_SESSION['user']); # unset the session variable used to store id of the user
>     session_destroy();
>     header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
>     exit();
> }elseif(isset($_GET['login'])){
>     session_start();
>     $_SESSION['user']=USER_ID; # SET USER ID HERE!
>     header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
>     exit();
> }else{
>     session_start();
>     if(isset($_SESSION['user']) && $_SESSION['user']){
>         $auth_user = $_SESSION['user'];
>     }
> }
> ```

that code doesn't handle "stay logged in"

objnoob Posted October 27, 2013

Sure it does. As long as the session cookie is valid and the session is alive, the user is treated as being logged in (authenticated)!

phat_hip_prog Posted October 27, 2013

> Sure it does. As long as the session cookie is valid and the session is alive, the user is treated as being logged in (authenticated)!

but what about after they close the browser and then reopen it?

to do that you'd need to set the expiry date to non zero, but if you set the expiry date non zero for all then even if not logged in and reopen browser then their session id persists (not the session vars because we invalidated them)

objnoob Posted October 27, 2013

The way you're trying to implement a "Remember Me" solution is riddled with security flaws.

objnoob Posted October 27, 2013

First, you should add a checkbox to the login form that says 'Remember Me'.

Next, we'll modify the code to implement the remember me feature...

```php
$auth_user = false; # define auth_user and set to false ( no user logged in )

if(isset($_GET['logout'])){
    session_start();
    unset($_SESSION['user']); # unset the session variable used to store id of the user
    session_destroy();
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}elseif(isset($_GET['login'])){
    # authenticate user; start session
    session_start();
    $_SESSION['user']=USER_ID; # SET USER ID HERE!
    # if the user checked remember me
    if(isset($_GET['chkRememberMe']) && $_GET['chkRememberMe']){
        # the user did check remember me, create a login key cookie that lasts a long time
        $key = $username .':'. hash('sha256', $user_id.$password.'iM_a_HaRdCoDeD_SaLt');
        setcookie('login_key', $key, time()+31536000);
    }
    header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
    exit();
}else{
    session_start();
    if(isset($_SESSION['user']) && $_SESSION['user']){
        $auth_user = $_SESSION['user'];
    }else{
        # user is not logged in, lets check for an auto login key
        if(isset($_COOKIE['login_key'])){
            # key found, process authentication using this key.
            list($username, $key) = explode(':', $_COOKIE['login_key'], 2);
            # get the user id and user password from the database using the username found in the key
            # we store user_id into $user_id, and password into $password
            # now authenticate the key
            if($key === hash('sha256', $user_id.$password.'iM_a_HaRdCoDeD_SaLt')){
                # key is valid
                $_SESSION['user'] = $user_id;
                header("Location: http://". $_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']);
                exit;
            }
        }
    }
}
```

phat_hip_prog Posted October 28, 2013

using $_GET is out of the question!!! (oops you are only doing that for the form, not my choice of handling web forms)

i think you are missing the point about session lifetimes, something your code is still missing

the stay logged in checkbox was purposely missed out for simplicity of the example code

as i said the code i posted works fine, but i have to set the session cookie twice because i can't check before starting the session, even though to avoid extra cookie popups you have to set the session cookie lifetime before starting the session. in reality i'm just looking for a neater, more efficient and less intrusive way!

in your code, you should add something semi random to the key hash, say time (in your case last login time say), as it is the key will be the same across all that users logins, so it'd only need to be cracked once!!!

* in a production environment i have an install salt and a user specific salt, but if doing a hash i'd also add time in somewhere

else all you have to do is check the keyspace of the max salt size, not very safe!

objnoob Posted October 28, 2013 (edited)

Are you smoking crack?

1. i chose $_GET because you're using $_GET already
2. the key is derived from the user's password or password hash. if the user changes password, any old auto login keys will fail authentication.
3. adding something random makes no sense. you can't authenticate randoms!
4. keeping a session open on your server indefinitely is pretty stupid. hello session hijacking!

Anyways, I'm not here to write the code to your exact specifications. I'm here to show an example of how it could be done with no warranties implied!

phat_hip_prog Posted October 28, 2013

> Are you smoking crack?

Hell yeah!

> 1. i chose $_GET because you're using $_GET already

see!!

> 2. the key is derived from the user's password or password hash. if the user changes password, any old auto login keys will fail authentication.
> 3. adding something random makes no sense. you can't authenticate randoms!

you store it!

> 4. keeping a session open on your server indefinitely is pretty stupid. hello session hijacking!

that's called "stay logged in" and it's a year not indefinitely!

show me a way using cookies which isn't susceptible to session hijacking?

and if you'd be so kind show me these flaws it's riddled with?

> Anyways, I'm not here to write the code to your exact specifications. I'm here to show an example of how it could be done with no warranties implied!

all i ever really asked was if it was possible to get the expiry before starting the session since you set the params first, never asked you to write owt kid

the code worked in the first place, just looking for someone who understood achieving it without resetting the session cookie, your example was retrograde whilst telling me it was better!!!

phat_hip_prog Posted October 28, 2013

Anyway never mind the buzzcocks, many thanks for your input.
