
edit: and you already have an existing thread for this question - http://forums.phpfreaks.com/topic/298576-session-expires-too-soon/

 

what exactly are you trying to accomplish by extending the session?

 

by definition and design, sessions expire when the browser is (completely) closed or when the garbage collection runs and removes old session data (the default of which is just 1440 seconds old.) you can change these, but you must have a good reason for doing so and understand under what conditions it will work.

You do realize that the value is expressed in seconds?  7200 = 2 hours.  If you insist that you Really need to extend a session for that long, bump up that 7200. 

 

Is this some kind of secured or sensitive application?  Do you really want a session on an unattended pc to just sit there for someone else to walk up and access?

Long-running or even unlimited sessions can be implemented with a “remember-me” feature (just like in this forum).

 

This is done on top of the standard PHP sessions and involves the following steps:

  • If your site doesn't use HTTPS yet, you need it now.
  • The user should have to explicitly request a long-running session (e.g. with a checkbox), because this is only safe in a trusted environment. By default, you should issue a standard PHP session. You don't want the user to be logged in forever on some shared PC.
  • Create a separate database table with the following fields: A hashed identifier, the user ID, the time when the session was started and the time of the last update.
  • If the user checks the “remember me” box in the log-in procedure, you create a secret remember-me identifier with a secure random number generator. For example: bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM)) will generate 16 hexadecimally encoded random bytes. This identifier is stored in a remember-me cookie with the HttpOnly and Secure flag set.
  • You hash the identifier with something like SHA-256. Then you store the hashed identifier, the user ID and the current time in your database table.
  • On every page that involves the session, you first check if a standard PHP session is present. If that's not the case, you check if the user has provided a valid remember-me ID (hash the ID and look it up in your database). If this is the case, you start a new PHP session as if the user had just logged in.

So the remember-me cookie will constantly spawn short-lived standard sessions. To the user, this looks like a single long-running session.

 

Be aware that a remember-me feature is relatively difficult to implement and inherently unsafe. Oftentimes, there are better alternatives:

  • If your users are simply too lazy to type in their password all the time, they should use a password manager with an auto-type feature (like KeePass). Of course it's also possible to store the password in the browser, but then they should set a master password.
  • If you don't want your users to lose unsaved input, simply save the data every few seconds.
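The remember-me flow described in the post above, written out as an added example (it is not the post author's code or phpfreaks' own). It assumes a PDO handle `$db`, a table named `remember_me` with the columns `token_hash`, `user_id`, `created_at`, `updated_at`, MySQL date syntax, and PHP 7.3+ for the `setcookie()` options array; `random_bytes()` is used in place of the post's `mcrypt_create_iv()`, which is removed from current PHP.

```php
<?php
// Added example, not from the original post. Assumes a PDO handle $db and a table
// remember_me(token_hash, user_id, created_at, updated_at); NOW()/INTERVAL are MySQL syntax.
const REMEMBER_COOKIE   = 'remember_me';
const REMEMBER_LIFETIME = 30 * 24 * 3600; // 30 days; assumed policy
// Steps 4-5: call after a successful password login when the "remember me" box was ticked.
function issueRememberMe(PDO $db, int $userId): void
{
    // random_bytes() is the modern equivalent of mcrypt_create_iv(..., MCRYPT_DEV_URANDOM)
    $token = bin2hex(random_bytes(16));                       // 32 hex chars
    // Only the SHA-256 hash is stored, so a leaked table does not yield usable tokens
    $db->prepare('INSERT INTO remember_me (token_hash, user_id, created_at, updated_at)
                  VALUES (?, ?, NOW(), NOW())')
       ->execute([hash('sha256', $token), $userId]);
    setcookie(REMEMBER_COOKIE, $token, [
        'expires'  => time() + REMEMBER_LIFETIME,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}
// Step 6: run at the top of every page that uses the session; returns the user ID or null.
function resumeSession(PDO $db): ?int
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    if (isset($_SESSION['user_id'])) {
        return (int) $_SESSION['user_id'];   // a live standard PHP session exists
    }
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;                          // no cookie, or not something we issued
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id FROM remember_me
                          WHERE token_hash = ? AND created_at > NOW() - INTERVAL 30 DAY');
    $stmt->execute([$hash]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return null;                          // unknown or expired identifier
    }
    // Valid remember-me ID: start a fresh PHP session as if the user had just logged in
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $userId;
    $db->prepare('UPDATE remember_me SET updated_at = NOW() WHERE token_hash = ?')->execute([$hash]);
    return (int) $userId;
}
```

On logout, delete the row for the presented token's hash and clear the cookie, otherwise the remember-me identifier keeps spawning sessions after the user thinks they are signed out.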