problem with session_set_cookie_params

[bitt3n]

I am trying to set the session cookie to expire immediately, if the user specifies he is accessing the site from a public computer, and to expire after 100 days otherwise.

I use session_set_cookie_params(), and the session cookie expiration date updates properly, but the session behaves in the following strange way:

After setting the session cookie to expire in 0 days and then closing and reopening my browser and going to my site, I get logged in automatically (meaning the session is still active).

Here is what session_get_cookie_params() returns (which shows the session cookie has a life of 0 days):

session cookie params are Array ( [lifetime] => 0 [path] => / [domain] => [secure] => )

Then if I log out and log into the site again and specify that the cookie should be set to expire at 100 days, I close and re-open the browser and no longer get logged in automatically (suggesting that the session has expired. In this case session_get_cookie_params() returns:

session cookie params are Array ( [lifetime] => 8640000 [path] => / [domain] => [secure] => )

What is the source of this mystery, where an expired session logs me in, and an unexpired one does not?

[bitt3n]

I have been trying to fix this all day and am about to put my foot through my computer monitor. Any suggestions would be greatly appreciated and may help me avoid a visit to the hospital and subsequently, the computer store.

[michaellunsford]

you might try setting the expiration to NULL for the expire immediately one.

the expiration of the other you neglected to add the current date to the 100 days: time() + 8640000

[bitt3n]

using NULL sets the expiration to 0, with the same (bad) result. :(

according to php.net, unlike setcookie, session_set_cookie_params does not take a timestamp.

here is what one comment says, and several other comments confirm it along with my php reference book:

The first argument to session_set_cookie_params is the number of seconds in the future (based on the server's current time) that the session will expire. So if you want your sessions to last 100 days:

$expireTime = 60*60*24*100; // 100 days
session_set_cookie_params($expireTime);

I was using time()+$expireTime, which is WRONG (a lot of the session_set_cookie_params() examples I found get this wrong, but probably don't care because they are just doing "infinite" sessions).

---------

It makes no sense that the session cookie would have the right expiration value, but the session persistence would not be reliably affected by the expiration date. this is driving me insane.

[michaellunsford]

yep, you're right about the timestamp. I have it right in my own code, but the mind plays tricks.

Have you checked the server's time to make sure it's right (or close)? You'd be surprised how many times I had that problem.

[bitt3n]

yes the server is only 35 seconds different (slower) than my local computer's time.. and setting the session cookie expiration for -100 days and 100 days for login_temp=true and login_temp=false respectively doesn't help. :(

[michaellunsford]

if I use the following code:

[code=php:0]session_name("test_session");
session_set_cookie_params(NULL,"/");
session_start();[/code]


I get a cookie called "test_session" associated with my domain that has no expiration date. If I close my browser and reopen, the cookie is gone. I named the cookie so I could easily find it in my browser, but you might try the same thing just so you know it's a clean session.