ajetrumpet Posted September 8, 2020

Can anyone tell me how to modify a timeout for a web app when logged in? Here are the known specs:

=> there is no session hash in the URL when logging in.
=> default timeout for no transacting activity is 5 minutes.

I really have no way to know if the timeout is located in the local cookie or stored in the web app [session] itself. It's a large PHP application that I'm referring to. And before anyone asks, no, it's not a hacking attempt. This is simply an attempt by me to stop this little annoyance. I realize that a lot of people do this sort of thing for security reasons. Also, every transaction on the website (moving from page to page, clicking buttons) results in more than one file with a hash-based name being put in Firefox's cache.

Thanks.

Adam

gw1500se Posted September 8, 2020 (edited)

$_SESSION data is stored on the server. If you run 'phpinfo()' and look for the variable 'session.save_path' you can see exactly where it is. Cookies, on the other hand, are stored on the client.

Edited September 8, 2020 by gw1500se

requinix Posted September 8, 2020

You can see the expiration time of the cookie. Five minutes is really short, though, so I doubt the timeout is coming from an expired cookie. Which means it's server-side and there's nothing you can do about it.

ajetrumpet (Author) Posted September 9, 2020

Thanks guys.

12 hours ago, requinix said:
> You can see the expiration time of the cookie. Five minutes is really short, though, so I doubt the timeout is coming from an expired cookie. Which means it's server-side and there's nothing you can do about it.

req, can you give me any insight into the %age of what web apps being used by companies set timeouts inside of cookie files that sit on a client vs. those that use sessions or any type of "pointer code" in a client cookie file to read server data and detect the timeout expiration? Which method is more common and why? Or is this just one of those pointless arguing topics that software developers go back and forth with forever only to end up in a draw? 😃

requinix Posted September 9, 2020

1 hour ago, ajetrumpet said:
> can you give me any insight into the %age of what web apps being used by companies set timeouts inside of cookie files that sit on a client vs. those that use sessions or any type of "pointer code" in a client cookie file to read server data and detect the timeout expiration?

1 hour ago, ajetrumpet said:
> which method is more common and why? or is this just one of those pointless arguing topics that software developers go back and forth with forever only to end up in a draw? 😃

Forget "common" and think about "purpose".

A session cookie lasts potentially forever, but it disappears when the browser closes. Is "forever" a problem? User authentication should not last forever.

A regular cookie lasts until some particular time, assuming it does not get refreshed. But once that time passes, the data contained by the cookie is lost. Is losing that data a problem? User tracking data should not disappear or else you'll mistakenly count too many users.
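
The following is an added example, not code from any poster in this thread or from the application being discussed. It sketches how a PHP application can enforce an idle timeout from data held in the server-side session, which is why a session cookie with no expiry can still stop working after five minutes; the names `check_idle`, `last_activity` and `IDLE_LIMIT` and the sample timestamps are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Assumed idle limit in seconds: the 5-minute figure mentioned in the thread.
const IDLE_LIMIT = 300;

/**
 * Hypothetical helper: decides from server-side session data alone whether
 * the login is still valid. The browser's cookie only carries the session ID,
 * so nothing the client stores influences this decision.
 *
 * Returns true and refreshes the activity stamp if the session is still live;
 * returns false and clears the session data if the idle limit has passed.
 */
function check_idle(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;

    if (is_int($last) && ($now - $last) > $limit) {
        $session = [];              // forget the login on the server
        return false;
    }

    // First request, or still within the limit: restart the idle clock.
    $session['last_activity'] = $now;
    return true;
}

// In a real page this would run right after session_start():
//   if (!check_idle($_SESSION, time())) {
//       session_destroy();
//       /* redirect to the login page */
//   }

// Constructed demonstration with a plain array standing in for $_SESSION
// and fixed timestamps so the run is repeatable.
$session = ['user_id' => 42, 'last_activity' => 1000];

var_dump(check_idle($session, 1000 + 120)); // request after 2 minutes idle
var_dump(check_idle($session, 1120 + 301)); // next request after 301 seconds idle
var_dump($session);                         // session contents after the second check
```

With a check like this in place, the expiry shown for the cookie in the browser has no bearing on the timeout, because each request is judged against the timestamp stored under `session.save_path` on the server.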