#1234 Make Session Never Expire

open
nobody
None
1
2017-05-21
2017-05-17
Anonymous
No

Hi all,

I'm using php session type. I'd like to achieve that users do not have to log in very often.
The system should behave like sites where you have a "Stay logged in" checkbox in the login form.

Currently my changes in config.inc.php are the following:

$auth["session_cookie"]["include_ip"] = FALSE;
$auth["session_php"]["session_expire_time"] = (60*60*24*365); // one year

Is it possible to configure the session so that the user never has to log in a second time unless he hits "logout"?

Discussion

  • John Beranek

    John Beranek - 2017-05-18

    You've got a few issues there...

    If you use the 'php' session type you're going to hit PHP's session "garbage collector" when trying to make sessions last as long as a year. PHP keeps sessions on disk as files, so has code to delete sessions after a configured time.

    This is explained under:

    http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

    If you don't want to mess about with PHP configuration, you'd be better off with the 'cookie' session scheme. For that you need to set $auth["session_cookie"]["session_expire_time"] too.

     
  • John Beranek

    John Beranek - 2017-05-18

    Oh, and if you want your cookies to be secure, you really should set $auth["session_cookie"]["secret"] too.

     
  • Anonymous

    Anonymous - 2017-05-21

    Thanks for giving advice. I changed the auth configuration as you suggested ("..." is a placeholder) and set the expire time to 5 years which should be sufficient.

    $auth["session"] = "cookie";
    $auth["session_cookie"]["secret"] = "...";
    $auth["session_cookie"]["include_ip"] = FALSE;
    $auth["session_cookie"]["session_expire_time"] = (60*60*24*365*5);
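
Why the advice above to set a cookie secret matters, as an added example that is not part of the thread and not MRBS's own code: a generic HMAC-signed session cookie carrying its own expiry. The function names `make_token` and `check_token`, the payload layout and the sample users are assumptions made for illustration.

```php
<?php
// Added illustration of a signed, self-expiring session cookie.
// Hypothetical helpers; this is not how MRBS necessarily builds its cookie.

function make_token(string $user, int $lifetime, string $secret, int $now): string
{
    $payload = base64_encode(json_encode(['user' => $user, 'expiry' => $now + $lifetime]));
    // The MAC binds the payload to the server-side secret.
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function check_token(string $token, string $secret, int $now): ?string
{
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;                      // malformed cookie
    }
    [$payload, $mac] = $parts;
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;                      // payload altered or signed with another key
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['user'], $data['expiry'])) {
        return null;                      // payload is not the expected structure
    }
    if ($now >= $data['expiry']) {
        return null;                      // lifetime is enforced by the server, not the browser
    }
    return $data['user'];
}

// Constructed sample values.
$secret     = bin2hex(random_bytes(32));  // long random secret, generated once and stored in config
$now        = time();
$five_years = 60 * 60 * 24 * 365 * 5;

$token = make_token('alice', $five_years, $secret, $now);

// Case 1: the genuine cookie, presented within its lifetime.
var_dump(check_token($token, $secret, $now));

// Case 2: payload replaced with another user, MAC reused from the genuine cookie.
$swapped = base64_encode(json_encode(['user' => 'admin', 'expiry' => $now + $five_years]));
var_dump(check_token($swapped . '.' . explode('.', $token)[1], $secret, $now));

// Case 3: a cookie signed with a guessed secret instead of the server's.
var_dump(check_token(make_token('admin', $five_years, 'guessed', $now), $secret, $now));

// Case 4: the genuine cookie presented after its expiry time.
var_dump(check_token($token, $secret, $now + $five_years));
```

In a scheme like this, the secret is the only check on the cookie's contents for its whole lifetime, so with a multi-year expiry it should be long, random and kept out of version control.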