Long lasting sessions


Is there a good library or logic to create this: long-lasting (a few years) sessions for user identification? Session management like in Gmail and Facebook would be a bonus.


There are 3 answers

0
Mathieu Dumoulin On

You need to set up a mix of cookies and sessions. Remember that sessions only last until the browser is closed or, even worse, until the time between 2 requests goes over the time limit imposed by the server.

First, to make all this possible you are forced to use cookies. To this end, note that if a user changes browser or flushes his cookies, the permanent session will stop working.

Second thing is to create a hash in the cookie that can only be used from this location for that user. For example: use the hash of REMOTE_ADDR and the userid in your database. Therefore, it doesn't become a security threat because there is no information that can be extrapolated from the cookies apart from a hash that doesn't do much... for now.

Third, when the user is sending a request, check if that cookie is there and use the hash to compare against the same hash in your database. (You can put this hash in the user's table, but I suggest creating another table so that a user can universally log on from several places.) This hash in your database will be the key to retrieving the account that you want to log in.

Fourth, when you find the account to log in, remember to update the hash in the cookies and obviously at this point use the SESSION system within PHP to continue working on your app normally.

This method has been proved successful for many "Remember me" based sites...
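The flow from the answer above (cookie value, separate table, lookup on each visit, replacement on use), as an added example that is not part of the original answer. It stores a random token, hashed with SHA-256, in place of the REMOTE_ADDR/userid hash; the table name `remember_tokens`, the cookie name `remember`, the function names and the two-year lifetime are assumptions.

```php
<?php
declare(strict_types=1);

const LIFETIME = 2 * 365 * 24 * 3600; // two years; assumed value for "few years"

// Called at login when the user ticks "remember me"; returns the cookie value.
function issueToken(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // unguessable; only its hash is stored
    $db->prepare('INSERT INTO remember_tokens (token_hash, user_id, expires) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + LIFETIME]);
    return $token;
}

// Returns [userId, newToken], or null if the token is unknown or expired.
// Tokens are single-use: the presented one is deleted and a fresh one issued.
function redeemToken(PDO $db, string $token): ?array
{
    $hash = hash('sha256', $token);
    $q = $db->prepare('SELECT user_id FROM remember_tokens WHERE token_hash = ? AND expires > ?');
    $q->execute([$hash, time()]);
    $userId = $q->fetchColumn();
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    if ($userId === false) {
        return null;
    }
    return [(int) $userId, issueToken($db, (int) $userId)];
}

// Sends the long-lived cookie; call before any output on a real request.
function sendCookie(string $token): void
{
    setcookie('remember', $token, [
        'expires' => time() + LIFETIME, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
}

// Constructed demo using an in-memory SQLite database (runs from the CLI).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires INTEGER)');

$cookie = issueToken($db, 42);              // login with "remember me"
[$uid, $next] = redeemToken($db, $cookie);  // later visit with no PHP session
var_dump($uid === 42, $next !== $cookie);   // web: $_SESSION['uid'] = $uid; sendCookie($next);
var_dump(redeemToken($db, $cookie));        // replay of the already-used token
```

Because each row belongs to one browser, a user can stay logged in from several places, and deleting that user's rows signs all of them out.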

5
Raj On

While logging in the user, set the session cookie expiration time to +10 years or whatever you want.

2
Your Common Sense On

You are confusing sessions and cookies. A session is something that ends by definition, while a cookie may last forever.

Thus, set a cookie and start another session if an id is received.