Bug #77251 Automatically extend PHP session cookie on each request
Submitted: 2018-12-06 13:26 UTC Modified: 2021-09-10 15:50 UTC
Votes:8
Avg. Score:3.5 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:2 (33.3%)
From: mumu at seznam dot cz Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: 7.2.12 OS: N/A
Private report: No CVE-ID: None

 [2018-12-06 13:26 UTC] mumu at seznam dot cz
Description:
------------
The built-in PHP session logic sends a cookie containing a session id when the session_start() call generates a new session id. The cookie's expiration date is set based on the cookie_lifetime setting.

However, the cookie is not resent on subsequent requests so its expiration date is never updated which causes that the cookie might expire before the session expiration.

The PHP sessions have two distinct timeouts:
- cookie expiration - when the browser forgets the cookie containing the session id
- session expiration - when the server forgets the session data

Example:
- The PHP session and cookie life is set to 5 time points
- A user interacts with the site at time points 1, 2 and 4. After each interaction, the expirations are as follows:
timepoint / PHP session expiration / cookie expiration
1 / 6 / 6
2 / 7 / 6
4 / 9 / 6
- If the user then interacts with the site at time point 7, the cookie is already expired so it will not be sent to the server. As such, the request will behave as if the PHP session has expired even though the PHP session is technically valid.

To make the PHP sessions useful for this scenario, I suggest that PHP send the session cookie on each request so the cookie's expiration time is properly kept up to date.

Expected result:
----------------
The cookie expiration date is kept up to date so it is always cookie_lifetime after the respective session was last accessed.

Actual result:
--------------
The cookie expiration date is frozen at cookie_lifetime after the respective session was created.

History

 [2018-12-06 15:01 UTC] spam2 at rhsoft dot net
session cookies have no cookie expiration - the definition of a session cookie is that it has a TTL of 0, which makes it a session cookie, meaning it's gone when you close the browser
 [2018-12-06 15:07 UTC] mumu at seznam dot cz
That's a definition for a 'session cookie' from a browser point of view, not from a PHP point of view.

I would like the PHP session to be kept alive even when the browser is closed and then reopened.

For example, the user logs into the web site and closes the browser. After the user reopens the browser again soon enough, the user will still be logged into the website.
 [2018-12-06 15:10 UTC] spam2 at rhsoft dot net
then code it yourself with your own cookie as everybody out here does in combination with "remember login" checkboxes leading to trigger a re-login, but don't try to abuse SESSION COOKIES for what they are not
 [2018-12-08 07:13 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Type: Feature/Change Request +Type: Bug -Assigned To: +Assigned To: yohgaki
 [2018-12-08 07:13 UTC] yohgaki@php.net
Although session.c calls php_session_reset_id() within php_session_initialize(), it does not send session cookie header because PS(send_cookie) flag is 0 when session cookie is present.
 [2020-06-16 11:01 UTC] php dot net at itsacon dot net
As of June 2020, this bug still exists.

It basically means that if, for security reasons, you limit the lifetime of the session cookie, you automatically limit the lifetime of your sessions as well, regardless of user activity.

We have a script that sends keepalives every 10 seconds, and it still gets kicked out after the session cookie expires.

The only workaround I've found is calling session_regenerate_id() on every call, but that has its own set of side-effects.

It would be nice if responses would automatically send an updated cookie along, so any server call would reset the lifetime. If that's not possible, a session_refresh_cookie() function might be an acceptable solution.
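The report above describes the two timeouts (browser-side cookie expiry versus server-side session expiry) drifting apart, and this comment describes the workaround of calling session_regenerate_id() on every request. The following is an added example, not code from the bug report or from PHP itself, showing the lighter-weight userland workaround: re-issue the existing session cookie on every request with setcookie(), using the parameters session_start() was configured with, so the cookie expiry always tracks the last access. The IDLE_LIFETIME constant, the last_activity session key and the refresh_session_cookie() function name are assumptions chosen for the example; it targets PHP 7.3 or later, where setcookie() and session_set_cookie_params() accept an options array.

```php
<?php
// Added example (not from the bug report or from PHP's own session code).
// Re-send the session cookie on every request so its expiry tracks the last
// activity, which is the behaviour the report asks for.
declare(strict_types=1);

// Assumption for the example: 30 minutes of inactivity before both the
// browser drops the cookie and the server garbage-collects the data.
// Keeping the two values equal avoids the mismatch described in the report.
const IDLE_LIFETIME = 1800;

ini_set('session.gc_maxlifetime', (string) IDLE_LIFETIME);
session_set_cookie_params([
    'lifetime' => IDLE_LIFETIME,
    'path'     => '/',
    'secure'   => true,   // only sent over HTTPS
    'httponly' => true,   // not readable from JavaScript
    'samesite' => 'Lax',
]);

session_start();

/**
 * Re-issue the session cookie with a fresh expiry.
 *
 * As yohgaki notes above, PHP only sends the cookie when a new id is
 * generated (PS(send_cookie) stays 0 once the request already carried a
 * session cookie), so the cookie is set again here from the parameters
 * session_start() was configured with.
 */
function refresh_session_cookie(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE || headers_sent()) {
        return;
    }
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => $p['lifetime'] > 0 ? time() + $p['lifetime'] : 0,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
}

// Track last activity server-side as well: session GC runs probabilistically,
// so session data can outlive gc_maxlifetime, and a cookie that is still
// present must not revive a session that has been idle for too long.
$now = time();
if (isset($_SESSION['last_activity'])
    && $now - $_SESSION['last_activity'] > IDLE_LIFETIME) {
    $_SESSION = [];               // drop the stale data
    session_regenerate_id(true);  // new id, old data deleted, cookie re-sent
}
$_SESSION['last_activity'] = $now;

refresh_session_cookie();

echo 'Session ' . session_id() . ' is valid until '
    . date('c', $now + IDLE_LIFETIME) . "\n";
```

Compared with calling session_regenerate_id() on every request, this leaves the id stable, so concurrent requests (such as the keepalive poll mentioned above) do not race against an id change. Note that cmb's objection later in this thread still applies: a persistent session cookie means the login survives a browser restart on a shared machine, so IDLE_LIFETIME should stay short and the application should still offer an explicit logout that destroys the session.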
 [2021-09-10 15:50 UTC] cmb@php.net
> For example, the user logs in into the web site and closes the
> browser. After the user reopens the browser again soon enough, the
> user will be still logged into the website.

And if another user opens the browser again, they are logged in
as well.  In my opinion, this is never desirable.  I'd rather
deprecate session.cookie_lifetime.