php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77251 Automatically extend PHP session cookie on each request
Submitted: 2018-12-06 13:26 UTC Modified: 2021-09-10 15:50 UTC
Votes:8
Avg. Score:3.5 ± 0.5
Reproduced:6 of 6 (100.0%)
Same Version:2 (33.3%)
Same OS:2 (33.3%)
From: mumu at seznam dot cz Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: 7.2.12 OS: N/A
Private report: No CVE-ID: None
 [2018-12-06 13:26 UTC] mumu at seznam dot cz
Description:
------------
The built-in PHP session logic sents a cookie containing a session id when the session_start() call generates a new session id. The cookie's expiration date is set based on the cookie_lifetime setting.

However, the cookie is not resent on subsequent requests so its expiration date is never updated which causes that the cookie might expire before the session expiration.

The PHP sessions have two distinct timeouts:
- cookie expiration - when the browser forgets the cookie containing the session id
- session expiration - when the server forgets the session data

Example:
- The PHP session and cookie life is set to 5 time points
- A user interacts with the site at time points 1, 2 and 4. After each interaction, the expirations are as follows:
timepoint / PHP session expiration / cookie expiration
1 / 6 / 6
2 / 7 / 6
4 / 9 / 6
- If the sure then interacts with the site at time point 7, the cookie is already expired so it will not be sent to the server. As such, the request will behave like the PHP session has expired even the PHP session is technically valid.

To make the PHP sessions useful for this scenario, I suggest that the PHP will send the session cookie on each request so the cookie's expiration time is properly kept up to date.

Expected result:
----------------
The cookie expiration date is kept up to date so it is always cookie_lifetime after the respective session was last accessed.

Actual result:
--------------
The cookie expiration date is frozen on to be a cookie_lifetime after the respective session was created.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-06 15:01 UTC] spam2 at rhsoft dot net
session cookies have no cookie expiration - the definition of a session cookie is that it it has a TLL of 0 which makes it to a session cookie meaning it's gone when you close the browser
 [2018-12-06 15:07 UTC] mumu at seznam dot cz
That's a definition for a 'session cookie' from a browser point of view, not from a PHP point of view.

I would like the PHP session to be kept alive even when the browser is closed and than reopened.

For example, the user logs in into the web site and closes the browser. After the user reopens the browser again soon enough, the user will be still logged into the website.
 [2018-12-06 15:10 UTC] spam2 at rhsoft dot net
then code it yourself with your own cookie as everybody out here does in combination with "remember login" checkboxes  leading to trigger a re-login but don't try to absue SESSION COOKIES for what they are not
 [2018-12-08 07:13 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Type: Feature/Change Request +Type: Bug -Assigned To: +Assigned To: yohgaki
 [2018-12-08 07:13 UTC] yohgaki@php.net
Although session.c calls php_session_reset_id() within php_session_initialize(), it does not send session cookie header because PS(send_cookie) flag is 0 when session cookie is present.
 [2020-06-16 11:01 UTC] php dot net at itsacon dot net
As of June 2020, this bug still exists.

It basically means that if, for security reasons, you limit the lifetime of the session cookie, you automatically limit the lifetime of your sessions as well, regardless of user activity.

We have a script that sends keepalives every 10 seconds, and it still gets kicked out after the session cookie expires.

The only workaround I've found is calling session_regenerate_id() on every call, but that has its own set of side-effects.

It would be nice if responses would automatically send an updated cookie along, so any server call would reset the lifetime. If that's not possible, a session_refresh_cookie() function might be an acceptable solution.
 [2021-09-10 15:50 UTC] cmb@php.net
> For example, the user logs in into the web site and closes the
> browser. After the user reopens the browser again soon enough, the
> user will be still logged into the website.

And if another users opens the browser again, they are logged in
as well.  In my opinion, this is never desireable.  I'd rather
deprecate session.cookie_lifetime.
 [2024-04-12 01:21 UTC] muelltrennung at gmx dot net
> then code it yourself with your own cookie as everybody out here does in combination with "remember login" checkboxes  leading to trigger a re-login but don't try to absue SESSION COOKIES for what they are not
Why in the world should every one code that on there own if an almost complete solution is in place already. Furthermore if session cookies were not meant to be used by PHP after a user has closed his browser window, then there would not be session_set_cookie_params with a lifetime parameter.

> And if another users opens the browser again, they are logged in as well.  In my opinion, this is never desireable.  I'd rather deprecate session.cookie_lifetime.
And if the first user does not close his browser window, another user also has the option to login. Also please let that be the decision of the developers. I might have a screen lock policy in place for the intranet and do not want to relogin 10 times a day after closing my browser window. Furthermore most companies (mostly shops) want exactly that the user is not logged out after closing the window. You might not like it, but they don't care, if PHP does not support it, they find another way and then they probably make it worse using permanent storage or fail to make it in a secure way, so please implement that for security reasons and to save time for devs.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 13:01:29 2024 UTC