php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77251 Automatically extend PHP session cookie on each request
Submitted: 2018-12-06 13:26 UTC Modified: 2018-12-08 07:13 UTC
From: mumu at seznam dot cz Assigned: yohgaki (profile)
Status: Assigned Package: Session related
PHP Version: 7.2.12 OS: N/A
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: mumu at seznam dot cz
New email:
PHP Version: OS:

 

 [2018-12-06 13:26 UTC] mumu at seznam dot cz
Description:
------------
The built-in PHP session logic sents a cookie containing a session id when the session_start() call generates a new session id. The cookie's expiration date is set based on the cookie_lifetime setting.

However, the cookie is not resent on subsequent requests so its expiration date is never updated which causes that the cookie might expire before the session expiration.

The PHP sessions have two distinct timeouts:
- cookie expiration - when the browser forgets the cookie containing the session id
- session expiration - when the server forgets the session data

Example:
- The PHP session and cookie life is set to 5 time points
- A user interacts with the site at time points 1, 2 and 4. After each interaction, the expirations are as follows:
timepoint / PHP session expiration / cookie expiration
1 / 6 / 6
2 / 7 / 6
4 / 9 / 6
- If the sure then interacts with the site at time point 7, the cookie is already expired so it will not be sent to the server. As such, the request will behave like the PHP session has expired even the PHP session is technically valid.

To make the PHP sessions useful for this scenario, I suggest that the PHP will send the session cookie on each request so the cookie's expiration time is properly kept up to date.

Expected result:
----------------
The cookie expiration date is kept up to date so it is always cookie_lifetime after the respective session was last accessed.

Actual result:
--------------
The cookie expiration date is frozen on to be a cookie_lifetime after the respective session was created.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-06 15:01 UTC] spam2 at rhsoft dot net
session cookies have no cookie expiration - the definition of a session cookie is that it it has a TLL of 0 which makes it to a session cookie meaning it's gone when you close the browser
 [2018-12-06 15:07 UTC] mumu at seznam dot cz
That's a definition for a 'session cookie' from a browser point of view, not from a PHP point of view.

I would like the PHP session to be kept alive even when the browser is closed and than reopened.

For example, the user logs in into the web site and closes the browser. After the user reopens the browser again soon enough, the user will be still logged into the website.
 [2018-12-06 15:10 UTC] spam2 at rhsoft dot net
then code it yourself with your own cookie as everybody out here does in combination with "remember login" checkboxes  leading to trigger a re-login but don't try to absue SESSION COOKIES for what they are not
 [2018-12-08 07:13 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Type: Feature/Change Request +Type: Bug -Assigned To: +Assigned To: yohgaki
 [2018-12-08 07:13 UTC] yohgaki@php.net
Although session.c calls php_session_reset_id() within php_session_initialize(), it does not send session cookie header because PS(send_cookie) flag is 0 when session cookie is present.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Dec 11 22:01:26 2018 UTC