The built-in PHP session logic sends a cookie containing a session id when the session_start() call generates a new session id. The cookie's expiration date is set based on the cookie_lifetime setting.
However, the cookie is not resent on subsequent requests, so its expiration date is never updated, which can cause the cookie to expire before the session expires.
The PHP sessions have two distinct timeouts:
- cookie expiration - when the browser forgets the cookie containing the session id
- session expiration - when the server forgets the session data
- The PHP session and cookie life is set to 5 time points
- A user interacts with the site at time points 1, 2 and 4. After each interaction, the expirations are as follows:
timepoint / PHP session expiration / cookie expiration
1 / 6 / 6
2 / 7 / 6
4 / 9 / 6
- If the user then interacts with the site at time point 7, the cookie is already expired so it will not be sent to the server. As such, the request will behave as if the PHP session has expired even though the PHP session is technically valid.
To make the PHP sessions useful for this scenario, I suggest that PHP send the session cookie on each request so the cookie's expiration time is properly kept up to date.
The cookie expiration date is kept up to date so it is always cookie_lifetime after the respective session was last accessed.
The cookie expiration date is frozen at cookie_lifetime after the respective session was created.
session cookies have no cookie expiration - the definition of a session cookie is that it has a TTL of 0 which makes it a session cookie, meaning it's gone when you close the browser
That's a definition for a 'session cookie' from a browser point of view, not from a PHP point of view.
I would like the PHP session to be kept alive even when the browser is closed and then reopened.
For example, the user logs into the web site and closes the browser. After the user reopens the browser again soon enough, the user will still be logged into the website.
then code it yourself with your own cookie as everybody out here does in combination with "remember login" checkboxes leading to trigger a re-login but don't try to abuse SESSION COOKIES for what they are not
Although session.c calls php_session_reset_id() within php_session_initialize(), it does not send the session cookie header because the PS(send_cookie) flag is 0 when the session cookie is present.
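A userland workaround for the behaviour discussed in this report, as an added example that is not code from the report or from PHP itself: it re-sends the session cookie whenever the browser already holds one, so the cookie expiry slides with the session, and it enforces the idle timeout on the server. The constant `SESSION_LIFETIME`, the function names, the `last_activity` key and the cookie attribute values are assumptions; the array form of `setcookie()` needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

const SESSION_LIFETIME = 1800; // assumed sliding lifetime, in seconds

// True when the session has been idle for longer than $lifetime seconds.
function session_is_idle_expired(?int $lastActivity, int $now, int $lifetime): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $lifetime;
}

// Start the session and keep cookie expiry and server-side expiry in step.
function start_sliding_session(int $lifetime = SESSION_LIFETIME): void
{
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    ini_set('session.use_strict_mode', '1'); // reject ids the server did not issue
    session_set_cookie_params([
        'lifetime' => $lifetime,
        'path'     => '/',
        'secure'   => true,   // assumes the site is served over HTTPS
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (session_is_idle_expired($_SESSION['last_activity'] ?? null, $now, $lifetime)) {
        // Session GC is probabilistic, so enforce the idle timeout explicitly.
        $_SESSION = [];
        session_regenerate_id(true); // new id; PHP sends its cookie itself
    } elseif (isset($_COOKIE[session_name()])) {
        // The browser already had the cookie, so session_start() sent no
        // Set-Cookie header. Re-send it with a fresh expiry and the same
        // attributes, so Secure/HttpOnly/SameSite are not lost on refresh.
        $p = session_get_cookie_params();
        setcookie(session_name(), session_id(), [
            'expires'  => $now + $lifetime,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    $_SESSION['last_activity'] = $now;
}

start_sliding_session();
```

Call it before any output is sent, since both `session_start()` and `setcookie()` emit headers.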