|
|
|
|
Bookmark this on Delicious
Share on Facebook
 Slashdot It!
Digg  session_set_cookie_params
Set the session cookie parameters
(PHP 4, PHP 5)
Code Examples / Notes » session_set_cookie_paramsphp
[Editor's Note: Rasmus' Solution from the PHP-General list: Just use a session cookie (by not providing an expiry time) and add the server's expiry timestamp to the value of the cookie. Then when you get that cookie sent to you, check it against your server's time and make the decision on whether to accept the cookie or not based on that. That way you are immune from people not having their system clocks set right. -Rasmus --zak@php.net] A couple things I noticed when using this. I think it only works if you set the session_set_cookie_params() function BEFORE the session_start() function. Also, when you set the "lifetime" on the cookie, it takes the seconds offset from the SERVER. it sends the cookie encoded to timeout at the SERVER time. So if your server is +2 minutes ahead of the client, and you set the cookie to timeout after 30 seconds, the client actually has 2 minutes and 30 seconds before the cookie times out. I don't know if there's any way that this can be patched in future versions, and the only alternative I think is setting cookies in javascript, which is hardly the point when using all these specific session functions. shrockc
when setting the path that the cookie is valid for, always remember to have that trailing '/'. CORRECT: session_set_cookie_params (0, '/yourpath/'); INCORRECT: session_set_cookie_params (0, '/yourpath'); no comment on how long it took me to realize that this was the cause of my authentication/session problems... maxthedragon
This article states that one must define the lifetime of the cookie using session_set_cookie_params(), before calling session_start(). This is correct. However, suppose you would need to change the session cookie lifetime, during the session. You would have to delete the session in order to pass the correct lifetime. If however, the session contains important data, you might not want to delete the session. This seems to be a problem, since the session already exists. The following code: <?php setcookie(session_name(), $_COOKIE[session_name()], time()+10000, "/"); ?> allows you to change the cookie lifetime, during the session, and without the need to delete the session. Basically it grabs the existing cookie, and just updates the lifetime, leaving the data intact. <?php setcookie(session_name(), $_COOKIE[session_name()], 0, "/"); ?> Similarly, the above code allows you to turn the existing session, into one that is destroyed, when the browser screen closes. Please note that this is not a replacement of session_set_cookie_params! You must still call that function before the session start to set a lifetime for the cookie. If somewhere after the session_start(), you need to change the lifetime, use the code supplied above, and also make sure that the new lifetime gets included in the next calls of session_set_cookie_params(). This ensures that the cookie will work properly with the new lifetime, even after page browsing/refreshes. I have tested this, and it seems to work properly. gavin_spam
The first argument to session_set_cookie_params is the number of seconds in the future (based on the server's current time) that the session will expire. So if you want your sessions to last 100 days: $expireTime = 60*60*24*100; // 100 days session_set_cookie_params($expireTime); I was using time()+$expireTime, which is WRONG (a lot of the session_set_cookie_params() examples I found get this wrong, but probably don't care because they are just doing "infinite" sessions). dan
The below note is an excellent example of how to 'reset' the session expiration time upon a page refresh. However, take care to compensate for when the session expires and doesn't renew itself (a bug I believe). If the below example is run every time a script is executed, it will give an 'Undefined index <session name> error' after the session fails to renew. Precede it with and if isset() condition. <?php private function startSession($time = 3600, $ses = 'MYSES') { session_set_cookie_params($time); session_name($ses); session_start(); // Reset the expiration time upon page load if (isset($_COOKIE[$ses])) setcookie($ses, $_COOKIE[$ses], time() + $time, "/"); } ?> The above example states that a session will last an hour without a page refresh until it is scrapped. Upon a page refresh, the expiration time is reset back to one hour again. If you wish to give users the option of 'staying logged in forever', just feed startSession a value of '99999999', which should last about 3 years. jordi
Something that has taken me some time to debug: session_set_cookie_params() does not work when the domain param is just a one level domain, like it was a TLD. I have a site in an intranet and our internal domain is .local, so trying to set the cookie session to the .local domain does not work: session_set_cookie_params(0, '/', '.local'); // Does not work In all test I've done, setting the domain only works for SLDs and above: session_set_cookie_params(0 , '/', '.sld.local'); Does work This is nothing to do with PHP but the http protocol, witch does not permit setting cookies for TLDs for obvious security reasons. |
Change Language
session_cache_expire session_cache_limiter session_commit session_decode session_destroy session_encode session_get_cookie_params session_id session_is_registered session_module_name session_name session_regenerate_id session_register session_save_path session_set_cookie_params session_set_save_handler session_start session_unregister session_unset session_write_close |
