I m using login function in my site with session. This session of mine gets expired after few minutes irrespective of that user has logged out or not. Now what i want is that the session should only gets expired when a user logs out.If a user doesnt log out his account and then comes back after 2-3 days even then he should appear logged in.

i have found some examples where they have incresed the time for a session to expire but i want that it should only expire on the log out event by the user irrespective of the time he took to log out.

how can i do that??



is this the write way to do so ?

Accepted Answer

A solution that is often used, in this situation, is to :

  • have a not too long session duration : it will expire if the user is not active (that's just the way it works -- and that's better for your server if you have lots of users)
  • when user logs in, you set a cookie that contains what is needed for him to be recognized
  • if he comes back on the site (with the cookie, and without having an active session), you use the informations contained in that cookie to auto-log him in, re-creating the session at the same time.

This way :

  • you don't have thousands of sessions "active" with no good reason
  • you keep the standard way sessions work

And you have the advantage of "never being looged out", at least from the user's point of view.

Also note that with "normal" sessions, the cookie containing the session id will be deleted when the user closes his browser -- so, he will be disconnected, no matter how long the session's lifetime is.
With the solution I propose, you are the one who sets up how long the cookie should remain on the user's computer ;-)

It means, though, that when a user manually logs-out, you have to delete both his session and the cookie, of course -- so he's not immediatly re-auto-logged-in.

Of course, you have to be careful about what you set in the cookie : a cookie is not quite secure, so don't store a password in it, for instance ;-)

Actually, this way of doing things is how the "remember me" feature often works ; except, here, your users will not have to check a checkbox to activate "remember me" ;-)

If you don't have the time to develop that kind of stuff, a pretty quick and dirty way is to use some Ajax request on all your pages, that will just "ping" a PHP page on the server -- this will keep the session active (but it's not quite a good way of doing things : you'll still have LOTS of sessions on the server, you'll have lots of useless request... and it will only work as long as the user doesn't close his browser).

Written by Pascal MARTIN
This page was build to provide you fast access to the question and the direct accepted answer.
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki