Storing session information in permanent cookie

#11
(06-23-2017, 05:19 AM)CINewb Wrote: No, the session would remain until the session expires, not indefinitely just because the browser is left open.  You could set session expiry time to 20 minutes too if you wanted to.  I am talking about the "session" in PHP rather than the cookie itself.

Server-side session invalidation is a broader topic ... it can expire on the 20th minute (if you're lucky or have a really paranoid setup), it can expire after hours (even if you set the gc_lifetime to 20 mins), or it can expire never under certain circumstances.

Let's not hijack the thread.
Reply

#12
The CI session does or doesn't have an expire time. It depends on the value you supply.

PHP Code:
// It will expire after 2 hours of inactivity
$config['sess_expiration'] = 7200;
// It will expire when you close the browser
$config['sess_expiration'] = 0;
Reply

#13
(06-23-2017, 05:32 AM)CINewb Wrote: So the CI session does not have an expiry time, like a regular PHP session would via session.gc_maxlifetime ?

It does, but how and when GC is triggered depends on server configuration.

(06-23-2017, 05:42 AM)Martin7483 Wrote: The CI session does or doesn't have an expire time. It depends on the value you supply

PHP Code:
// It will expire after 2 hours of inactivity
$config['sess_expiration'] = 7200;
// It will expire when you close the browser
$config['sess_expiration'] = 0; 

sess_expiration plays a role, of course, but it's not as simple as that.

---

Again, this thread is about some auditor saying that cookies with expiry time are a vulnerability (false) ... If you want to argue about how expiry times work, please open a new thread.
Reply
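
Added example (not part of any post in this thread): posts #11 and #13 point out that when session data is actually garbage-collected depends on server configuration, so the data can outlive its configured lifetime. One way to get a hard idle timeout is to check a timestamp kept in the session itself. The function names, the `last_activity` key and the `IDLE_LIMIT` constant are assumptions for illustration, and the code uses plain PHP sessions rather than the CI session library.

```php
<?php
// Added example: enforce the idle timeout in application code instead of
// waiting for session garbage collection to delete the session data.
// IDLE_LIMIT, 'last_activity', session_is_fresh() and gc_chance() are
// assumed names, not part of PHP or CodeIgniter.

const IDLE_LIMIT = 1200; // 20 minutes, the figure used in the thread

/**
 * Returns true if the session may still be used and records the activity.
 * Returns false if the last recorded activity is older than $limit seconds.
 */
function session_is_fresh(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) > $limit) {
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// How often PHP itself starts GC: probability/divisor per session start.
// Some distributions set gc_probability to 0 and clean up from cron instead.
function gc_chance(): string
{
    return ini_get('session.gc_probability') . '/' . ini_get('session.gc_divisor');
}

if (PHP_SAPI !== 'cli') {
    session_start();
    if (!session_is_fresh($_SESSION, time())) {
        // Stale session: discard the data and the old ID immediately,
        // whether or not GC has removed the stored session yet.
        $_SESSION = [];
        session_regenerate_id(true);
        $_SESSION['last_activity'] = time();
    }
} else {
    // Constructed sample data for a command-line run.
    $s = ['last_activity' => 1000, 'user_id' => 42];
    var_dump(session_is_fresh($s, 1600)); // 600 s idle, within the limit
    var_dump(session_is_fresh($s, 2801)); // 1201 s idle, past the limit
    echo 'GC chance per session start: ', gc_chance(), PHP_EOL;
}
```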

