CodeIgniter Forums
Storing session information in permanent cookie - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Using CodeIgniter (https://forum.codeigniter.com/forum-5.html)
+--- Forum: General Help (https://forum.codeigniter.com/forum-24.html)
+--- Thread: Storing session information in permanent cookie (/thread-68316.html)

Pages: 1 2


RE: Storing session information in permanent cookie - Narf - 06-23-2017

(06-23-2017, 05:19 AM)CINewb Wrote: No, the session would remain until the session expires, not indefinitely just because the browser is left open.  You could set session expiry time to 20 minutes too if you wanted to.  I am talking about the "session" in PHP rather than the cookie itself.

Server-side session invalidation is a broader topic ... it can expire on the 20th minute (if you're lucky or have a really paranoid setup), it can expire after hours (even if you set the gc_lifetime to 20 mins), or it can expire never under certain circumstances.

Let's not hijack the thread.


RE: Storing session information in permanent cookie - Martin7483 - 06-23-2017

The CI session does or doesn't have en expire time. It depends on the value you supply

PHP Code:
// It will expire after 2 hours of inactivity
$config['sess_expiration'] = 7200;
// It will expire when you close the browser
$config['sess_expiration'] = 0



RE: Storing session information in permanent cookie - Narf - 06-23-2017

(06-23-2017, 05:32 AM)CINewb Wrote: So the CI session does not have an expiry time, like a regular PHP session would via session.gc_maxlifetime ?

It does, but how and when GC is triggered depends on server configuration.

(06-23-2017, 05:42 AM)Martin7483 Wrote: The CI session does or doesn't have en expire time. It depends on the value you supply

PHP Code:
`
// It will expire after 2 hours of inactivity
$config['sess_expiration'] = 7200;
// It will expire when you close the browser
$config['sess_expiration'] = 0; 

sess_expiration plays a role, of course, but it's not as simple as that.

---

Again, this thread is about some auditor saying that cookies with expiry time are a vulnerability (false) ... If you want to argue about how expiry times work, please open a new thread.