Posted by Gordon Burditt on 12/09/05 17:13

>I'm developing a site where I'd like to store information during a users
>visit. So far I've been using sessions, but as far as I can tell it's
>not possible to control for how long a session is valid. It seems that
>these information are valid until the browser closes.

You can put a time stamp *in* the session, and check for how old it
is in subsequent pages. You get to decide whether it's based on time
since the FIRST hit or time since the LAST hit (update timestamp on
every hit). If your objective is a timed-out login, if the time stamp
gets old, redirect them to the login page.

PHP's probabalistic session expiration isn't very good if you
want the session expired ON TIME, EVERY TIME. It's not too bad
if you just want expired sessions to go away eventually so they
don't clutter up your system with too many old files.

>On the other hand it's possible to set expiration time for cookies.

And it's entirely up to the browser to actually expire them.
How many users running browsers have their clock set to the wrong YEAR?
Also, users may be able to edit the expiration time of cookies.

>Does this mean that I have to abanbon $_SESSION altogether and switch to
>$_COOKIE for storing information? Or can/should they be coupled in some way?

I suggest storing your own expiration time into the session.

>In other words: are sessions and cookies conceptually an either-or or
>are they supposed to supplement each other?

Sessions are usually kept using a session cookie but PHP can fall
back to passing the session cookie in the URL (especially if trans_sid
is on). *If* cookies are enabled, you can also use cookies
independently.

Gordon L. Burditt

[Back to original message]