I'm trying to understand when a PHP session will time out and force the user to log back in again.
When the user first logs in to the site successfully, I'm setting a session global like this:
$_SESSION['AcmeAuthenticated'] = TRUE;
On every other page I check at the top of the page for this:
if (!isset($_SESSION['AcmeAuthenticated']) and $_SESSION['AcmeAuthenticated'] !== TRUE) {
    header('Location: index.php');
    die;
}
I've noticed during development that I can keep my browser open all day and it won't ask me to log in again. If I quit the browser then it will prompt me to log in again. I checked the PHP info and session.gc_maxlifetime is set to 900 - I took that to mean that the PHP session would end in 15 minutes?
I'm new to PHP so still trying to learn how sessions work and when the timeout comes into effect.
When you exit your browser, it will clear all SESSIONS. That is why you always have to relogin every time you exit your browser. However, yes, you can set how long you want the SESSION to last for. It shows you how here: How do I expire a PHP session after 30 minutes?
if statement should be:
if(!isset($_SESSION['AcmeAuthenticated']) && $_SESSION['AcmeAuthenticated'] !== true)
{
    header('Location: index.php');
    die;
}
You should need to use && instead of and. Feel free to use session_set_cookie_params() to manipulate the session cookie params, but it sounds like your cookie is a 'session' cookie; that would be why it disappears after browser close.
PHP sessions end when the browser window is closed [1].
Yeah, session.gc_maxlifetime is set in seconds, so 900 is 15 minutes. You probably want to bump that up to about 30,000 (about 8 hours).
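Added example, not part of any post in this thread: a page guard that joins the two tests with || and enforces the idle limit in code, because session.gc_maxlifetime only marks session data as eligible for garbage collection, which PHP runs probabilistically. The function names, the LastActivity key (assumed to be set to time() by the login page) and the 900-second limit are assumptions.

```php
<?php
// Added example; names and limits are assumptions, not code from the thread.
const IDLE_LIMIT = 900; // seconds; mirrors the session.gc_maxlifetime value in the question

/**
 * Decide whether a session array represents a logged-in, non-idle user.
 * Pure function so it can be exercised without a web server.
 */
function session_is_valid(array $session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    // Reject when the flag is missing OR is not exactly true. Joining the two
    // tests with and/&& lets a flag that is set to any other value through.
    if (!isset($session['AcmeAuthenticated']) || $session['AcmeAuthenticated'] !== true) {
        return false;
    }
    // Enforce the idle timeout ourselves: garbage collection is probabilistic,
    // so stale session data can outlive gc_maxlifetime while the cookie persists.
    if (!isset($session['LastActivity']) || $now - $session['LastActivity'] > $idleLimit) {
        return false;
    }
    return true;
}

/** Guard to call at the top of every protected page. */
function require_login(): void
{
    session_start();
    if (!session_is_valid($_SESSION, time())) {
        $_SESSION = [];      // drop the stale data
        session_destroy();   // remove the server-side session storage
        header('Location: index.php');
        exit;
    }
    $_SESSION['LastActivity'] = time(); // sliding window: refresh on each request
}

// Constructed sample data exercising three cases (runs from the CLI only).
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    var_dump(session_is_valid(['AcmeAuthenticated' => true, 'LastActivity' => $now - 60], $now));   // recent activity
    var_dump(session_is_valid(['AcmeAuthenticated' => true, 'LastActivity' => $now - 1000], $now)); // idle past the limit
    var_dump(session_is_valid(['AcmeAuthenticated' => false, 'LastActivity' => $now], $now));       // flag set but not true
}
```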