Increase session lifetime

08-01-2012, 12:06 PM
Hello. I'm using a web hosting service from 000 web host.

There is an .htaccess file in my public folder which I've amended to:

# Do not remove this line, otherwise mod_rewrite rules will stop working
RewriteBase /

php_value session.cookie_lifetime 86400
php_value session.gc_maxlifetime 86400

in an attempt to increase the lifetime of the session cookie to 24 hours.

It seems to be ignoring this setting and the session expires when closing the browser. How can I correct this please? Are there other settings that I need?


08-01-2012, 01:29 PM
Session is just that, session.

When you close the browser the session is over; you will need to use cookies instead.

08-01-2012, 01:32 PM
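$value = 'something from somewhere';

// Three alternative forms of the same call; use one of them
setcookie("TestCookie", $value); /* no expiry: removed when the browser closes */
setcookie("TestCookie", $value, time()+3600); /* expire in 1 hour */
setcookie("TestCookie", $value, time()+3600, "/~rasmus/", "example.com", 1); /* path, domain and secure flag set */

// Print an individual cookie
echo $_COOKIE["TestCookie"];
// $HTTP_COOKIE_VARS was removed in PHP 5.4; use $_COOKIE instead

// Another way to debug/test is to view all cookies
print_r($_COOKIE);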

08-01-2012, 01:53 PM
Thank you. I've obviously misunderstood, particularly as the session data appeared to persist when testing locally.

I'll need to store something in a cookie to keep the user logged-in, but I don't want to store their username or password directly. How do sites generally encode/hash these details?

08-01-2012, 02:26 PM
You would store the password in the database as a hash, e.g. md5 or sha1.

Something like:

// create new user
$username = mysql_real_escape_string($_POST['Username']);
$password = mysql_real_escape_string(md5($_POST['Password']));

// string values must be quoted inside the SQL statement
$query = mysql_query("INSERT INTO users (Username, Password) VALUES ('$username', '$password')");


// log in an existing user
$username = mysql_real_escape_string($_POST['Username']);
$password = mysql_real_escape_string(md5($_POST['Password']));

$query = mysql_query("SELECT * FROM users WHERE `Username` = '$username' AND `Password` = '$password'");
if (mysql_num_rows($query) == 1) {
    setcookie("online", "true", time()+3600);
}

08-01-2012, 02:30 PM
Generate a random string/hash and associate it with a user ID in your database, save that as your cookie. You don't want to save any identifiable information in the cookie whatsoever that can be spoofed.

You could also do things like store the browser and version used and invalidate the cookie/session if this changes if you want to add extra layers of security. It can't be relied on but it's an indicator that someone has stolen the cookie.

08-01-2012, 02:31 PM
I have a function for login if you're interested:

// Q() is a query helper that is not shown in the post
function ProcessLogin($Username, $Password) {
    if (($Username == "") || (!isset($Username))) {
        return "No username was supplied.";
    } else {
        $Username = strip_tags($Username);
    }
    if (($Password == "") || (!isset($Password))) {
        return "No password was supplied.";
    } else {
        $Password = md5(strip_tags($Password));
    }
    // Escape the username before placing it in the SQL string
    $results = Q("SELECT * FROM `user__users` WHERE `UserCode` = '" . mysql_real_escape_string($Username) . "'");

    // If that username doesn't exist
    if (mysql_num_rows($results) == 0) {
        return "Unknown User";
    } else {
        // Give them 3 chances. It says 2 below because we need to consider 0!
        // Otherwise see how many strikes are next to the username
        $row = mysql_fetch_array($results);
        if ($row['UserStrikes'] >= 2) {
            return "You have reached the maximum amount of failed login attempts. Please contact an administrator.";
        } else {
            // If there are less than 3 then see if the passwords match
            if ($Password != $row['UserPass']) {
                // Complete the query
                $results = Q("UPDATE `user__users` SET `UserStrikes` = '".($row['UserStrikes'] + 1)."' WHERE `user__users`.`UserID` = " . $row['UserID']);
                if ((2 - ($row['UserStrikes'])) != 1) {
                    return "Your Password is incorrect. Please try again. You have ". (2 - $row['UserStrikes']) ." attempts to login.";
                } else {
                    return "Your Password is incorrect. Please try again. You have ". (2 - $row['UserStrikes']) ." more attempt to login.";
                }
            } else {
                // If the strikes is more than 0 then reset them to 0
                if ($row['UserStrikes'] > 0) {
                    // Complete the query
                    $results = Q("UPDATE `user__users` SET `UserStrikes` = '0' WHERE `user__users`.`UserID` = " . $row['UserID']);
                }

                // Put the details in the session
                $results = Q("UPDATE `user__users` SET UserIP = '".$_SERVER['REMOTE_ADDR']."' WHERE `UserID` = " . $row['UserID']);
                $_SESSION['Username'] = $Username;
                $_SESSION['UserID'] = $row['UserID'];
                $_SESSION['name'] = $row['UserName'];
                $_SESSION['access_level'] = $row['UserLevel'];
                $_SESSION['logged_in'] = true;

                return "Logged in";
            }
        }
    }
}

then have your login form point to something like:

$LoginResult = ProcessLogin($_POST['Username'], $_POST['Password']);
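
For comparison with the md5-based storage in the two login snippets above (the create-user/login queries and ProcessLogin), an added example that is not from the thread: password storage with PHP's password_hash()/password_verify() and prepared statements, including an upgrade path for rows that still hold a bare md5 digest. It assumes PHP 7.4+ with PDO SQLite; the table, columns and function names are hypothetical.

```php
<?php
// Added example. Table, column and function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY,
           username TEXT UNIQUE, password TEXT)');

function register(PDO $db, string $username, string $password): void {
    // password_hash() salts each password and uses a deliberately slow algorithm
    $stmt = $db->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Return the user ID on success, null on failure.
function login(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    $stored = $row['password'];
    // Legacy rows hold a bare 32-character md5 hex digest
    $legacy = (bool) preg_match('/^[0-9a-f]{32}$/', $stored);
    $ok = $legacy
        ? hash_equals($stored, md5($password))
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    // Replace legacy or outdated hashes while the plaintext is available
    if ($legacy || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed sample data: one new-style account and one legacy md5 row
register($db, 'alice', 'correct horse');
$db->prepare('INSERT INTO users (username, password) VALUES (?, ?)')
   ->execute(['bob', md5('hunter2')]);

var_dump(login($db, 'alice', 'correct horse')); // password_verify() path
var_dump(login($db, 'bob', 'hunter2'));         // legacy path, row is rehashed
var_dump(login($db, 'bob', 'wrong'));           // rejected
$hash = $db->query("SELECT password FROM users WHERE username = 'bob'")->fetchColumn();
var_dump(password_get_info($hash)['algoName']); // algorithm of bob's stored hash now
```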

08-01-2012, 03:33 PM
Thank you both. I have a bit of study to do.

08-02-2012, 02:13 AM
I'm almost there but need a little guidance with the following.

I think there is a conflict between the way my variable identifier is being stored and retrieved:

// storage
$identifier = md5($salt . md5($username . $salt));
setcookie('auth', "$identifier:$token", $timeout);
$q = "UPDATE users SET identifier='$identifier', token='$token', " .
"timeout=$timeout WHERE user_id=$uid LIMIT 1";

// retrieval
list($identifier, $token) = explode(':', $_COOKIE['auth']);
$clean['identifier'] = $identifier;
$mysql['identifier'] = mysqli_real_escape_string($dbc, $clean['identifier']);
$sql = "SELECT username, email, token, timeout FROM users WHERE " .
"identifier = '{$mysql['identifier']}'";

if ($clean['identifier'] != md5($salt . md5($record['username'] . $salt))) {
    // body of this branch is not included in the extract
}

[I've extracted just the relevant code for the moment.]

I believe I need to modify the second sql statement..? Andy.

08-02-2012, 02:19 AM
Scrub that - found it!