Changing the login expiry in PHP sessions on a per-login basis

Hey,

I'm looking to add a feature to my login system where you can choose to have your login persist over time rather than ending when the browser closes. (A 'Remember me' option, basically). I understand that session.cookie_lifetime in php.ini is where I can set the expiry time for the session cookie. However, this is hardcoded, so how would I go about having a different expiry for each user? Some would need an expiry of zero, others would need a time value.

I can set the expiry time with session_set_cookie_params(), but the PHP manual says that this has to be called before session_start(), and it only persists for that script. So, do I just change the expiry time with that method at login time? Or do I have to do it before every session_start() and use some kind of flag cookie to tell the script what to set the expiry to? I'm getting rather confused. :confused:

Well instead of using a session to keep them logged in, why not set a cookie when the remember me box is checked? Then test to see if the cookie is set, and if it is, extract the username and pw from the cookie and log them in automatically.
Hope this helps,

FuZion

That's an unsecure way to do it. Automatic login isn't too secure in general.

So what is the correct way to do it? Pretty much every site that has login has some kind of 'Remember me' thing. Surely it isn't that arcane to implement.

You usually set a cookie with a sid-like number but which is not any userdata or a session id.

So I have to put in my own session handling system to re-instate the PHP session on each fresh browser instance? That sucks. Is that really the best way?

In any case, what on earth is the point of session_set_cookie_params if it only applies to one script instance and has to be set each time? It's supposed to set the lifetime of the session cookie, right? That does nothing if it only persists for that script... :/