First of all, I know this is not possible. I am also not using any of the built-in session functions in PHP; I'm using setcookie() and a database to store session data.
Second, if I set $expire=0 in setcookie(), this will cause the browser to discard the cookie when it is closed. Visiting my site after the fact then means that no cookie will be sent to the server and thus you would not be logged in.
In order to make that work in the database, I have to set the expiration to some arbitrary time in the future. After all, the user could have their browser open for one hour or one day or one week. Let's say I go all out and set the session in the database to expire after one year for good measure. Now the session is good for at least that long, but is there any concern that someone might somehow steal the cookie from some computer and then just re-use it?
Or maybe it doesn't matter at all. After all, if someone can get to the cookie on your computer then you probably have other problems, right?
Just looking for some clarification on whether or not this is the correct and secure way to do things. Thanks!
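One way to bound how long a copied cookie stays usable with the setup described above (a cookie set with `$expire=0` plus a database session row), shown as an added example that is not code from the original post: the row stores only a hash of the token and is checked against a sliding idle timeout and an absolute lifetime on every request. The table layout, function names, cookie name `sid` and both timeout values are assumptions, and an in-memory SQLite database (requires `pdo_sqlite`) stands in for the real one.

```php
<?php
// Added example; all names and timeout values below are hypothetical.
const IDLE_TIMEOUT = 1800;        // assumed: 30 minutes without a request
const ABSOLUTE_LIFETIME = 43200;  // assumed: 12 hours since login

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY,
               user_id INTEGER, created_at INTEGER, last_seen INTEGER)');
    return $db;
}

function startSession(PDO $db, int $userId, int $now): string {
    $token = bin2hex(random_bytes(32));            // unguessable session id
    $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now, $now]);
    if (PHP_SAPI !== 'cli') {                      // no headers when run from the CLI
        // expires = 0: the browser drops the cookie when it closes
        setcookie('sid', $token, ['expires' => 0, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $token;
}

function validateSession(PDO $db, string $token, int $now): ?int {
    $hash = hash('sha256', $token);                // only the hash is stored
    $stmt = $db->prepare('SELECT user_id, created_at, last_seen
                          FROM sessions WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                               // unknown or already revoked
    }
    $idle = $now - (int) $row['last_seen'];
    $age  = $now - (int) $row['created_at'];
    if ($idle > IDLE_TIMEOUT || $age > ABSOLUTE_LIFETIME) {
        $db->prepare('DELETE FROM sessions WHERE token_hash = ?')->execute([$hash]);
        return null;                               // expired server-side
    }
    $db->prepare('UPDATE sessions SET last_seen = ? WHERE token_hash = ?')
       ->execute([$now, $hash]);                   // slide the idle window
    return (int) $row['user_id'];
}

// Constructed walk-through with fixed timestamps.
$db  = openStore();
$t0  = 1700000000;
$sid = startSession($db, 42, $t0);
var_dump(validateSession($db, $sid, $t0 + 600));        // request 10 minutes after login
var_dump(validateSession($db, $sid, $t0 + 600 + 1801)); // next request after more than IDLE_TIMEOUT
```

Deleting the row on logout revokes the session on the server no matter what copy of the cookie still exists.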