Hello! I had a problem: my session is closed after closing the browser. Why? If I close the tab with the page where the session is set, the session does not end, but if I close the browser and re-enter that page, my session will close.

index.php

<?php
session_start();
require_once 'includes/config.php';
?>
<!DOCTYPE html>
<html lang="ru">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="X-UA-Compatible" content="ie=edge">
    <title><?php echo $config['title']; ?></title>
    <link rel="stylesheet" href="css/style.css">
</head>
<body>
    <?php
    require_once 'includes/connection.php';
    require_once 'includes/header.php';
    ?>
    <section>
        <div class="container">
            <?php require_once 'includes/slider.php'; ?>
            <br />
            <br />
            <div class="slider__films">
                <input checked type="radio" name="respond" id="main">
                <article id="slider__films">
                    <input checked type="radio" name="respond__slide" id="film__switch1">
                    <input type="radio" name="respond__slide" id="film__switch2">
                    <input type="radio" name="respond__slide" id="film__switch3">
                    <input type="radio" name="respond__slide" id="film__switch4">
                    <input type="radio" name="respond__slide" id="film__switch5">
                    <div id="films__slides">
                        <div id="films__overflow">
                            <div class="films__image">
                                <article class="article">
                                    <div style="display: contents;">
                                        <?php
                                        $db = new DB();
                                        $db->requestPrepareFetchAll("SELECT film_name, film_small_img FROM new_film");
                                        ?>
                                        <?php foreach ($stmt as $row): ?>
                                            <a href="films/<?php echo $row['film_name']; ?>.php">
                                                <img src="<?php echo $row['film_small_img']; ?>" alt="" style="width: 100px;">
                                                <p><?php echo $row['film_name']; ?></p>
                                            </a>
                                        <?php endforeach; ?>
                                    </div>
                                </article>
                            </div>
                        </div>
                    </div>
                    <div id="films__controls">
                        <label for="film__switch1"></label>
                        <label for="film__switch2"></label>
                        <label for="film__switch3"></label>
                        <label for="film__switch4"></label>
                        <label for="film__switch5"></label>
                    </div>
                    <div id="films__active">
                        <label for="film__switch1"></label>
                        <label for="film__switch2"></label>
                        <label for="film__switch3"></label>
                        <label for="film__switch4"></label>
                        <label for="film__switch5"></label>
                    </div>
                </article>
            </div>
        </div>
    </section>
    <script src="js/functions.js"></script>
</body>
</html>

header.php

<?php require_once "config.php"; ?>
<header>
    <div class="headerflex">
        <a href="../index.php" class="logo"><?php echo $config['title']; ?></a>
        <div class="opencategory">
            <img src="../img/movie-clapper-open.svg" alt="" class="menuimg" onclick="openMenu()">
            <img src="../img/cancel-cross.svg" alt="" class="cancelcross" onclick="closeMenu()">
            <a href="#" class="category">Категории кино</a>
            <ul class="headercategory">
                <li><a href="#">Фильмы</a></li>
                <li><a href="#">Сериалы</a></li>
                <li><a href="#">Аниме</a></li>
                <li><a href="#">Комедии</a></li>
                <li><a href="#">Боёвики</a></li>
            </ul>
        </div>
        <a href="#"><img src="../img/search.svg" class="searchimg" onclick="openSearchInput()"></a>
        <input type="search" class="search" placeholder="Поиск по сайту">
        <?php if (isset($_SESSION['user'])): ?>
            <a href="../includes/admin.php"><img src="../img/avatar.svg" class="avatar"></a>
        <?php else: ?>
            <a href="../includes/signin.php" class="acclink">Войти</a>
            <a href="../includes/signup.php" class="acclink">Зарегистрироваться</a>
        <?php endif; ?>
        <a href="#"><img src="../img/telegram.svg" alt="" class="telegram"></a>
    </div>
</header>

This is how the code looks during authorization: [image]

This is how the code looks during authorization, but after restarting the browser: [image]

In php.ini

session.cookie_lifetime = 2678400
session.gc_maxlifetime = 2678400

What to do?

  • In my opinion this is the standard behavior. If you want to store information longer, save it in cookies - ArchDemon
  • Cookies are not safe - meln1337
  • We have to sacrifice something - ArchDemon
  • One option is to look at how authorization is done in popular frameworks (laravel, yii, etc.). - Alexxosipov
  • Judging by the documentation, setting these options in php.ini should make the session time-dependent, but not based on the closure of the browser. It feels like your script's settings are not taken from the php.ini that you are editing. Check in the browser the lifetime of the session cookie (in chrome: developer mode -> application -> cookies) - Mike

2 answers

If anything, sessions also work through cookies; making cookies safe is nothing complicated.

For example, the user has logged in: you write his data to the session and generate a key, then write this key to the database together with the data that we have in the session (usually these are some anchors, such as the user's ID and so on, so that it can be loaded later). The cookie stores this (generated) key.

The user closed the browser, went to the site: the session got lost, but there is a cookie with a key. With this key you make a request to the database to receive data with verification. If the IP, the agent and other parameters are the same, then the key is considered valid and you write the working data back to the session (this approach allows us not to make requests to the database every time).

If the check fails, remove the cookie from the agent and from the database (for security) ...
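The scheme from the answer above, written out as an added example (not code from the original answer or from the asker's project). The `remember_tokens` table, the `remember` cookie name and storing the user ID in `$_SESSION['user']` are assumptions; hashing the key before storing it, comparing only the user agent, and rotating the key on each use are choices of this example.

```php
<?php
// Added example. Assumed table: remember_tokens(user_id, token_hash,
// user_agent NOT NULL, expires_at). Cookie name "remember" is hypothetical.
const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 2678400; // seconds, the same value as in the question's php.ini

function cookieOptions(int $expires): array
{
    // 'secure' assumes the site is served over HTTPS.
    return ['expires' => $expires, 'path' => '/', 'secure' => true,
            'httponly' => true, 'samesite' => 'Lax'];
}

// Call right after a successful password login.
function issueRememberToken(PDO $db, int $userId): void
{
    $token = bin2hex(random_bytes(32));               // the key itself goes only to the browser
    $stmt  = $db->prepare('INSERT INTO remember_tokens
        (user_id, token_hash, user_agent, expires_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, hash('sha256', $token),  // the database keeps only a hash
        $_SERVER['HTTP_USER_AGENT'] ?? '', time() + REMEMBER_TTL]);
    setcookie(REMEMBER_COOKIE, $token, cookieOptions(time() + REMEMBER_TTL));
}

// Call after session_start() on every page; returns the user ID or null.
function restoreSession(PDO $db): ?int
{
    if (isset($_SESSION['user'])) {
        return (int) $_SESSION['user'];               // session still alive: no database query
    }
    $token = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if ($token === '') {
        return null;
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, user_agent, expires_at
        FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row   = $stmt->fetch(PDO::FETCH_ASSOC);
    $valid = $row && (int) $row['expires_at'] > time()
        && hash_equals((string) $row['user_agent'], $_SERVER['HTTP_USER_AGENT'] ?? '');
    // Each key is single-use: delete it whether or not the check passed.
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]);
    if (!$valid) {
        setcookie(REMEMBER_COOKIE, '', cookieOptions(time() - 3600)); // remove the cookie
        return null;
    }
    session_regenerate_id(true);                      // new session ID for the restored login
    $_SESSION['user'] = (int) $row['user_id'];
    issueRememberToken($db, (int) $row['user_id']);   // rotate: new key, new cookie
    return (int) $row['user_id'];
}
```

Because `setcookie()` sends a header, `restoreSession()` has to run before any HTML is output, for example directly after `session_start()` in index.php.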

Sessions cease to exist after the browser is closed, therefore the information is stored in cookies. You can write the login to the cookie on successful authorization and use it. If you are concerned about security, then in this case you need to do a few checks. In case you only want to use sessions, then session_cache_limiter, session_cache_expire (and session.gc_maxlifetime in .htaccess) will help you.