At 10:27 PM 1/31/2002 -0400, Miles Thompson wrote:
>>when a user logs in to my site, i load a bunch of stuff about them from a
>>database and put it in session variables. right now i have the session
>>expiration time set to a pretty large value.
>>
>>they can come back later in the day and still have all their information
>>remembered, or they can hit the logout button to have their session destroyed.
>
>Jon,
>
>This I don't understand: "right now i have the session expiration time set
>to a pretty large value.".
>
>I have believed, according to the docs, that when the user closed the
>browser the session was GONE. Or do you mean that the session is kept
>alive beyond the default period, so that they can leave the page open and
>come back a couple of hours later and they are still logged in, so to speak.

check the docs again. the php ini variable session.cookie_lifetime controls whether the session cookie goes poof when the browser closes (as you are assuming) or whether it sticks around. i set mine to a big value, so it lives. the end result for the user is they come back to the site and all their info is remembered.

the problem is, what if the user WANTS their info forgotten when they close the browser? personally i use my machine from home exclusively so i want the info to persist, but someone who shares a machine, or logs in from an internet cafe, wouldn't want their info to stick around.

a lot of sites have these "remember my login" checkboxes which control whether your info persists. i would really like to give my users a choice. it seems like the ideal way to control that would be to just dynamically set the session.cookie_lifetime value, which is all i have been trying to figure out.

i just discovered the session_set_cookie_params function. must investigate....

>You're right about the idea of a cookie. I would guess a one-way
>encryption or hash of some combination of time, barometric pressure & info
>stored in the database which gets refreshed on each login, set to expire
>within a time that will work OK for most users. If they don't come back
>within that period they will have to log in again.

the problem there is i have to check on every page of the site whether they have the cookie but their session is uninitialized, and if they have the cookie, set up the session (which is a pretty complicated thing).

-jsd-

--
PHP General Mailing List (http://www.php.net/)
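
Added example, not part of the original message or the poster's code: one way to let a "remember my login" checkbox choose the session cookie lifetime with session_set_cookie_params. It assumes PHP 7.3 or later (array form of the call), an HTTPS site, and that no session has been started earlier in the request; the 30-day value and the names startLoginSession, sessionCookieParams and checkCredentials are hypothetical.

```php
<?php
declare(strict_types=1);

const REMEMBER_LIFETIME = 30 * 24 * 3600; // assumption: 30 days for "remember me"

/**
 * Parameters for the session cookie.
 * A lifetime of 0 makes it a browser-session cookie, dropped when the browser closes.
 */
function sessionCookieParams(bool $remember): array
{
    return [
        'lifetime' => $remember ? REMEMBER_LIFETIME : 0,
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ];
}

/**
 * Call after the credential check has succeeded and before any output.
 * session_set_cookie_params() only takes effect if no session is active yet.
 */
function startLoginSession(int $userId, bool $remember): void
{
    // The server-side session data must outlive the longest cookie, otherwise
    // garbage collection deletes it first. Setting this in php.ini is more
    // reliable, because every request that triggers collection uses its own value.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_LIFETIME);

    session_set_cookie_params(sessionCookieParams($remember));
    session_start();

    // A new id on login blocks session fixation, and it makes PHP send a fresh
    // Set-Cookie header that carries the lifetime chosen above.
    session_regenerate_id(true);

    $_SESSION['user_id']  = $userId;
    $_SESSION['remember'] = $remember;
}

// Hypothetical login handler; checkCredentials() stands for the site's own check.
// if (($id = checkCredentials($_POST['user'], $_POST['pass'])) !== null) {
//     startLoginSession($id, isset($_POST['remember']));
// }
```

PHP sends the session cookie only when an id is created or regenerated, so the expiry is fixed at login time and is not extended by later page views.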