I’m setting up a website, and I’d rather not put cookies on people’s computers. Is it bad practice, or worse, insanely insecure to extend the session's max timeout to a day or two days?
<?php
session_start();                    // a session must be active before its id can be regenerated
// $userdata is assumed to hold the row returned by the login lookup
session_regenerate_id();            // issue a fresh session id on login
$profileid = $userdata['userid'];
$profile = $userdata['username'];
//Set session
$_SESSION['profileid'] = $profileid;
//Put name in session
$_SESSION['profile'] = $profile;
$_SESSION['loggedin'] = true;
Edit: Added code.
Edit: the php.ini line that I would modify is:
session.gc_maxlifetime = 1440
session.gc_maxlifetime
This value (default 1440 seconds, or 24 minutes) defines how long an unused PHP session will be kept alive.
For example: a user logs in, browses through your application or web site, for hours, for days. No problem. As long as the time between his clicks never exceeds 1440 seconds. It’s a timeout value.
PHP’s session garbage collector runs with a probability defined by session.gc_probability divided by session.gc_divisor. By default this is 1/100, which means that the above timeout value is checked with a probability of 1 in 100.
So increasing this value will most likely not have much effect on your script unless you expect your users not to click around your site, like in the case of a logged-in user watching a long video and then finding themselves logged out afterwards. If this is the case, perhaps you should use some JavaScript to poll the server every 20 minutes to keep the session open.
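Because garbage collection only runs probabilistically, a session can outlive gc_maxlifetime until GC happens to fire, so the idle limit should also be enforced explicitly per request. The following is an added example, not code from the question or answer; the IDLE_TIMEOUT constant and the enforceIdleTimeout() helper are assumptions, and the 2-day value is the one the asker proposed.

```php
<?php
// Added example: raise the GC lifetime to the desired idle window and then
// enforce that window ourselves, so the limit holds whether or not GC ran.
const IDLE_TIMEOUT = 2 * 24 * 60 * 60;   // 2 days, in seconds (assumed value)

// Must be set before session_start(). Note: when several scripts share the
// same session.save_path, the script with the lowest gc_maxlifetime wins.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
ini_set('session.use_strict_mode', '1'); // reject session ids the server never issued

// Keep a browser-session cookie (lifetime 0): the server-side idle check below
// governs how long the session stays valid, not the cookie expiry.
session_set_cookie_params([
    'lifetime' => 0,
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);

session_start();

/**
 * Invalidate the session if more than $limit seconds passed since the last
 * request; otherwise record this request as the latest activity.
 * Returns true when the session is still valid.
 */
function enforceIdleTimeout(int $now, int $limit): bool
{
    if (isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > $limit) {
        $_SESSION = [];          // drop all session data
        session_destroy();       // remove the server-side session record
        return false;
    }
    $_SESSION['last_activity'] = $now;
    return true;
}

if (!enforceIdleTimeout(time(), IDLE_TIMEOUT)) {
    // Session expired: treat the visitor as logged out.
    header('Location: /login', true, 302);
    exit;
}
```

The last_activity check costs one integer comparison per request and makes the timeout deterministic, which a long gc_maxlifetime alone does not.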