On Saturday, February 16, 2002, at 07:43  AM, Nigel Gilbert wrote:

> By default, a session (created with session_register) seems to last 
> just as long as the user has their browser open.  If a user quits the 
> browser, the session is automatically destroyed.
> I want a session to last indefinitely (or until my program destroys 
> it).  There are some hints about how this could be done with cookies in 
> the documentation, but not a clear recipe.  What sequence of PHP 
> statements should I use to achieve this?

I don't have the answer you're looking for (maybe it's a php.ini 
setting), but I suspect that it might be a dangerous idea.  The longer a 
session ID is hanging about, the easier it is for a cracker to hijack it 
and use it for evil intent.

Remember, every time a page is requested within any given session, 
either a cookie variable or a GET variable is being sent along with the 
HTTP headers.  Keeping a session going for more time than needed means 
that the variable representing the session ID is leaving footprints all 
over the place.

Erik <-- who has become overcautious lately upon learning how HTTP works


Erik Price
Web Developer Temp
Media Lab, H.H. Brown

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to