Question

How do I create a login system that stays logged in (as long as the user doesn't click log out) even though the browser is closed?

When using $_SESSION, it is gone when the browser is closed. So we can use $_COOKIE, but it looks less secure than a session.

How do Yahoo, Facebook, Twitter or any site create their login system, so that when the user closes the browser, it stays logged in? Using IP? $_SESSION? $_COOKIE? Or what?

Thank you

Was this helpful?

Solution 5

As stated by Oswald, do not use $_SESSION, as this ends when the browser closes.

Session variables are stored as cookies, so creating your own is not less secure.

When creating your own COOKIES, you should set the expiration to be a long time, like a year or so, to ensure that the cookie does not expire, and the user will stay logged in.

A vast majority of production sites use cookies for session keeping; just make sure that your session keys are random enough that they cannot be guessed by another client.

EDIT

See this link on how to use setcookie.

setcookie("session_key", "somerandomstringrepresentingasessionkey", time() + 60*60*24*120);

The following will set a session key for your website with the name session_key; this is how you will fetch the data at runtime:

$session = $_COOKIE['session_key'];

The next part is where your value will be stored; this will be the session key that you store in the database to be fetched and matched with the user, which is what the value of $session will now be.

The next part is the time until it expires; here I have put 60 * 60 * 24 * 120, meaning the current time, plus 60 seconds, times 60 minutes, times 24 hours, times 120 days. Meaning that 120 days from that exact moment in time, that specific cookie will expire, even if the browser is closed before that.
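The database-backed cookie scheme this answer describes, as an added PHP example that is not part of the original answer. It assumes PHP 7.3 or later (for the options-array form of setcookie) with pdo_sqlite available, and the login_tokens table is a constructed stand-in for the site's own user database.

```php
<?php
// Added example (not the answerer's code): a persistent login cookie whose random
// key is stored hashed in the database, as the answer describes. An in-memory
// SQLite table stands in for the site's database; table/column names are assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_tokens (token_hash TEXT PRIMARY KEY,
           user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
const COOKIE_NAME = 'session_key';
const LIFETIME    = 60 * 60 * 24 * 120;   // 120 days, as in the answer

// After the password check succeeds: mint a random key, keep only its hash
// server-side, and hand the raw key to the browser in a hardened cookie.
function issue_login_cookie(PDO $db, int $userId): string {
    $key = bin2hex(random_bytes(32));      // 256 bits from a CSPRNG: not guessable
    $st  = $db->prepare('INSERT INTO login_tokens VALUES (?, ?, ?)');
    $st->execute([hash('sha256', $key), $userId, time() + LIFETIME]);
    setcookie(COOKIE_NAME, $key, [
        'expires'  => time() + LIFETIME,
        'path'     => '/',
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    return $key;
}

// On a request with no live PHP session: map the cookie back to a user id,
// or null if the key is malformed, unknown or expired.
function user_from_cookie(PDO $db, ?string $key): ?int {
    if ($key === null || strlen($key) !== 64 || !ctype_xdigit($key)) return null;
    $st = $db->prepare('SELECT user_id, expires_at FROM login_tokens WHERE token_hash = ?');
    $st->execute([hash('sha256', $key)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['expires_at'] < time()) return null;
    return (int) $row['user_id'];
}

// Logout: delete the server-side record (kills the key even if the browser keeps it) and expire the cookie.
function revoke_login_cookie(PDO $db, string $key): void {
    $db->prepare('DELETE FROM login_tokens WHERE token_hash = ?')->execute([hash('sha256', $key)]);
    setcookie(COOKIE_NAME, '', ['expires' => time() - 3600, 'path' => '/']);
}

// Constructed walk-through: user 42 logs in, comes back, then logs out.
$key    = issue_login_cookie($db, 42);
$before = user_from_cookie($db, $key);
revoke_login_cookie($db, $key);
$after  = user_from_cookie($db, $key);
var_dump($before, $after);
```

Storing only the hash means a leaked database table does not hand out usable cookies, and deleting the row on logout invalidates the key server-side regardless of what the browser still holds.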

Other tips

You can set the lifetime of a session cookie. By default it's on browser close. You can do this in php.ini or look at http://php.net/manual/en/function.session-set-cookie-params.php

Encrypt the necessary information in a cookie when a user has logged in. When they visit your site decrypt the cookie to get your information.

Another security measure would be to use a database to validate the cookie. This would help with some security. I am not a security expert and there are other security measures you should probably still think about, but this should help you get started.

Make sure that you do not use a session cookie to identify sessions. For that, use session_set_cookie_params() to give the cookie a longer lifetime.

Make sure that sessions have a long timeout. This can be done by adjusting the value of the session.gc_maxlifetime configuration option.

It looks like StackOverflow and Youtube use Local Storage.

Unlike cookies, the local storage has no expiration date, but when the user logs on or does something that changes something on the server, you will need to manually send the data in the local storage to the server to verify (via XHR or some other way of communicating). When the user logs out, call window.localStorage.removeItem() with the key you save the login information under.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow