Do you know the difference between the PHP config directives session.gc_maxlifetime and session.cookie_lifetime? Have you wrestled with implementing a “Remember Me” button on your login page? Learn how popular sites, such as Twitter and Facebook, keep you logged in (apparently) forever and the security risks of such methods.
http://github.com/hellogerard/tek11
session.cookie_lifetime
Specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means "until the browser is closed." Defaults to 0.
session.gc_maxlifetime
Specifies the number of seconds after which data will be seen as "garbage" and potentially cleaned up. Garbage collection may occur during session start. Defaults to 1440 seconds.
Keep Me Logged In: initial login
1. initial login
2. create new auth token for user
3. store user's unique auth token in DB
4. store auth token in 'my_auth' cookie
Keep Me Logged In: return visit
1. read auth token from 'my_auth' cookie
2. look up auth token in DB
3. if valid token, log user in
4. store new session ID and auth token in cookies
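The two "Keep Me Logged In" flows above, as an added example that is not code from the tek11 slides or repository: the token is generated from a CSPRNG, only its hash is stored in the DB, and it is rotated on every use so a stolen cookie is valid once at most. It assumes a remember_tokens table (created here in an in-memory SQLite DB so the script runs from the CLI) and leaves setcookie()/session_regenerate_id() to the web request, as noted in the comments.

```php
<?php
// Added example (not from the original slides). Assumption: a table
// remember_tokens(token_hash, user_id, expires_at); cookie and session calls are the caller's job.
const COOKIE_NAME = 'my_auth';
const TOKEN_TTL   = 30 * 24 * 3600; // remember-me lifetime, independent of session.gc_maxlifetime

function db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE remember_tokens (token_hash TEXT PRIMARY KEY, user_id INTEGER, expires_at INTEGER)');
    return $db;
}

// Initial login: create a random token, store only its hash, hand the raw token back for the cookie.
function issue_token(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));                       // 256 bits of CSPRNG output
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, time() + TOKEN_TTL]);
    // In a web request: setcookie(COOKIE_NAME, $token, ['expires' => time() + TOKEN_TTL,
    //     'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $token;
}

// Return visit: look the token up by its hash, log the user in, then rotate it. The old token is
// deleted first so a replayed cookie fails; a fresh session ID avoids session fixation.
function login_from_cookie(PDO $db, ?string $cookie): ?array {
    if ($cookie === null || !ctype_xdigit($cookie)) {
        return null;                                           // malformed cookie value
    }
    $hash = hash('sha256', $cookie);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM remember_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;                                           // unknown token
    }
    $db->prepare('DELETE FROM remember_tokens WHERE token_hash = ?')->execute([$hash]); // single use
    if ((int) $row['expires_at'] < time()) {
        return null;                                           // expired: purged above, refused here
    }
    $newToken = issue_token($db, (int) $row['user_id']);      // rotate for the next visit
    // In a web request: session_regenerate_id(true); $_SESSION['user_id'] = $row['user_id'];
    return ['user_id' => (int) $row['user_id'], 'cookie' => $newToken];
}

// CLI demo: a valid cookie logs user 42 in once; replaying the same cookie is refused.
$db     = db();
$cookie = issue_token($db, 42);
$first  = login_from_cookie($db, $cookie);
$replay = login_from_cookie($db, $cookie);
printf("first=%s replay=%s\n", $first['user_id'] ?? 'null', $replay === null ? 'refused' : 'accepted');
```

Because the DB holds only the hash, a leaked table dump does not yield usable cookies, and because gc_maxlifetime only governs the PHP session file, the remember-me TTL must be enforced separately as shown.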