How to set php login to expire after 3 days

In modern society, with the rapid development of the Internet, more and more applications require users to log in before they can be used. One of the key issues is how to set the validity period of the login status. If the login status remains valid for a long time, the security risk will be greatly increased; if the login status expires too quickly, it will cause inconvenience to the user. This article will introduce how to set the validity period of the login status to 3 days through PHP to achieve a balance between security and convenience.

Let’s first look at why we need to limit the validity period of login status. Normally, after a user logs into a website or application, a session ID (Session ID) is generated on the server and stored in a cookie on the client. Every time a user sends a request, it will be accompanied by this Session ID. Through this ID, the server can ensure that the request comes from a logged-in user. If no expiration date is set, the login status will remain valid until the user actively logs out or the cookie is cleared. In this way, if someone obtains the user's Cookie through some means, they can use this Cookie to forge a session with the same identity as the user on the server, thereby bypassing the existing authentication mechanism.

In order to solve this problem, we need to limit the validity period of the login status through the program. In this article, we will use PHP's Session mechanism to achieve this goal. PHP's Session mechanism means that PHP will automatically create a Session object on the server and generate a unique Session ID to track the user's session status. Session data is stored on the server, and users need to provide the Session ID when accessing to obtain previously stored data. PHP automatically stores the Session ID in the client's cookie.

To set the validity period of the login status, we can modify the Session expiration time in PHP. By default, PHP's Session expiration time is 24 minutes, that is to say, if the user does not send any request within 24 minutes, the Session will be considered expired. In order to extend the Session expiration time to 3 days, we need to make changes in the PHP configuration file php.ini.

First, we need to find the php.ini file, which is usually located in the \php.ini or \php\php.ini path in the PHP installation directory. After finding the file, add the following code at the end of the file:

session.gc_maxlifetime = 259200
session.cookie_lifetime = 259200

The code means to set the expiration time of the Session to 259200 seconds, which is 3 days. At the same time, the cookie expiration time is also set to 3 days, which ensures that users can remain logged in even after closing the browser and reopening it. After the modification is completed, you need to restart the web server for the configuration to take effect.

In addition to setting the Session expiration time globally in php.ini, we can also set it for a certain Session in the program. The following is an example:

session_start();
$_SESSION['LAST_ACTIVE_TIME'] = time();
if (isset($_SESSION['LAST_ACTIVE_TIME']) && (time() - $_SESSION['LAST_ACTIVE_TIME'] > 259200)) {
    session_unset();
    session_destroy();
}

The above code means that every time the user requests, the current time is saved in a Session variable named LAST_ACTIVE_TIME. If the Session has not had any requests for more than 3 days, the Session will be deleted, so that the user's login status will be cleared.

Finally, let me remind you that although setting the validity period of the login status to 3 days can improve security, you should also be careful not to cause inconvenience to users because the time is too short. Therefore, we need to comprehensively consider user experience and security when writing programs, and adopt appropriate strategies.

The above is the detailed content of How to set php login to expire after 3 days. For more information, please follow other related articles on the PHP Chinese website!