15

I'm having trouble setting the cookie lifetime in my D8 instance. I'd like to set it to zero so that closing the browser logs-off the user.

I've added ini_set('session.cookie_lifetime', 0); to the site/default/settings.php file. There was no previous cookie_lifetime reference in the file. I added the line. I've also cleared the Drupal cache and cleared my Chrome cache. Sadly, it's not being respected. Sessions still persist after browser close.

I've searched the entire codebase for ini_set('session.cookie_lifetime', 200000); but it doesn't appear to exist in my site. I don't see where Drupal is setting the cookie lifetime. I've also tried adding the setting via a php.ini file in the root but that's being over-ruled by Drupal.

I feel like this is a simple thing, so I'd like to avoid plugins. Looking forward to hearing from everyone. Thanks in advance.

Improve this question
1
  • I you set the cookie lifetime to 0 in Drupal's settings, Drupal should set it as a session cookie, which used to mean that browsers would remove the cookie when the user closed their browser. That's not the case anymore as many browsers have a "continue" feature which restores all session cookies. Commented Mar 8, 2021 at 19:04

1 Answer 1

Reset to default
28

For the session cookie options D8 uses container parameters instead of settings. Create a services.yml file in the same folder as settings.php. The default values are in default.services.yml. You can copy this file to services.yml and modify it:

/sites/default/services.yml:

parameters: session.storage.options: # Default ini options for sessions. # # Some distributions of Linux (most notably Debian) ship their PHP # installations with garbage collection (gc) disabled. Since Drupal depends # on PHP's garbage collection for clearing sessions, ensure that garbage # collection occurs by using the most common settings. # @default 1 gc_probability: 1 # @default 100 gc_divisor: 100 # # Set session lifetime (in seconds), i.e. the time from the user's last # visit to the active session may be deleted by the session garbage # collector. When a session is deleted, authenticated users are logged out, # and the contents of the user's $_SESSION variable is discarded. # @default 200000 gc_maxlifetime: 200000 # # Set session cookie lifetime (in seconds), i.e. the time from the session # is created to the cookie expires, i.e. when the browser is expected to # discard the cookie. The value 0 means "until the browser is closed". # @default 2000000 cookie_lifetime: 2000000
Improve this answer
5
  • 4k4, thanks very much. This is the solution we finally landed on. Commented Sep 27, 2016 at 18:37
  • Hi, maybe you know any way to do it dynamically? Commented Apr 23, 2019 at 8:58
  • 2
    @АртемИльин, you can't, the cookie options are compiled statically into the container. You can however swap the service session_configuration and override __construct or getOptions of Drupal\Core\Session\SessionConfiguration. Commented Apr 23, 2019 at 9:58
  • Link to the follow up question drupal.stackexchange.com/questions/279292/… Commented Jun 13, 2019 at 16:50
  • How do I test and verify these changes? Commented Nov 25, 2022 at 7:00

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.