I am working on my site's "remember me" functionality and I am using session_set_cookie_params to keep a session alive even if the user decides to close his or her browser. The problem I have been running into is that the browser deletes the cookies even if I set them to be persistent; this only happens when I set the HttpOnly flag on the cookie to true.
Here's some pseudocode for what I have in place:
set cookie lifetime for php ini
set garbage collector max lifetime for php ini
determine if the user wants a persistent session or not
set the session cookie's time and make sure it's using HttpOnly
start the session
Here is what I currently understand about the function being used; let me know if I am wrong about anything:
- When using session_set_cookie_params, set the time to 0 if you want the session to be deleted when the browser is closed.
- Set the time to anything above zero and the session cookie will stay alive for that amount of time.
- Set HttpOnly to true if you don't want the cookie to be accessible via JavaScript.
In this case I definitely do not want the cookies to be accessible via JavaScript. Did I do anything wrong?
Also, let me know if I should add more information; this is my first time asking a question. Thank you.
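
The steps in the pseudocode above, written out as an added PHP example; it is not part of the original post and not the asker's code. The helper names, the 30-day lifetime, the `remember` form field, PHP 7.3+ and an HTTPS-only site are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Assumed for this example: a 30-day "remember me" window.
const REMEMBER_LIFETIME = 30 * 24 * 60 * 60;

// Hypothetical helper: builds the cookie attributes used everywhere below.
function session_cookie_options(int $lifetime): array
{
    return [
        'lifetime' => $lifetime,  // seconds from now; 0 = until the browser closes
        'path'     => '/',
        'secure'   => true,       // assumption: the site is served over HTTPS
        'httponly' => true,       // hides the cookie from document.cookie only
        'samesite' => 'Lax',
    ];
}

// Hypothetical helper: call once per request, before any output is sent.
function start_app_session(bool $remember): void
{
    // Keep server-side session data at least as long as the longest cookie,
    // otherwise garbage collection can remove it while the cookie is still valid.
    ini_set('session.gc_maxlifetime', (string) REMEMBER_LIFETIME);
    ini_set('session.use_strict_mode', '1');  // refuse IDs the server did not issue

    // Must run before session_start(); the array form needs PHP 7.3+.
    session_set_cookie_params(session_cookie_options($remember ? REMEMBER_LIFETIME : 0));
    session_start();

    // PHP sends Set-Cookie only when it issues a new ID, so a returning
    // visitor's expiry is never extended. Re-send it to get sliding expiry.
    if ($remember && isset($_COOKIE[session_name()]) && !headers_sent()) {
        $opts = session_cookie_options(REMEMBER_LIFETIME);
        $opts['expires'] = time() + $opts['lifetime'];  // setcookie() wants a timestamp
        unset($opts['lifetime']);
        setcookie(session_name(), session_id(), $opts);
    }
}

// Usage on the login request; 'remember' is a constructed form field name.
start_app_session(!empty($_POST['remember']));
// After verifying credentials, rotate the ID so a pre-login ID cannot be reused.
session_regenerate_id(true);
```

The `Set-Cookie` response header in the browser's developer tools shows whether the `Expires`/`Max-Age` attribute actually reached the client alongside `HttpOnly`.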