Sessions and Cookies
This is an open discussion with 23 replies, filed under General.
Search
-
-
- creativedutchmen
- 17 Aug 10, 7:10 am
- Comment #22
Regenerating session id’s is not really a must anyway.
The only reason to do it is to prevent people to “guess” session id’s. (or to obtain them using a xss hack). If this is the goal, you can’t refresh often enough.
However, there are far better methods of preventing those hacks, although most will ahve other drawbacks.
-
-
- wtdtan
- 17 Aug 10, 2:55 pm
- Comment #23
The cookie expiration date is never updated whether you log in or not. At least that is true on my installation (2.1.0)
@wisolman, so you’re saying that you login once, the cookie is created with a future date of 2 weeks. then you logout, then say a few days later, you log back in and the cookie still has the date set to expire from the previously logged in session?
-
-
- wisolman
- 18 Aug 10, 1:16 am
- Comment #24
@wtdtan - That has been my experience. You can check it out on your installation by looking at the PHPSESSID cookie on your computer. Note the expiration date, perform a logout/login process on your site and then recheck the cookie expiration date. I think you will find that it hasn’t changed.
Create an account or sign in to comment.
Perhaps. But we’re discussing non-essential cookie/session issues here.