setting session.cookie_lifetime to a non-zero value leads to
session invalidation in that time, even if the session is
active and the user is still working with it.

Your change affected the code path of standard session cookies which don't have an explicit expiry date. There is no point in sending session cookies (=expiring when browser is closed) on every request.

    The proper way to handle explicit session expiry dates is the
    following: Encode the timestamp of the expiry date as part of
    the cookie.  Check for a certain criterion upon each request.
    If that criterion is met, update the cookie on the client
    side.  Common criteria:

    - one hour/day/week to expiration
    - half the lifetime of the cookie has passed

    Using no criteria at all is not a suitable way to deal with
    users from my POV.

    - Sascha


-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
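
The refresh scheme described in the message above, sketched in PHP as an added example (not code from the thread or from PHP's session module). The cookie layout `sid.expiry.mac`, the function names, the key and the 3600-second lifetime are all assumptions; the HMAC is added here so a client cannot extend its own expiry.

```php
<?php
// Added illustration; names, key and lifetime are assumptions, not PHP internals.
const COOKIE_LIFETIME = 3600;               // seconds; stands in for session.cookie_lifetime
const COOKIE_KEY = 'constructed-demo-key';  // placeholder; load a real secret from configuration

// Build "sid.expiry.mac" so the expiry timestamp travels inside the cookie.
function make_cookie_value(string $sid, int $expiry): string
{
    $mac = hash_hmac('sha256', $sid . '.' . $expiry, COOKIE_KEY);
    return $sid . '.' . $expiry . '.' . $mac;
}

// Return [sid, expiry] for an authentic, unexpired cookie, otherwise null.
function parse_cookie_value(string $value, int $now): ?array
{
    $parts = explode('.', $value);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$sid, $expiry, $mac] = $parts;
    $expected = hash_hmac('sha256', $sid . '.' . $expiry, COOKIE_KEY);
    if (!hash_equals($expected, $mac) || (int)$expiry <= $now) {
        return null;
    }
    return [$sid, (int)$expiry];
}

// Criterion from the message: half the lifetime of the cookie has passed.
function needs_refresh(int $expiry, int $now): bool
{
    return ($expiry - $now) <= intdiv(COOKIE_LIFETIME, 2);
}

// Per-request step: the new value to send in Set-Cookie, or null to send nothing.
// A caller should run parse_cookie_value() first to reject invalid cookies outright.
function refreshed_cookie(string $value, int $now): ?string
{
    $parsed = parse_cookie_value($value, $now);
    if ($parsed === null || !needs_refresh($parsed[1], $now)) {
        return null;
    }
    return make_cookie_value($parsed[0], $now + COOKIE_LIFETIME);
}

// Constructed sample: cookie issued at t=1000, then requests at t=1600 and t=3000.
$cookie = make_cookie_value('abc123', 1000 + COOKIE_LIFETIME);
var_dump(refreshed_cookie($cookie, 1600) === null);  // early request: cookie left alone
var_dump(refreshed_cookie($cookie, 3000) !== null);  // past half the lifetime: re-issued
```

The server-side session record needs the same sliding deadline; the cookie expiry only controls when the browser stops sending the ID.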


