Question : PHP Sessions

I've read over PHP sessions for hours and the logic doesn't make sense to me.  It makes me just want to use the tried-and-true cookie solution but sessions seem a little more secure so I don't want to give up yet.

After a user logs in to my website, I simply want to record a PHP session that will persist for no more than 2 hours, or 30 minutes of inactivity on the website, whichever comes first.

Seems simple enough.  But I get confused with sessions because there are multiple variables that could be set.

For example, what's the difference between session_get_cookie_params() and session.cookie_lifetime?  And what about session.gc_maxlifetime which, I understand, keeps track of a session's life before it's automatically trashed? What if I set the cookie to expire in 2 hours but the session.gc_maxlifetime is equal to 1440 (24 minutes)?  Is my session even going to live long enough?

I've also read that it's best to just keep the default PHP session settings (i.e. session.gc_maxlifetime=1440) and just set my own 'timestamp' session value that I can use to compare when the user entered the website or last clicked on something.

Ugh, can someone help unravel this mystery with sessions and cookies?

And please don't refer me to the session guide on the PHP website because I've been all over it already.

Thank you!

Answer : PHP Sessions

Here's a "clunky" answer.  Look over my article here.
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

In practical terms, your session is going to live long enough for everything your client might want to do, unless what the client wants to do is login to the site, then abandon the computer and go to the opera, then come back and expect to still be logged in.  That will not work.

Every new page load to the same web site (with some important limitations) effectively resets the cookie expiration time by extending it into the future.  The default extension is about 24 minutes.

Cookies and browsers have unique interactions.  Consider this: All instances of Firefox (windows, tabs, viewports) share the same cookie jar.  You can have two browser windows logged in to the same web site.  Very confusing to developers, but rare in practice.  Window #1 sets a cookie, window #2 resets it and extends its time.  The behavior is predictable, but impatient developers rarely think through what is happening to the cookies.  Firefox gives you a good way to visualize the cookies - use it.

Now to the issues you identify.  You want to stop a session after two hours (of activity?) or 30 minutes of inactivity.  It doesn't work like that.  Unless you go to the trouble to understand sessions in detail and perhaps write your own session handlers, your sessions will expire after 24 minutes of inactivity.  The part about two hours is not applicable - each new use of a web page that contains session_start() will throw the timeout another 24 minutes into the future.  Garbage collection is imprecise, but the cookie expiration is fairly dependable.

As to this, "don't refer me to the session guide on the PHP website" -- sorry, but it is the definitive man page reference.  You need to understand it, and if you don't please post back here with specific questions.
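As an added example (not code from the answer or the linked article), here is one way to get the asker's "2 hours absolute, 30 minutes idle, whichever comes first" rule with the stock file-based session handler: keep your own timestamps in $_SESSION, as the question already hints, and raise session.gc_maxlifetime so the built-in 1440-second reaper cannot cut in before your own check does. The constant names, function names and the /login.php redirect are assumptions for the illustration.

```php
<?php
// Added example: enforce an absolute and an idle limit on a PHP login session.
// Assumes the default files session handler and that no other code touches
// the 'login_at' / 'last_seen' keys. Place this before any output.
declare(strict_types=1);

const ABSOLUTE_LIMIT = 2 * 60 * 60; // 2 hours since login, never refreshed
const IDLE_LIMIT     = 30 * 60;     // 30 minutes since the last request

// gc_maxlifetime must be at least as long as our own limits, or the server-side
// garbage collector (default 1440 s) wins and the session vanishes early.
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie; the server decides expiry
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/** Returns true while the session is within both limits; destroys it otherwise. */
function enforce_timeouts(int $now): bool
{
    if (!isset($_SESSION['login_at'], $_SESSION['last_seen'])) {
        return false;                        // nobody is logged in
    }
    $expired = ($now - $_SESSION['login_at']  > ABSOLUTE_LIMIT)
            || ($now - $_SESSION['last_seen'] > IDLE_LIMIT);
    if ($expired) {
        $_SESSION = [];
        setcookie(session_name(), '', time() - 3600, '/');
        session_destroy();
        return false;
    }
    $_SESSION['last_seen'] = $now;           // activity extends only the idle window
    return true;
}

/** Call once after the password check succeeds (assumed helper name). */
function start_authenticated_session(int $userId, int $now): void
{
    session_regenerate_id(true);             // fresh id on privilege change
    $_SESSION['user_id']   = $userId;
    $_SESSION['login_at']  = $now;           // fixed at login
    $_SESSION['last_seen'] = $now;
}

if (!enforce_timeouts(time())) {
    header('Location: /login.php');          // assumed login page
    exit;
}
```

Note that the ini_set on gc_maxlifetime only affects garbage collection triggered from this script; if session.save_path is shared with other PHP applications that keep the 1440 default, their requests can still reap your files, so give this application its own save_path.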