session_set_cookie_params

(PHP 4, PHP 5)

session_set_cookie_params --  Set the session cookie parameters

Description

void session_set_cookie_params ( int lifetime [, string path [, string domain [, bool secure]]] )

Set cookie parameters defined in the php.ini file. The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called.

Note: The secure parameter was added in PHP 4.0.4.

See also the configuration directives session.cookie_lifetime, session.cookie_path, session.cookie_domain, session.cookie_secure, and session_get_cookie_params().


User Contributed Notes
stalker at ruun dot de
08-Jul-2005 06:11
to oracel,

sure the cookie-lifetime does not work when you use time()+..., because the expire-date will be calculated out of time() and the value you used for lifetime automatically when you use session_start().

grz,
Stalker
oracel at start dot no
29-May-2005 02:58
This seems to work only if you specify a lifetime within a certain limit. I spent a while debugging this since it didn't send a proper expiration time when I used time() + 60 * 60 * 24 * 365. However if you omit time() it works perfectly.
jordi at jcanals dot net
15-Nov-2004 09:39
Something that has taken me some time to debug: session_set_cookie_params() does not work when the domain param is just a one level domain, like it was a TLD.

I have a site in an intranet and our internal domain is .local, so trying to set the cookie session to the .local domain does not work:

session_set_cookie_params(0, '/', '.local'); // Does not work

In all tests I've done, setting the domain only works for SLDs and above:

session_set_cookie_params(0, '/', '.sld.local'); // Does work

This is nothing to do with PHP but the HTTP protocol, which does not permit setting cookies for TLDs for obvious security reasons.
treeml at itree dot org
13-Aug-2003 06:13
If the server time is not properly set (e.g. it is behind the client time), execution of the following code

session_set_cookie_params(2000);
session_start();

will NOT set/send cookie to Internet Explorer 6.0,

even though it will set the cookie on Mozilla/Firebird browser. But the cookie will get set without the session_set_cookie_params();

Same holds true for following code,

$expiry = 60*30;
session_start();
setcookie(session_name(),session_id(), time()+$expiry, "/");
 

For some reason IE is really sensitive to cookie times. It won't even accept the cookie!!
This took me quite a while to figure out, for I thought it was an IE cookie security issue.
Kato
05-Jan-2003 04:54
Cookies can be set with a long notation expiry time...

Thus, you can use:

"Sat Jan  4 11:55:15 MST 2003"

This has helped me in the past to deal with the client's computer differing in time... since their browser will adjust accordingly.
mail at paul-roberts dot com
22-Dec-2002 10:08
if you want/expect the session to last as long as your cookie then also see
http://www.php.net/manual/sv/function.session-cache-expire.php
shrockc at inhsNO dot SPAMorg
19-Jun-2002 12:19
when setting the path that the cookie is valid for, always remember to have that trailing '/'.

CORRECT:
session_set_cookie_params (0, '/yourpath/');

INCORRECT:
session_set_cookie_params (0, '/yourpath');

no comment on how long it took me to realize that this was the cause of my authentication/session problems...
gavin_spam at skypaint dot com
27-Feb-2002 06:58
The first argument to session_set_cookie_params is the number of seconds in the future (based on the server's current time) that the session will expire.  So if you want your sessions to last 100 days:

$expireTime = 60*60*24*100; // 100 days
session_set_cookie_params($expireTime);

I was using time()+$expireTime, which is WRONG (a lot of the session_set_cookie_params() examples I found get this wrong, but probably don't care because they are just doing "infinite" sessions).
php at mike2k dot com
09-May-2001 05:16
[Editor's Note:

Rasmus' Solution from the PHP-General list:

Just use a session cookie (by not providing an expiry time) and add the
server's expiry timestamp to the value of the cookie.  Then when you get
that cookie sent to you, check it against your server's time and make the
decision on whether to accept the cookie or not based on that.

That way you are immune from people not having their system clocks set
right.

-Rasmus

--zak@php.net]

A couple things I noticed when using this. I think it only works if you set the session_set_cookie_params() function BEFORE the session_start() function.

Also, when you set the "lifetime" on the cookie, it takes the seconds offset from the SERVER. It sends the cookie encoded to timeout at the SERVER time. So if your server is +2 minutes ahead of the client, and you set the cookie to timeout after 30 seconds, the client actually has 2 minutes and 30 seconds before the cookie times out. I don't know if there's any way that this can be patched in future versions, and the only alternative I think is setting cookies in JavaScript, which is hardly the point when using all these specific session functions.
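
The approach in the editor's note above (a session cookie carrying the server's expiry timestamp, checked on the server), as an added example that is not part of the manual or of any contributor's note. The HMAC is an addition made here because the client can edit the cookie value; the function names, cookie name and key are hypothetical, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example, not from the PHP manual. Names and $key are placeholders.

// Build "payload|expiry|mac". The expiry is taken from the SERVER's clock,
// so the client's clock never takes part in the accept/reject decision.
function make_cookie_value($payload, $ttl, $key, $now)
{
    $expiry = $now + $ttl;
    $body   = base64_encode($payload) . '|' . $expiry;
    return $body . '|' . hash_hmac('sha256', $body, $key);
}

// Return the payload, or null if the value is malformed, altered or expired.
function read_cookie_value($value, $key, $now)
{
    $parts = explode('|', $value);
    if (count($parts) !== 3) {
        return null;
    }
    list($b64, $expiry, $mac) = $parts;
    $expected = hash_hmac('sha256', $b64 . '|' . $expiry, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                       // value was edited on the client
    }
    if (!ctype_digit($expiry) || (int)$expiry <= $now) {
        return null;                       // expired by the server's clock
    }
    $payload = base64_decode($b64, true);
    return $payload === false ? null : $payload;
}

$key   = 'replace-with-a-random-server-side-secret'; // placeholder secret
$now   = 1000000000;                                 // constructed timestamp
$value = make_cookie_value('user=42', 1800, $key, $now);

// In a web request the value is sent as a session cookie (expire = 0):
//   setcookie('login', $value, 0, '/');

var_dump(read_cookie_value($value, $key, $now + 60));    // inside the 30 minutes
var_dump(read_cookie_value($value, $key, $now + 1801));  // past the server expiry

// Constructed tampering: the client rewrites the expiry field only.
$forged = str_replace('|' . ($now + 1800) . '|', '|' . ($now + 999999) . '|', $value);
var_dump(read_cookie_value($forged, $key, $now + 1801)); // MAC no longer matches
```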