
How to keep a user session active even after closing the browser or returning after being idle in PHP for a while?

<p>In my code I can select "Remember me"; when selected, it saves the value of email and password in a cookie and the cookie lasts for 1 month. Now when the user enters the page again, instead of keeping the session active, it gets the value from the saved cookie and displays it on the login form. I'm currently using Cloudflare and hosting and I've tried setting up these lines of code:</p>

<pre class="brush:php;toolbar:false;">php_value session.cookie_lifetime 2629800;
php_value session.gc_maxlifetime 2629800;</pre>

<p>Both are in php.ini and .htaccess, but the result is the same (the session will be closed when the user closes the browser).</p>

<p>This is the loginUser function; it handles the login and creates the cookie when the user checks "Remember Me". What I want is that, by checking "Remember Me", even if the user closes the browser or comes back after some time, the session remains active for the inactivity time, but the session duration is 1 month (2629800 seconds).</p>

<pre class="brush:php;toolbar:false;">function loginUser($email, $password, $rememberme) {
    $mysqli = connect();
    $email = trim($email);
    $password = trim($password);

    if ($email == "" || $password == "") {
        return 'Both fields are required';
    }

    $email = filter_var($email, FILTER_SANITIZE_EMAIL);
    $password = filter_var($password, FILTER_SANITIZE_SPECIAL_CHARS);

    $sql = "SELECT * FROM users WHERE email = ? LIMIT 1";
    $stmt = $mysqli->prepare($sql);
    $stmt->bind_param("s", $email);
    $stmt->execute();
    $result = $stmt->get_result();
    $data = $result->fetch_assoc();

    if ($data == NULL) {
        return 'The email does not exist, sign up to enter';
    }

    if (password_verify($password, $data["password"]) == FALSE) {
        return 'The password is incorrect, please check and try again';
    } else {
        $user_id = $data['user_id'];
        $_SESSION['auth_user_id'] = $user_id;
        $_SESSION["user"] = $email;
        $_SESSION["pass"] = $password;
        $_SESSION["username"] = $data['username'];
        $_SESSION["verify"] = $data['verify'];
        $_SESSION["profile"] = $data['profileImage'];
        $_SESSION["id"] = $data['user_id'];
        $_SESSION["vip"] = $data['vip'];
        setcookie('user_id', $data['user_id'], time() + 60 * 60 * 24 * 30, '/');

        if ($rememberme) {
            $cookie_name = 'Remember_US';
            $cookie_value = json_encode(array('lemail' => $email, 'lpassword' => $password));
            $cookie_expire = time() + (60 * 60 * 24 * 30);
            setcookie($cookie_name, encrypt($cookie_value), $cookie_expire, '/', null, true, true);
        }

        header("location: index.php");
        exit();
    }
}</pre>

<p>PS: I know this is a duplicate, but none of the questions above solved my problem.</p>

<p>I mention again that I tried setting these lines in htaccess and php.ini with no success:</p>

<pre class="brush:php;toolbar:false;">php_value session.cookie_lifetime 2629800;
php_value session.gc_maxlifetime 2629800;

//In functions.php
$expire = 60*60*24*30; // We choose a one year duration
ini_set('session.gc_maxlifetime', $expire);
session_start();</pre>

<p>It's also worth mentioning that by establishing lines of code when closing and reopening the browser, the session remains active, but only for a maximum of 2 hours.</p>
P粉826429907, 468 days ago


  • P粉549986089

    P粉549986089 2023-09-04 00:49:29

    TL;DR: The setcookie lifecycle is confused with the default PHPSESSID cookie lifecycle for $_SESSION.

    For $_SESSION to adhere to the required lifetime, its PHPSESSID cookie must be updated, changing the cookie_lifetime from the default value to one month. This involves manual management of $_SESSION. The following is an example workflow for manually managing $_SESSION:

    1. Set session_name. (An alternative cookie name to PHPSESSID can be set.)
    2. Configure session options. (This can include setting cookie_lifetime.)
    3. Create and/or set session_id.
    4. Start session. (This step populates $_SESSION based on session_id.)
    5. Verify session. (Check whether authentication parameters such as session_id are valid.)
    6. Access and modify the $_SESSION value.
    7. Close session. (Prevents $_SESSION from making further changes before the session_id is sent to the client.)

    This link on Session Management Basics should be helpful. You can also read PHP Session Fixation/Hijacking.

    In the comments, RiggsFolly offered advice worth thinking about, and Chris Haas posted a great reference. Solutions like the reference seem to suggest storing a random string as the user lookup key, and a longer hashed string for verification. Lookups and non-hashed validation strings will use setcookie, while other values can use $_SESSION.

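
The scheme from the answer's last paragraph (a random lookup key in the cookie plus a longer verification string whose hash is stored server-side), as an added example that is not code from the original post or the linked reference. It assumes PDO, PHP 7.3+, and a hypothetical `auth_tokens` table; the cookie and function names are also illustrative.

```php
<?php
declare(strict_types=1);

// Hypothetical table (an assumption, not from the page):
//   CREATE TABLE auth_tokens (selector TEXT PRIMARY KEY, validator_hash TEXT,
//                             user_id INTEGER, expires INTEGER);
const REMEMBER_COOKIE = 'remember';        // hypothetical cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 30; // 30 days, as in the question

// Call after a successful password_verify() when "Remember me" is checked.
function issueRememberToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));  // lookup key, stored as-is
    $validator = bin2hex(random_bytes(32)); // secret, only its hash is stored
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    $value = $selector . ':' . $validator;
    if (PHP_SAPI !== 'cli') { // cookies only make sense inside a web request
        setcookie(REMEMBER_COOKIE, $value, ['expires' => $expires, 'path' => '/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $value;
}

// Call on a request that has no live session. Returns the user id or null.
function consumeRememberToken(PDO $db, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare('SELECT validator_hash, user_id, expires FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Tokens are single use: delete the row whether or not it validates.
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);

    $ok = hash_equals($row['validator_hash'], hash('sha256', $validator))
        && (int) $row['expires'] >= time();
    return $ok ? (int) $row['user_id'] : null;
}
```

When `consumeRememberToken()` returns a user id, call `session_regenerate_id(true)`, populate `$_SESSION`, and issue a fresh token with `issueRememberToken()`.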