
Sessions - Should A Session Cookie Be Refreshed For Each Request?

- 1 answer

I notice that when using sessions in a Laravel application, the Set-Cookie header is set for each request.

First response:

Set-Cookie:laravel_session=eyJpdiI6ImFHN3BkcVRJY2lPOGN0SUJrRWdQcnc9PSIsInZhbHVlIjoiY2FIYkFHSXpsSzBcL3NEN2o0ZnpGVXZ4ajNPXC9OWSswVFJnUmZQTWdsTGRobzR6OTIxV1wvK3JwOTE0dldcL1JjUXRaZjNyQkhcLytONFFLenJhOVloM3dmZz09IiwibWFjIjoiMzZhYTdjMzZlNzk5ODFiNmFjOGJlOGVjNmYzNmZhOWEyYjhjOTFhZjY0NjJhZTE5MWFlMWM4NjllNjc0N2JhOSJ9; expires=Sat, 30-Jan-2016 21:45:04 GMT; Max-Age=7200; path=/; httponly

Second response:

Set-Cookie:laravel_session=eyJpdiI6IjJUREdPOGZoRjlOeXJYeWhhU0R3amc9PSIsInZhbHVlIjoiZ0N5YURPRGZkN3dRMDFhcjJDNWVhdUZPMkJyXC9qOXVCM3dCK3MzbFVjd1pKNUhXRVVFT3lnTnlqVlZVQVpaYnVOUGtvV1wvRVFpWHI4dEdrMXo5QUpuUT09IiwibWFjIjoiOGI3OTc5YjE2MjQ0MDlhYTM4YWZmODhmZmQ0OWIxMWU4YjQ4ZDU3M2JjZmI3NmZmMWViNjg4NjI3ZDk1ODkxZiJ9; expires=Sat, 30-Jan-2016 21:47:50 GMT; Max-Age=7200; path=/; httponly

The two strings are slightly different.

The browser is sending the appropriate Cookie header for each request.

I wonder if that's the intended behaviour and if it's necessary for updating the expire time, or if it can be set only for the first request, and then the browser can just send it back for the following ones?


Answer

Yes, it's updating the expiration time. If it didn't, the session would expire two hours after the user's first page hit, regardless of whether they were still using the site. By sending it every time, the app ensures that the session expires two hours after their last page hit.

source: stackoverflow.com
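
An added example (not part of the original question or answer) that parses the two Set-Cookie headers quoted above to show the sliding expiry the answer describes, and why the two strings differ. Decoding the value shows a base64 JSON envelope with iv, value and mac fields; the iv changes on every response, which alone makes the strings differ whether or not the underlying session ID changed.

```python
import base64
import json
from datetime import datetime, timedelta
from urllib.parse import unquote

# The two Set-Cookie headers quoted in the question, copied verbatim.
FIRST = "Set-Cookie:laravel_session=eyJpdiI6ImFHN3BkcVRJY2lPOGN0SUJrRWdQcnc9PSIsInZhbHVlIjoiY2FIYkFHSXpsSzBcL3NEN2o0ZnpGVXZ4ajNPXC9OWSswVFJnUmZQTWdsTGRobzR6OTIxV1wvK3JwOTE0dldcL1JjUXRaZjNyQkhcLytONFFLenJhOVloM3dmZz09IiwibWFjIjoiMzZhYTdjMzZlNzk5ODFiNmFjOGJlOGVjNmYzNmZhOWEyYjhjOTFhZjY0NjJhZTE5MWFlMWM4NjllNjc0N2JhOSJ9; expires=Sat, 30-Jan-2016 21:45:04 GMT; Max-Age=7200; path=/; httponly"
SECOND = "Set-Cookie:laravel_session=eyJpdiI6IjJUREdPOGZoRjlOeXJYeWhhU0R3amc9PSIsInZhbHVlIjoiZ0N5YURPRGZkN3dRMDFhcjJDNWVhdUZPMkJyXC9qOXVCM3dCK3MzbFVjd1pKNUhXRVVFT3lnTnlqVlZVQVpaYnVOUGtvV1wvRVFpWHI4dEdrMXo5QUpuUT09IiwibWFjIjoiOGI3OTc5YjE2MjQ0MDlhYTM4YWZmODhmZmQ0OWIxMWU4YjQ4ZDU3M2JjZmI3NmZmMWViNjg4NjI3ZDk1ODkxZiJ9; expires=Sat, 30-Jan-2016 21:47:50 GMT; Max-Age=7200; path=/; httponly"


def parse_set_cookie(header):
    """Return (name, value, attributes) for one Set-Cookie header line."""
    pair, *attrs = [p.strip() for p in header.partition(":")[2].split(";")]
    name, _, value = pair.partition("=")
    parts = (a.partition("=") for a in attrs)
    return name, value, {k.lower(): v for k, _, v in parts}


def decode_envelope(value):
    """Decode the base64 JSON wrapper; no key is needed, nothing is decrypted."""
    raw = unquote(value)
    return json.loads(base64.b64decode(raw + "=" * (-len(raw) % 4)))


def issued_at(attrs):
    """Server time of the response: the expiry minus the Max-Age window."""
    stamp = attrs["expires"].split(", ", 1)[1]  # drop the weekday
    expires = datetime.strptime(stamp, "%d-%b-%Y %H:%M:%S GMT")
    return expires - timedelta(seconds=int(attrs["max-age"]))


def compare(first, second):
    """Summarise what changed between two responses for the same session."""
    _, v1, a1 = parse_set_cookie(first)
    _, v2, a2 = parse_set_cookie(second)
    e1, e2 = decode_envelope(v1), decode_envelope(v2)
    gap = issued_at(a2) - issued_at(a1)
    return {
        "fields": sorted(e1),                 # structure of the envelope
        "iv_differs": e1["iv"] != e2["iv"],   # fresh IV per response
        "max_age": int(a2["max-age"]),        # window length stays constant
        "seconds_between_responses": int(gap.total_seconds()),
    }


if __name__ == "__main__":
    print(compare(FIRST, SECOND))
```

Max-Age stays at 7200 in both responses, so the expiry moves forward by exactly the time between the two requests.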