
Is extending cookie.gc_maxlifetime to one week a good idea for implementing 'Remember me'

The default setting of cookie.gc_maxlifetime is 24 minutes, so even if I set the cookie to expire in one week the 'Remember me' will work for 24 minutes, so I thought about extending gc_maxlifetime, but maybe there is a better solution?


Garbage collector is called that because it really collects garbage: if you don't delete old session files, then anyone can simply make billions of GET / requests on your site (without saving cookies) and your server will generate billions of session files that will not be deleted for a week - it may slow down your site considerably or even mess with your filesystem. If you want to implement a "remember me" feature, then you will have to do your own garbage collection (for example, no more than 100 sessions from the same IP, etc.) and maybe even implement your own session handling (for example, store them in a database to increase session data lookup speed and prepare for better scalability).


I guess session.gc_maxlifetime and maybe session.cookie_lifetime is what you mean?

Well, you could do it that way, make your session live that long. I would prefer not to use inbuilt session handling, instead I would set a cookie with my desired lifetime and some hash value; and I would persist that hash in a database.

Having a "normal" session last that long is not a good idea IMO, e.g. for security reasons.

0
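
The approach from the second answer (a cookie with its own lifetime carrying a random value, with only a hash of it persisted in a database), as an added PHP example that is not part of the original thread. The `remember_tokens` table, the function names and the selector/validator split are assumptions of this example, and the demo needs the pdo_sqlite extension.

```php
<?php
// Added example: "remember me" token kept separate from the PHP session (names are assumptions).
declare(strict_types=1);

const REMEMBER_TTL = 7 * 24 * 3600; // one week, as in the question

function rememberSchema(PDO $db): void {
    $db->exec('CREATE TABLE IF NOT EXISTS remember_tokens (
        selector TEXT PRIMARY KEY, validator_hash TEXT NOT NULL,
        user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');
}

// Returns the cookie value "selector:validator"; only a hash of the validator is stored.
function issueRememberToken(PDO $db, int $userId, ?int $now = null): string {
    $now ??= time();
    $selector = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, $now + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Returns the user id for a valid cookie, or null. Tokens are single-use: after a
// successful lookup the caller issues a fresh token and starts a normal short session.
function consumeRememberToken(PDO $db, string $cookie, ?int $now = null): ?int {
    $now ??= time();
    // Own garbage collection: expired rows are purged here, independent of session GC.
    $db->prepare('DELETE FROM remember_tokens WHERE expires_at <= ?')->execute([$now]);
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) return null;
    [$selector, $validator] = $parts;
    $stmt = $db->prepare('SELECT validator_hash, user_id FROM remember_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) return null;
    // Delete on every presentation, match or not, so a token can never be replayed.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    return hash_equals($row['validator_hash'], hash('sha256', $validator)) ? (int)$row['user_id'] : null;
}

// Demo against an in-memory SQLite database (constructed data: user id 42, fixed clock).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
rememberSchema($db);
$cookie = issueRememberToken($db, 42, 1000);
var_dump(consumeRememberToken($db, $cookie, 2000));                  // fresh token
var_dump(consumeRememberToken($db, $cookie, 2000));                  // same token presented again
$late = issueRememberToken($db, 42, 1000);
var_dump(consumeRememberToken($db, $late, 1000 + REMEMBER_TTL + 1)); // token past its expiry
```

The returned value would be sent with `setcookie()` using a one-week expiry and the `httponly` and `secure` options, while `session.gc_maxlifetime` stays at its short default.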
