
Session.gc_maxlifetime VS Cookies

I am coding a web app in PHP and I am using sessions with the famous save handler which stores sessions in a MySQL database. I set session.gc_maxlifetime to 604800 (one week). So, I need to know for a "Remember Me" feature, should I use cookies or is that enough? Because the session is always stored in the DB for a week - when I close the window, then open it, I am logged in.

I am not using the SID in the URL; in my session table I store sid, time, data; time is updated every time. So when the user closes the window the session is still registered for one week after that, and when he comes back, time is updated again.


You still need cookies. The garbage collector is for the server; it tells PHP when to remove session data from the server. The client still needs a session identifier in order to access the session. The session identifier is usually stored in a cookie. So if the cookie "times out" and is removed from the cookie cache by the web browser, the web browser does not send the cookie anymore and the server thus cannot match the client to a session anymore.

Summary: There are two parts of a session: The actual data stored at the server, and a cookie which makes the server know that the client is allowed to access the session data on the server. If one is missing, it all won't work anymore.


I need to know, if I want a Remember Me feature, should I use cookies or is that (sessions) enough?!

Sessions should be much more limited in time than a week. Give it an hour or a half max. Sessions should only be active as long as the user is active.

So go for a cookie. Look into existing implementations in open source software that is available.
