ini_set('session.cookie_lifetime', 0);

[mfurlend]

On lines 235-237 you have this code:

// make sure session cookies never expire so that session lifetime
// will depend only on the value of $session_lifetime
ini_set('session.cookie_lifetime', 0);

That statement does not make "session cookies never expire." It makes the cookies expire when the browser is closed. In my case this caused authenticated users to be logged off upon termination of the session/browser.

Is this a bug or the intended behavior?

[voku]

"To clear any confusions that may arise: in reality, session.gc_maxlifetime
does not represent a session's lifetime but the number of seconds after
which a session is seen as garbage and is deleted by the garbage
collection routine. The PHP setting that sets a session's lifetime is
session.cookie_lifetime and is usually set to "0" - indicating that
a session is active until the browser/browser tab is closed. When this class
is used, a session is active until the browser/browser tab is closed and/or
a session has been inactive for more than the number of seconds specified
by session.gc_maxlifetime." - Zebra_Session.php

[mfurlend]

I see that, but if this class is supposed to serve as a drop-in replacement for PHP's built-in session handling shouldn't that line not be there? What is the purpose of ini_set('session.cookie_lifetime', 0)? In my case, I did not want the session to be destroyed when the browser is closed.

[jmathai]

Agree with @mfurlend. To use this (wonderful) library we need to fork and change that line of code. Even if we have session.cookie_lifetime set to something longer in php.ini this class will override it.

I don't think it's a valid assumption that site owners typically want sessions to end when a browser is closed.

[stefangabos]

This is now fixed by a01bdee