Make sessions never expire with $config['sess_expiration'] = -1 #3677

Closed
faunatrader opened this issue Sep 24, 2020 · 6 comments

@faunatrader

According to the documentation:

sess_expiration > 0 => "The number of SECONDS you want the session to last."
sess_expiration = 0 => "Setting to 0 (zero) means expire when the browser is closed."

Can we please have a -1 configuration, for sessions that never expire?

Thank you.

@michalsn
Member

The answer is simple - no. This is a really bad idea and we won't be encouraging this type of thing.

Although you're free to increase the sessionExpiration time to any number you need.

@faunatrader
Author

Why is it a bad idea? Frameworks shouldn't constrain design choices.

@michalsn
Member

> Why is it a bad idea? Frameworks shouldn't constrain design choices.

But at the same time, the framework shouldn't encourage using bad/insecure design choices. That's why it won't be implemented into the core. You can read more about session management recommendations here.

Nothing stops you from setting sessionExpiration to 1 year or so... Also you can implement "remember me" functionality that will live "forever" if you want. You can do all these things if you want and we can't stop you.

@faunatrader
Author

You have no idea about the system we are creating, requirements, audience, etc. You are encouraging silly workarounds based on unfounded mind-reading skills which you do not have.

@paulbalandan
Member

A never expiring session is a really bad idea, in terms of security. You are practically inviting hackers to exploit your web app by using session-based attacks.

This is not a silly design choice. What you are proposing into the core is rather insecure. Users would not want to use a framework that is promoting vulnerabilities within itself.

@michalsn
Member

I agree with you that I have no idea about the system you're creating, its requirements, etc. but even if the idea of the never expiring session may fit your project's needs it certainly doesn't fit the framework's core. Sorry.
