
How to change the 'laravel_session' and 'XSRF-TOKEN' Expires/Max-age value to 'Session' instead of a timespan?

Dear Friends, I am using Laravel 10.10. As part of my application security audit, the team compels me to change the Expires/Max-age value of 'laravel_session' & 'XSRF-TOKEN' to "Session". Please see the screenshot.

My required model is: [screenshot]

Waiting for your reply

Thanks

Anes P A

insight wrote:

@s4muel As per expert opinion: "'expire_on_close' => true: When you set this option to true, the session cookie will have no specific expiration time set, and it will be deleted when the user closes their browser (i.e., when the browser session ends). The Expires and Max-Age attributes of the cookie will not be set, effectively making it a session cookie." In my case too it's not working; I have already set it.

Thanks

Anes P A

s4muel wrote:

@insight exactly as you say, "...effectively making it a session cookie": that is what it is. The value "Session" you see is just fictional, not a real value, to indicate that it is a session cookie.

s4muel wrote:

@insight do I see correctly that you set 'expire_on_close' => true in config/session.php as your solution (as in the URL you posted), or am I missing something?

s4muel wrote:

@insight and what was the main problem then?

Did you try setting it (just the expire_on_close) on a fresh Laravel project? Try it and see for yourself that it just works as you want, and find out why it doesn't work on your current project, instead of messing with custom session and CSRF middlewares that can bite you in the future.

And what is the purpose of this? 'lifetime' => env('SESSION_LIFETIME', 'Session') Do you even use it anywhere? 🤯

insight wrote:

@s4muel That line has no special significance. I have already set

SESSION_LIFETIME=120

in the .env file. So 2 hours (120 mins) will take effect on that line.

Snapey wrote:

@insight expect your security people to complain that cookies are not HTTPS only.

You should also remove 'Session' from this line

'lifetime' => env('SESSION_LIFETIME', 'Session'),

as it is misleading and has nothing to do with the solution.

insight wrote:

So remove 'Session' and write that line like

'lifetime' => env('SESSION_LIFETIME', 120),

if I want to set the session timeout to 2 hours. Am I right @Snapey?

Snapey wrote:

@insight

You still don't understand the env() function?

Parameter 1 is the environment variable to use.

Parameter 2 is the FALLBACK default value if the environment key is not found.

So in your example, the session lifetime will be set to 120 ONLY IF the .env has no SESSION_LIFETIME.
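An added illustration of the two points the thread settles on (not code from the thread or from Laravel's own source): env()'s second argument is only a fallback, and 'expire_on_close' => true is what removes Expires/Max-Age from the session cookie. The envOr() helper and the config arrays are hypothetical stand-ins; cookieExpires() mirrors the rule Laravel's StartSession middleware applies to the session cookie.

```php
<?php
// Added example; the arrays are a hypothetical excerpt of config/session.php,
// not Laravel's shipped file, and envOr() stands in for Laravel's env() helper.

// The second argument is used ONLY when the variable is missing from the
// environment (.env). With SESSION_LIFETIME=120 in .env, the fallback is ignored.
function envOr(string $key, $default)
{
    $value = getenv($key);
    return $value === false ? $default : $value;
}

// Before: a numeric lifetime with expire_on_close => false yields a persistent
// cookie carrying Expires/Max-Age (the timespan the audit objected to).
$before = [
    'lifetime'        => (int) envOr('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
];

// After: same idle lifetime on the server side, but expire_on_close => true so
// the cookie is emitted without Expires/Max-Age ("Session" in browser devtools).
// A 'Session' string as the fallback would be meaningless here: it is minutes.
$after = [
    'lifetime'        => (int) envOr('SESSION_LIFETIME', 120),
    'expire_on_close' => true,
    // Hardening Snapey also raises: mark the cookies HTTPS-only.
    'secure'          => true,
    'http_only'       => true,
    'same_site'       => 'lax',
];

// Mirrors Laravel's StartSession rule for the session cookie: 0 means
// "no Expires/Max-Age attribute", otherwise now + lifetime minutes.
function cookieExpires(array $config): int
{
    return $config['expire_on_close'] ? 0 : time() + 60 * (int) $config['lifetime'];
}

foreach (['before' => $before, 'after' => $after] as $label => $config) {
    $expires = cookieExpires($config);
    echo $label, ': ', $expires === 0
        ? "session cookie (no Expires/Max-Age)\n"
        : 'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $expires) . "\n";
}
```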
