How to Extend CodeIgniter Session Expiration Time (Complete Guide)

Sessions are crucial for managing user login states, preferences, and temporary data in web applications. In CodeIgniter, session expiration is configurable, but many developers find it tricky to properly extend session duration without introducing security or usability issues.

This guide covers how to extend session expiration in CodeIgniter, with practical steps, a full working example, tips, and common mistakes to avoid.

Why You Might Want to Extend Session Expiry

• Keep users logged in for longer periods.

• Prevent session timeouts during lengthy forms or file uploads.

• Improve user experience in dashboards or internal apps.

Step-by-Step: Extending Session Expiry in CodeIgniter

CodeIgniter’s session configuration can be controlled via the application/config/config.php file. You can also control session behavior dynamically via code.

✅ Step 1: Locate the Session Configuration File

Open:

/application/config/config.php

Look for the session-related keys:

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200; // Default: 2 hours (in seconds)
$config['sess_save_path'] = sys_get_temp_dir();
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;

✅ Step 2: Increase sess_expiration Time

To extend the session to 24 hours, set:

$config['sess_expiration'] = 86400; // 60*60*24

To keep sessions alive until the browser is closed, use:

$config['sess_expiration'] = 0;

✅ Step 3: Update Cookie Expiration (Optional)

Also update cookie timeout if using 'sess_expiration' > 0:

$config['cookie_lifetime'] = 86400; // Set to match session expiration

✅ Step 4: Regenerate Session Less Frequently (Optional)

This prevents session ID changes that may disrupt long sessions.

$config['sess_time_to_update'] = 3600; // Regenerate session ID every hour

Full Working Example

config.php Snippet

$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 86400; // 24 hours
$config['sess_save_path'] = APPPATH.'sessions'; // Make sure directory exists and is writable
$config['sess_time_to_update'] = 3600;
$config['cookie_lifetime'] = 86400;

Create the sessions directory if using the 'files' driver:

mkdir application/sessions
chmod 0777 application/sessions

Controller Example: Using Session in Code

class Dashboard extends CI_Controller {
    public function index() {
        $this->load->library('session');

        // Set a session variable
        $this->session->set_userdata('user_id', 101);

        // Access session variable
        echo "User ID is: " . $this->session->userdata('user_id');
    }
}

Using Session on Another Page

class Profile extends CI_Controller {
    public function index() {
        $this->load->library('session');

        if ($this->session->has_userdata('user_id')) {
            echo "Session still active for user: " . $this->session->userdata('user_id');
        } else {
            echo "Session expired or not found.";
        }
    }
}

Tips

1. ✅ Set sess_expiration = 0 for login until browser is closed — but not ideal for public computers.

2. ✅ Use sess_driver = 'database' for large or high-traffic apps — more robust than files.

3. ✅ Ensure your server respects PHP session lifetime:

   session.gc_maxlifetime = 86400
   

   (in php.ini or via .htaccess)

4. ✅ Store session files outside web root for better security if using file driver.

5. ✅ Use remember me functionality with tokens, rather than just extending sessions indefinitely.

⚠️ Common Pitfalls

• ❌ Only changing CodeIgniter config but not PHP settings: If php.ini still expires sessions early (e.g., 1440s), you'll lose session data even with sess_expiration set higher.

• ❌ Not creating or securing the session save path: Especially if using 'files' driver and custom sess_save_path.

• ❌ Session data not persisting? Check browser cookies and ensure 'ci_session' is not being cleared.

• ❌ High sess_time_to_update values can delay session ID regeneration, possibly increasing security risk if not handled properly.

Bonus: Forcing Session Expiry Programmatically

You can also manually destroy or extend sessions:

// Destroy session
$this->session->sess_destroy();

// Extend session timeout (temporary)
$this->session->sess_expiration = 172800; // 2 days (in code, per request)

⚠️ Per-request settings do not persist — config settings are recommended for consistency.

Conclusion

Extending session expiration time in CodeIgniter is straightforward — just be sure to update both your CodeIgniter and PHP configurations. Sessions are powerful, but with power comes responsibility — so keep an eye on security when adjusting their lifetimes.