Is it possible to make web login with fingerprint?

Is it possible to make web login with fingerprint?
And how secure is it?
I am not a web developer (I make desktop software) but I had to make a reporting website for my company.
I made a simple website using PHP and implemented 2FA.
Now people complain it is too hard to log in with 2FA every time and I thought about making a fingerprint login.

P-pls respond

Does anyone actually know something on this board?

Yes it is.

Just let the 2FA and save the session on the device for a month dude. You know, what literally everyone does.

Session is destroyed once browser is closed

Change that

Don't destroy it, duh.

>fingerprint log in
how? by putting their finger on the screen?

Well they will need external hardware or a smart phone with the capability of reading fingerprints. Also,
>giving your fingerprints to the botnet

For login I used
$_SESSION["id"] = $user_id;

and to check if user is signed in
session_start();
if (!isset($_SESSION["id"]) || empty($_SESSION["id"])) {
    header("Location: /login/");
    exit; // stop here so the rest of the page is not sent with the redirect
}

Most people use this on the phone, and I would still let people use normal log in but when they are on the phone they could sign in with fingerprint

save it for 30 days and people won't complain.

how fucking secure do you need it? a password works fine for 99% of sites

you allow session hijacking if someone grabs an ID
set a cookie for that user as well, a hash of their user ID
so a person hijacking has to get the session ID + the hash of the userID (and match them) in order to login.

also
stackoverflow.com/questions/8764287/set-session-to-expire-in-1-month-php

I believe a company is working on standardizing something for this.
It'll be shit.

Use a cookie. That's what they're there for.
You could even make it so that the (valid) cookie only removes the need for the 2nd factor auth so they just password instead.
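
One way to implement the cookie described in the post above, where a valid cookie only removes the second factor and the password is still required (an added example, not part of the original thread). The function names, the cookie name `trusted_device` and the in-memory `$store` standing in for a database table are assumptions.

```php
<?php
declare(strict_types=1);

const TRUST_LIFETIME = 30 * 24 * 3600; // 30 days, as suggested in the thread

// Issue a random token for this device. Only its SHA-256 hash is kept
// server-side, so a leaked table does not yield usable cookies.
function issueDeviceToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + TRUST_LIFETIME,
    ];
    return $token;
}

// Cookie attributes: HTTPS only, hidden from JavaScript, not sent cross-site.
function deviceCookieOptions(int $now): array
{
    return [
        'expires'  => $now + TRUST_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// True only if the token is known, unexpired, and bound to the user who
// has just passed the password check. Anything else falls back to 2FA.
function deviceIsTrusted(array $store, int $userId, string $token, int $now): bool
{
    $row = $store[hash('sha256', $token)] ?? null;
    return $row !== null && $row['user_id'] === $userId && $row['expires'] > $now;
}

// Constructed demo: hypothetical user IDs 42 and 7, no real database.
$store = [];
$now   = time();
$token = issueDeviceToken($store, 42, $now); // call after a successful 2FA login
// In a web request: setcookie('trusted_device', $token, deviceCookieOptions($now));

var_dump(deviceIsTrusted($store, 42, $token, $now));                      // same user
var_dump(deviceIsTrusted($store, 7, $token, $now));                       // other user
var_dump(deviceIsTrusted($store, 42, $token, $now + TRUST_LIFETIME + 1)); // expired
var_dump(deviceIsTrusted($store, 42, str_repeat('0', 64), $now));         // forged
```

Deleting the stored row revokes the device, which a cookie derived only from the user ID cannot offer.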

Depends on what you mean by fingerprint log in.
First, fingerprint scanning isn't suitable for identification because of type II errors. You can accidentally log someone into the wrong account. Also looping over the entire database of users and verifying random fingerprints until you get a match is retarded and slow. If you also provide a login and only use fingerprints for authentication, it should be fine.
Second, obviously browsers don't provide fingerprint scanning. And there's no API in webextensions either. You need to be able to install a separate binary application on every machine that needs to access your website. And write a web extension that will exchange messages with that binary and take control of the session in the browser. Honestly NFC cards would be much more suitable for this but browsers don't support them either.
Though Firefox (and only Firefox) provides a pkcs11 API for webextensions. This by far will be the most reliable way and easy to deploy. Google pkcs11, it's a standard for cryptographic tokens. Issue USB tokens to users and read your auth data from protected memory. Might as well implement signatures for critical data or set up SSL with those tokens.

So I set
ini_set('session.gc_maxlifetime', 2678400);
Every time after session_start() ?

Looks like it'll keep extending it when refreshed in that scenario.

working right now so didn't read but:

stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes

way more specific info there, I think setting it for 24 hours is smart, because if they come back every 24 hours they won't have to log in... but if they stay away for more than 24 hours then they have to log back in.

>cookies
>sessions

has no one in this thread heard of local storage before?

cookie = local storage

Wrong.

PayPal app accepts login and pay with fingerprint

No, cookies are local storage.

it's a native mobile app not web

localstorage is cancer. Especially if you want to store session there.