Selfmade session time-out ok/safe?

crashonline
Forum Newbie
Posts: 3
Joined: Tue Feb 16, 2010 2:45 pm

Selfmade session time-out ok/safe?

Post by crashonline »

Hi

I use a webhoster for my site and therefore cannot edit the php.ini, but I needed a shorter session time-out than the server is set to.

So I came up with this:

Code:

<?php
session_start ();
$now = time();

// Not logged in at all, or no timestamp in the session: treat as expired.
// The idle time is the difference between now and the last stored timestamp.
$expired = !isset ($_SESSION["user_id"], $_SESSION["time"])
        || ($now - $_SESSION["time"]) > 360;

if ($expired)
{
  // Drop the login and its timestamp before redirecting, and stop the script:
  // header() on its own does not keep the rest of the protected page from running.
  $_SESSION = array();
  session_destroy ();
  header ("Location: formular.php");
  exit;
}

// Still within the limit: only now refresh the timestamp.
$_SESSION["time"] = $now;
?>
This PHP is included in all the sites that need to be protected. If the condition is fulfilled, you get back to the login. If not, the parent PHP continues its work.

$_SESSION["time"] is first set in the login routine.

This definitely works, but is it safe or is there some kind of flaw?

Thx,
Robert
crashonline
Forum Newbie
Posts: 3
Joined: Tue Feb 16, 2010 2:45 pm

Re: Selfmade session time-out ok/safe?

Post by crashonline »

anyone?
xtiano77
Forum Commoner
Posts: 72
Joined: Tue Sep 22, 2009 10:53 am
Location: Texas

Re: Selfmade session time-out ok/safe?

Post by xtiano77 »

This is what I use. I don't know if it is the safest ever but it works for me. I use OOP so if you are using procedural (non-OOP), just remove the "class", "protected" and "public".

Code:

<?php
class Sessions {
     protected function setSessionTimer( ){
          //sets the timer to 20 minutes. This is called when the user logs in.
          $_SESSION["TIMER"] = time( ) + 1200;
     }
     public function checkSessionTimer( ){
          //session_start( ) must already have been called on the page.
          //A missing TIMER (never logged in) is treated the same as an expired one.
          if(isset($_SESSION["TIMER"]) && $_SESSION["TIMER"] > time( )){
               //resets the timer back to 20 minutes. This is called on every other page,
               //except for the initial, authentication and logout pages.
               $_SESSION["TIMER"] = time( ) + 1200;
          }else{
               header("Location: http://www.yourPageHere.com/logOut.php");
               exit; //stop the page from rendering after the redirect
          }
     }
}
?>
I also use a JavaScript "setTimeout( )" function on my pages just in case one doesn't work, then the other will.

Code:

<?php
class JavaScript {
     //json_encode( ) quotes and escapes the code string, so quotes inside it
     //cannot break out of the generated <script> block.
     public function setTimeout($variableName, $codeToBeCalled, $time){
          print("<script>\n");
          print("var " . $variableName . " = setTimeout(" . json_encode($codeToBeCalled) . ", " . (int)$time . ");\n");
          print("</script>\n");
     }
}
?>
I call the JavaScript function like this: setTimeout("logoutTimer" , "window.location.href = 'http://www.yourPageHere.php/logOut.php'", 20 * 60 * 1000);

Just my two cents. Hope it helps some.

P.S. If you find a better way please share it with us.
crashonline
Forum Newbie
Posts: 3
Joined: Tue Feb 16, 2010 2:45 pm

Re: Selfmade session time-out ok/safe?

Post by crashonline »

Hi

After noticing some faults with my first version, I changed it to the following.

Hopefully this will help someone in the future. (INFO: Everything that goes on on my site happens inside one index.php that calls on itself, if something is happening, so some things might not work for you but can easily be changed or taken out.)

Code:

<?php
//session_start( ) has already been called earlier in index.php.
//IF someone has logged in at this point $_SESSION["time"] is already set to the time they did so

if (!isset ($_SESSION["user_id"]))  //checks if $_SESSION['user_id'] has been set by login.php, if not...
{
  include ('logincheck.php');         //checks if someone has entered their login info on the last run-through and processes it if that's the case
  echo '<p>Please enter your login information.</p>';  //if that isn't the case either, the login form and the bottom part of the html are included and the script is stopped
  include ('form.php');
  include ('endpage.php');
  exit;
}
// if SESSION[user_id] WAS set...

$now=time();            //get the current time
if ($_SESSION["time"]+600 < $now)    //if the current time is greater than the login time plus 600 seconds (10 min)....
{
  //the session is already active, so it is not started a second time here
  session_unset ();
  session_destroy ();                             // end the session

  echo '<p>Please log in again.</p>';
  include ('formular.php');
  include ('endpage.php');
  exit;                                            //the login form is displayed again and the php is ended
}
else
{
  $_SESSION["time"]=$now;                 //if (on the other hand) the 600 seconds haven't passed yet, the session time is reset to the current time, so the user has 10 minutes (600 seconds) again before the session time runs out.
}

?>
Any suggestions?
xtiano77
Forum Commoner
Posts: 72
Joined: Tue Sep 22, 2009 10:53 am
Location: Texas

Re: Selfmade session time-out ok/safe?

Post by xtiano77 »

I would remove "session_unset( )" and insert the code below.

Code:

     $_SESSION = array( );                      // drop all session data
     session_destroy( );                        // remove the server-side session storage
     // expire the session cookie in the browser too; session_name( ) is the
     // configured cookie name (PHPSESSID by default)
     setcookie(session_name( ), "", time( ) - 1200, "/", ".yourWebSiteHere.com");
Just my 0.02 cents.
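A complete version of the idle time-out both posters are building, added here as an example; it is not code from the thread. The limit values, function names and the login page name formular.php (borrowed from the first post) are this example's own choices:

```php
<?php
// Added example, not either poster's code. Idle time-out in the style the thread
// describes, with the steps their snippets leave out: the timestamp is refreshed
// only after the check passes, a timed-out session is fully destroyed (data,
// server-side storage, cookie) and the script exits after the redirect.
const IDLE_LIMIT     = 600;    // allowed inactivity in seconds (10 min, as in the thread)
const ABSOLUTE_LIMIT = 28800;  // hard cap on session age (8 h), whatever the activity
const LOGIN_PAGE     = 'formular.php';

// Decision only: takes the session array and the clock so it can be reasoned
// about (or unit-tested) without a real session.
function session_is_expired(array $s, int $now): bool {
    if (!isset($s['user_id'], $s['last_activity'], $s['login_time'])) {
        return true;                       // not logged in, or timestamps missing
    }
    return ($now - $s['last_activity']) > IDLE_LIMIT
        || ($now - $s['login_time'])    > ABSOLUTE_LIMIT;
}

// Remove everything that identifies the session, including the browser cookie,
// using the configured cookie name and parameters rather than a hard-coded PHPSESSID.
function end_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Called by the login routine once the credentials have been verified.
function begin_session(int $userId): void {
    session_regenerate_id(true);           // fresh id: a pre-login id cannot be reused
    $_SESSION['user_id']       = $userId;
    $_SESSION['login_time']    = time();
    $_SESSION['last_activity'] = time();
}

// Include at the top of every protected page, before any output.
function require_active_session(): void {
    session_start();
    if (session_is_expired($_SESSION, time())) {
        end_session();
        header('Location: ' . LOGIN_PAGE);
        exit;                              // header() alone does not stop the script
    }
    $_SESSION['last_activity'] = time();   // refresh only after the check has passed
}
```

The absolute limit covers the case the thread's per-request reset cannot: a session that is kept alive indefinitely by activity, or by a client that polls the page.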