Selfmade session time-out ok/safe?
Posted: Tue Feb 16, 2010 2:54 pm
by crashonline
Hi
I use a webhoster for my site and therefore cannot edit the php.ini, but I needed a shorter session time-out than the server is set to.
So I came up with this:
<?php
session_start();
$now = time();
// $_SESSION["time"] is set by the login routine; $diff is the number of seconds since the last request.
// If it is not set at all (no login yet), treat the session as expired.
$diff = isset($_SESSION["time"]) ? $now - $_SESSION["time"] : PHP_INT_MAX;
$_SESSION["time"] = $now;
if (!isset($_SESSION["user_id"]) || $diff > 360) {
    header("Location: formular.php");
    exit; // stop here, otherwise the protected page is still sent to the client
}
?>
This php is included in all the pages that need to be protected. If the condition is fulfilled, you get sent back to the login. If not, the parent php continues its work.
$_SESSION["time"] is first set in the login routine.
This definitely works, but is it safe or is there some kind of flaw?
Thx,
Robert
Re: Selfmade session time-out ok/safe?
Posted: Thu Feb 18, 2010 5:03 am
by crashonline
anyone?
Re: Selfmade session time-out ok/safe?
Posted: Thu Feb 18, 2010 9:10 am
by xtiano77
This is what I use. I don't know if it is the safest ever but it works for me. I use OOP so if you are using procedural (non-OOP), just remove the "class", "protected" and "public".
<?php
class Sessions {
    protected function setSessionTimer() {
        // sets the timer to 20 minutes. This is called when the user logs in.
        $_SESSION["TIMER"] = time() + 1200;
    }

    public function checkSessionTimer() {
        if (isset($_SESSION["TIMER"]) && $_SESSION["TIMER"] > time()) {
            // resets the timer back to 20 minutes. This is called on every other page,
            // except for the initial, authentication and logout pages.
            $_SESSION["TIMER"] = time() + 1200;
        } else {
            header("Location: http://www.yourPageHere.com/logOut.php");
            exit; // without exit the rest of the page would still be executed and sent
        }
    }
}
?>
I also use a JavaScript "setTimeout( )" function on my pages just in case one doesn't work, then the other will.
<?php
class JavaScript {
    // prints a <script> block that schedules $codeToBeCalled after $time milliseconds
    public function setTimeout($variableName, $codeToBeCalled, $time) {
        print("<script>\n");
        print("var " . $variableName . " = setTimeout(\"" . $codeToBeCalled . "\", " . $time . ");\n");
        print("</script>\n");
    }
}
?>
I call the JavaScript function like this: setTimeout("logoutTimer", "window.location.href = 'http://www.yourPageHere.php/logOut.php'", 20 * 60 * 1000);
Just my two cents. Hope it helps some.
P.S. If you find a better way please share it with us.
Re: Selfmade session time-out ok/safe?
Posted: Thu Feb 18, 2010 11:58 am
by crashonline
Hi
After noticing some faults with my first version, I have changed it to the following.
Hopefully this will help someone in the future. (INFO: Everything that goes on on my site happens inside one index.php that calls on itself if something is happening, so some things might not work for you but can easily be changed or taken out.)
<?php
// session_start() must already have been called at the top of index.php, otherwise $_SESSION is empty here.
// IF someone has logged in at this point, $_SESSION["time"] is already set to the time they did so
if (!isset($_SESSION["user_id"])) // checks if $_SESSION['user_id'] has been set by login.php, if not...
{
    include('logincheck.php'); // checks if someone has entered their login info on the last run-through and processes it if that's the case
    echo '<p>Please enter your login information.</p>'; // if that isn't the case either, the login form and the bottom part of the html are included and the script is stopped
    include('form.php');
    include('endpage.php');
    exit;
}
// if $_SESSION["user_id"] WAS set...
$now = time(); // get the current time
if ($_SESSION["time"] + 600 < $now) // if the current time is greater than the last activity time plus 600 seconds (10 min)...
{
    session_unset();   // end the session: drop all session variables...
    session_destroy(); // ...and remove the session data on the server
    echo '<p>Please log in again.</p>';
    include('formular.php');
    include('endpage.php');
    exit; // the login form is displayed again and the php is ended
}
else
{
    $_SESSION["time"] = $now; // if (on the other hand) the 600 seconds haven't passed yet, the session time is reset to the current time, so the user has 10 minutes (600 seconds) again before the session time runs out.
}
?>
Any suggestions?
Re: Selfmade session time-out ok/safe?
Posted: Fri Feb 19, 2010 1:51 pm
by xtiano77
I would remove "session_unset( )" and insert the code below.
$_SESSION = array();
session_destroy();
// also expire the session cookie in the browser; session_name() returns the cookie name (PHPSESSID by default)
setcookie(session_name(), "", time() - 1200, "/", ".yourWebSiteHere.com");
Just my 0.02 cents.
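The points raised across the thread (time-out check with exit after the redirect, clearing the session and its cookie, and an id change at login) put together in one include, as an added example that is not code from any poster; the constants, the login page name and the function names are assumptions:

```php
<?php
// Assumed values for this example, not from the thread.
define('IDLE_TIMEOUT', 600);          // seconds without a request before logout (10 min)
define('ABSOLUTE_TIMEOUT', 8 * 3600); // hard cap on a session's life, regardless of activity
define('LOGIN_PAGE', 'formular.php');

// Start the session with cookie settings that a shared host's php.ini does not provide.
function secure_session_start()
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    session_set_cookie_params(0, '/', '', $secure, true); // browser-session cookie, Secure on HTTPS, HttpOnly
    ini_set('session.use_only_cookies', '1');             // never accept a session id from the URL
    session_start();
}

// Destroy the server-side data and expire the cookie using the real cookie name and parameters.
function end_session()
{
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Call after a successful login: a fresh id prevents session fixation, the timestamps start both clocks.
function on_login($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id']     = $user_id;
    $_SESSION['created']     = time();
    $_SESSION['last_active'] = time();
}

// Include on every protected page: returns true for a valid session, otherwise ends it and redirects.
function require_valid_session()
{
    $now = time();
    $ok = isset($_SESSION['user_id'], $_SESSION['created'], $_SESSION['last_active'])
        && ($now - $_SESSION['last_active']) <= IDLE_TIMEOUT
        && ($now - $_SESSION['created']) <= ABSOLUTE_TIMEOUT;
    if (!$ok) {
        end_session();
        header('Location: ' . LOGIN_PAGE);
        exit; // header() alone does not stop the script; the protected page would still be rendered
    }
    $_SESSION['last_active'] = $now; // sliding window: activity extends the idle timer, never the absolute one
    return true;
}

secure_session_start();
require_valid_session();
```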