I know this must be a problem that has been repeatedly solved, so I am looking for the "best practices" solution.
In particular, if I have a page with a large textfield on it and expect the user to be there for a while:
1) How do I make it so that the session doesn't time out? At present the above situation results in the session timing out by the time the user tries to submit changes. I don't want to just remove timeouts because they have an inherent security property that it seems irresponsible to discard.
2) If I cannot get around the timeout problem, is there any way to make it so that the user can at least hit back or something and not lose everything they typed? Nothing is worse than spending half an hour typing up something just to be told that your session timed out and discovering that your work has vanished into the ether.
Handling Session Timeouts
feyd wrote: create your own session handler
"loose reliance on PHP's session handler and just store everything in the cookie" encompasses that, but yeah that's what I do (have a session object and a database of sessions, sessions don't timeout they get removed by a cron job after 24 hours of inactivity)
what I would suggest if you want to go the ajax route
is having a hidden iframe that contains a page that reloads itself every 45 seconds or so and saves what's in the form
something like this
Now, I don't even know if that's a correct way to mix javascript and php (probably not). If it isn't, consider it pseudo-code.
The idea behind it is still correct if that's the way you want to go.
Code: Select all
<?php
// Hidden iframe page. PHP runs on the server and cannot read the browser's
// form directly, so the script at the bottom posts the field value back here.
// Uses the legacy mysql_* API from the thread (removed in PHP 7) and assumes
// a connection is already open.
if (isset($_POST['contents'])) {
    // send to a database
    mysql_query("
        INSERT INTO
            `sometable` (
                `contents`,
                `time`
            ) VALUES (
                '".mysql_real_escape_string(htmlentities($_POST['contents']))."',
                '".time()."'
            )
    ") or die(mysql_error());
}
?>
<html>
<head>
<title>Hidden PageSaver</title>
</head>
<body>
<form name="saver" method="post" action="">
<input type="hidden" name="contents" value="">
</form>
<!-- copy the parent page's field and re-submit this page every 45 seconds -->
<script type="text/javascript">
function savePage(){
    document.saver.contents.value = parent.document.formName.formField.value;
    document.saver.submit();
}
setTimeout(savePage, 45000);
</script>
</body>
</html>
- Chris Corbyn
zeveck wrote: 24 hours? The security risks inherent in that are rather high, since it means that if somebody just walks away from a logged in session it remains usable for an entire day. =/
Well... you can take measures to avoid that. We keep the session data in a database for 8 hours. If a user is inactive for over 15 mins we "lock" the session and prompt for a password to re-activate it. We use AJAX too... but it's a bit more specific to our app and I'd prob get in trouble for posting the source.
Any links on the ajax suggestion?
This would be a basic way to update the time of last activity using AJAX every 45 secs:
Code: Select all
var http;
if (window.XMLHttpRequest)
{
    http = new XMLHttpRequest();
}
else if (window.ActiveXObject)
{
    try {
        http = new ActiveXObject("Microsoft.XMLHTTP");
    } catch (e) {
        http = false;
    }
}
else http = false;
// Ask the server to refresh this session's last-activity time.
function updateSession()
{
    if (!http) return; // no XMLHttpRequest support in this browser
    http.open("GET", 'session_updater.php', true);
    http.send(null);
}
// setInterval repeats every 45 seconds; setTimeout would fire only once.
window.setInterval(updateSession, 45000);
Code: Select all
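<?php
// Uses the legacy mysql_* API from the thread and assumes an open connection.
session_start();
// Escape the id before it goes into SQL: it arrives in a client-supplied cookie.
$sessid = mysql_real_escape_string(session_id());
$query = "update session_table set last_active = ".time()." where session_id = '".$sessid."'";
mysql_query($query);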
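Added example, not part of the thread or of any poster's code: the 15-minute lock and 8-hour retention described in the last post, replayed against a 45-second heartbeat, to show that a heartbeat sent unconditionally keeps an abandoned page "active" while one gated on real keystrokes lets the lock take effect. The function names and timelines are constructed for illustration, and the 8 hours are assumed to count from session creation.

```javascript
// Policy numbers are the ones quoted in the thread; everything else is assumed.
const LOCK_AFTER = 15 * 60;        // seconds idle before a password re-prompt
const MAX_LIFETIME = 8 * 60 * 60;  // seconds a session row is kept (assumed: from creation)
const PING_EVERY = 45;             // heartbeat period used in the thread

// Server-side decision, made on every request from the stored timestamps.
function sessionState(session, now) {
  if (now - session.createdAt >= MAX_LIFETIME) return "expired";
  if (session.locked || now - session.lastActive >= LOCK_AFTER) return "locked";
  return "active";
}

// Client-side gate: send a heartbeat only if the user typed since the last one.
function shouldPing(lastInputAt, lastPingAt) {
  return lastInputAt > lastPingAt;
}

// Replays a constructed timeline. `inputs` is a sorted list of keystroke times
// in seconds; heartbeats are due every PING_EVERY seconds up to `until`.
// gated=false models the unconditional timer: every heartbeat counts as activity.
function simulate(inputs, until, gated) {
  const session = { createdAt: 0, lastActive: 0, locked: false };
  let lastPingAt = 0;
  for (let t = PING_EVERY; t <= until; t += PING_EVERY) {
    // The lock is sticky: once it triggers, a later heartbeat cannot undo it.
    if (sessionState(session, t) !== "active") {
      session.locked = true;
      continue;
    }
    const typed = inputs.filter((i) => i <= t);
    const lastInputAt = typed.length ? typed[typed.length - 1] : -1;
    if (!gated || shouldPing(lastInputAt, lastPingAt)) {
      session.lastActive = t;
      lastPingAt = t;
    }
  }
  return sessionState(session, until);
}
```

In a browser, `lastInputAt` would be updated from the textarea's input events, and the server would require the password again before clearing `locked`.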