So the session lifetime is 15 minutes, but I only want it to log them out after 15 minutes of inactivity. How do you do this? Right now, the cookie gets set to expire in 15 minutes, and does not update on every page load.
So the session lifetime is 15 minutes, but I only want it to log them out after 15 minutes of inactivity.
That sets the cookie lifetime to 15 minutes; your session may live much longer. Just thought someone should point that out for the sake of security.
Personally, I wouldn't count on a cookie to log a user out after a certain amount of time, because server/client time may not remotely match up, or the user could just play with the cookie's expiry. I use a nice long cookie expiry and check the last time the session was touched (which I store in $_SESSION['last_touched']). When the user is inactive (something like $_SESSION['last_touched'] + $lifetime < time()), then destroy the session and delete the cookie. Still probably won't work if the session isn't updated on every page.
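The inactivity check described in the post above, written out as an added example (not code from the thread). It assumes the script is included at the top of every page that starts a session, so the timestamp is refreshed on each request; the constant name, the 'last_touched' key and the /login.php redirect are assumptions.

```php
<?php
// Added example, not from the thread: idle-timeout check using the
// $_SESSION['last_touched'] approach. Include this at the top of every
// page that starts a session so the timestamp is refreshed on each request.
// IDLE_LIFETIME, the 'last_touched' key and /login.php are assumptions.
const IDLE_LIFETIME = 15 * 60; // 15 minutes of inactivity

// Long cookie lifetime: the server-side timestamp, not the cookie expiry,
// decides when the user is logged out (the client controls cookie expiry).
session_set_cookie_params([
    'lifetime' => 60 * 60 * 24,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Returns true if the session is still active, false if it was idle too
// long and has been destroyed. $now is injectable to make this testable.
function enforceIdleTimeout(int $lifetime, ?int $now = null): bool
{
    $now = $now ?? time();
    if (isset($_SESSION['last_touched'])
        && $_SESSION['last_touched'] + $lifetime < $now) {
        // Inactive too long: wipe server-side data and the client cookie.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', [
                'expires'  => $now - 3600,
                'path'     => $p['path'],
                'domain'   => $p['domain'],
                'secure'   => $p['secure'],
                'httponly' => $p['httponly'],
                'samesite' => $p['samesite'],
            ]);
        }
        session_destroy();
        return false;
    }
    // Still active: refresh the timestamp on this page load.
    $_SESSION['last_touched'] = $now;
    return true;
}

if (!enforceIdleTimeout(IDLE_LIFETIME)) {
    header('Location: /login.php');
    exit;
}
```

Because the check runs per request rather than in PHP's garbage collector, only the session being used is touched, which is the per-session behaviour the post contrasts with session.gc_maxlifetime later in the thread.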
Buddha443556 wrote: server/client time may not remotely match up
not true, the spec says that the client decides when to stop sending the cookie based off the client's local system time, regardless of what time the server thinks it is
the user could just play with the cookie's expiry
this is true. but generally not a problem in this context, the user would have to know what he's doing to accomplish this, and all he'd be doing is compromising his own account.
I use a nice long cookie expiry and check the last time the session was touched (which I store in $_SESSION['last_touched']). When the user is inactive (something like $_SESSION['last_touched'] + $lifetime < time()), then destroy the session and delete the cookie. Still probably won't work if the session isn't updated on every page.
Setting session.gc_maxlifetime would be the semantic equivalent of this (except you let PHP handle it).
jshpro2 wrote:not true, the spec says that the client decides when to stop sending the cookie based off the client's local system time, regardless of what time the server thinks it is
My choice of the word "remotely" was bad. "Closely" would have been a better choice. Yes, the client decides on local time, and that makes short cookie lifetimes hard to pull off.
jshpro2 wrote: Setting session.gc_maxlifetime would be the semantic equivalent of this (except you let PHP handle it).
[I think session.gc_divisor would need to change too. Probably need to change session.gc_divisor to equal "1", which isn't a good idea. However ... ] There's a major difference between using session.gc_maxlifetime and my suggestion. GC deals with all session records at once, and my suggestion only deals with one session at a time on an as-needed basis. GC can become a performance problem as the number of sessions increases.
Could always opt for implementing the session handling functions yourself, which would give you more control over when and how sessions are deleted. Database sessions come to mind here.
Whenever you do posts like these ("Hint, try.."), I think of Starship Troopers where they put up a catch phrase on the screen.. "Would you like to know more?".. hehe.