How do you renew sessions?

chrys
Forum Contributor
Posts: 118
Joined: Tue Oct 04, 2005 9:41 am
Location: West Roxbury, MA (Boston)

How do you renew sessions?

Post by chrys »

Hi,

I set my

Code:

session_set_cookie_params( 60*15 );
so the session lifetime is 15 minutes.. but I only want it to log them out after 15 minutes of inactivity. How do you do this? Right now, the cookie gets set to expire in 15 minutes, and does not update on every page load.

Thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

so long as you set that option and start the session, it should get updated.

Post by chrys »

I run a session_start() before any output as usual, but it still does not update the cookie :/

I have noticed this several times in the past, I just have never really had to fix it before, lol. Any more ideas?

Post by feyd »

do you set the options before starting the session on each of the pages?

Post by chrys »

I do

Code:

session_set_cookie_params( 60*15 );

/* Constants */
include( $base_dir . "/lib/Constants.php" );

/* Database info */
$db_host = "";
$db_user = "";
$db_pass = "";
$db_name = "";

/* Smarty templater Variables */
require( $base_dir . 'smarty/Smarty.class.php' );
$smarty = new Smarty();

/* Initiate the Database class */
require( $base_dir . "/lib/Database.class.php" );
$db = new Database( $db_host, $db_user, $db_pass, $db_name );

/* Initiate the User class */
require( $base_dir . "/lib/User.class.php" );
$User = new User();
$User->Update();
$User->loadUser();
$User->Update() is basically session_start();

Post by chrys »

Any more ideas?
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

chrys wrote:
Code:

session_set_cookie_params( 60*15 );
so the session lifetime is 15 minutes.. but I only want it to log them out after 15 minutes of inactivity.

That sets the cookie lifetime to 15 minutes; your session may live much longer. Just thought someone should point that out for the sake of security.

Personally, I wouldn't count on a cookie to log a user out after a certain amount of time because server/client time may not remotely match up or the user could just play with the cookie's expiry. I use a nice long cookie expiry and check the last time the session was touched (which I store in $_SESSION['last_touched']). When the user is inactive (something like $_SESSION['last_touched'] + $lifetime < time()) then destroy the session and delete the cookie. Still probably won't work if the session isn't updated on every page.
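
Added example (not part of the thread or any poster's code): a sketch of the server-side inactivity check described in the post above, using the $_SESSION['last_touched'] key from that post. The function name, the constants, the one-day cookie lifetime and the /login.php path are assumptions made for illustration.

```php
<?php
// Added example: idle timeout enforced on the server, not by cookie expiry.
// IDLE_LIMIT, COOKIE_LIFETIME and enforce_idle_timeout() are illustrative names.
const IDLE_LIMIT      = 60 * 15;      // 15 minutes of inactivity
const COOKIE_LIFETIME = 60 * 60 * 24; // deliberately long; not the real limit

function enforce_idle_timeout(int $limit = IDLE_LIMIT): bool
{
    // Must run before any output, on every page that uses the session.
    session_set_cookie_params(COOKIE_LIFETIME);
    session_start();

    $now  = time();
    $last = $_SESSION['last_touched'] ?? null;

    if ($last !== null && $last + $limit < $now) {
        // Idle too long: clear the data, expire the cookie, drop the storage.
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', $now - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        session_destroy();
        return false;
    }

    // Active (or brand-new) session: slide the window forward.
    // A brand-new session still has to pass the application's login check.
    $_SESSION['last_touched'] = $now;
    return true;
}

if (!enforce_idle_timeout()) {
    header('Location: /login.php'); // hypothetical login page
    exit;
}
```

Keep session.gc_maxlifetime at least as large as the idle limit, otherwise garbage collection may discard the session data before this check runs.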
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Post by josh »

Buddha443556 wrote: server/client time may not remotely match up
Not true, the spec says that the client decides when to stop sending the cookie based off the client's local system time, regardless of what time the server thinks it is.
Buddha443556 wrote: the user could just play with the cookie's expiry
This is true, but generally not a problem in this context; the user would have to know what he's doing to accomplish this, and all he'd be doing is compromising his own account.
Buddha443556 wrote: I use nice long cookie expire and check the last time the session was touched (which I store in $_SESSION['last_touched']). When the user is inactive (something like $_SESSION['last_touched'] + $lifetime < time()) then destroy the session and delete the cookie. Still probably won't work if the session isn't updated on every page.
Setting session.gc_maxlifetime would be the semantic equivalent of this (except you let PHP handle it).

Code:

session.gc_maxlifetime  integer

    session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up.

Post by Buddha443556 »

jshpro2 wrote:not true, the spec says that the client decides when to stop sending the cookie based off the client's local system time, regardless of what time the server thinks it is
My choice of the word "remotely" was bad. :oops: "Closely" would have been a better choice. Yes, the client decides on local time and that makes short cookie lifetimes hard to pull off.
jshpro2 wrote: Setting session.gc_maxlifetime would be the semantic equivalent of this (except you let PHP handle it).
[I think session.gc_divisor would need to change too. Probably need to change session.gc_divisor to equal "1" which isn't a good idea. However ... ] There's a major difference between using session.gc_maxlifetime and my suggestion. GC deals with all session records at once and my suggestion only deals with one session at a time on an as-needed basis. GC can become a performance problem as the number of sessions increases.

Post by feyd »

Could always opt for implementing the session handling functions yourself, which would give you more control over when and how sessions are deleted. Database sessions comes to mind here.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

feyd wrote:Database sessions comes to mind here.
Whenever you do posts like these ("Hint, try.."), I think of Starship Troopers where they put up a catch phrase on the screen.. "Would you like to know more?".. hehe.

Post by josh »

Yes, if you handle the sessions yourself just add a where clause that prevents you from grabbing old data.