
How do you renew sessions?

Posted: Sat Mar 11, 2006 10:33 am
by chrys
Hi,

I set my

Code:

session_set_cookie_params( 60*15 );
so the session lifetime is 15 minutes.. but I only want it to log them out after 15 minutes of inactivity. How do you do this? Right now, the cookie gets set to expire in 15 minutes, and does not update on every page load.

Thanks!

Posted: Sat Mar 11, 2006 10:36 am
by feyd
so long as you set that option and start the session, it should get updated.

Posted: Sat Mar 11, 2006 10:37 am
by chrys
I run a session_start() before any output as usual, but it still does not update the cookie :/

I have noticed this several times in the past, I just have never really had to fix it before, lol. Any more ideas?

Posted: Sat Mar 11, 2006 10:38 am
by feyd
do you set the options before starting the session on each of the pages?

Posted: Sat Mar 11, 2006 10:42 am
by chrys
I do

Code:

session_set_cookie_params( 60*15 );

/* Constants */
include( $base_dir . "/lib/Constants.php" );

/* Database info */
$db_host = "";
$db_user = "";
$db_pass = "";
$db_name = "";

/* Smarty templater Variables */
require( $base_dir . 'smarty/Smarty.class.php' );
$smarty = new Smarty();

/* Initiate the Database class */
require( $base_dir . "/lib/Database.class.php" );
$db = new Database( $db_host, $db_user, $db_pass, $db_name );

/* Initiate the User class */
require( $base_dir . "/lib/User.class.php" );
$User = new User();
$User->Update();
$User->loadUser();
$User->Update() is basically session_start();

Posted: Sun Mar 12, 2006 6:44 am
by chrys
Any more ideas?

Posted: Sun Mar 12, 2006 9:30 am
by Buddha443556

Code:

session_set_cookie_params( 60*15 );
so the session lifetime is 15 minutes.. but I only want it to log them out after 15 minutes of inactivity.
That sets the cookie lifetime to 15 minutes; your session may live much longer. Just thought someone should point that out for the sake of security.

Personally, I wouldn't count on a cookie to log a user out after a certain amount of time because server/client time may not remotely match up or the user could just play with the cookie's expiry. I use a nice long cookie expiry and check the last time the session was touched (which I store in $_SESSION['last_touched']). When the user is inactive (something like $_SESSION['last_touched'] + $lifetime < time()) then destroy the session and delete the cookie. Still probably won't work if the session isn't updated on every page.
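A worked version of the approach described in the post above, which also covers the original question of pushing the cookie's expiry out on every page load. This is an added example, not code from the thread; it assumes PHP 7.3 or later (array-style cookie options) and that nothing has been sent to the browser before session_start() runs.

```php
<?php
// Added example (not from the thread): sliding inactivity timeout for PHP sessions.
// The server-side timestamp in $_SESSION is what decides when a user is logged out;
// the cookie expiry is only a hint to the browser and is deliberately set longer.

const IDLE_LIMIT     = 60 * 15;       // seconds of inactivity before logout (from the post)
const COOKIE_LIFETIME = 60 * 60 * 24; // "nice long cookie expire"; assumption: one day

function refresh_session_cookie(int $lifetime): void
{
    // PHP only emits the session cookie when the session is first created, so the
    // lifetime given to session_set_cookie_params() is never renewed on later
    // requests. Re-sending the cookie with a new expiry makes it slide.
    $p = session_get_cookie_params();
    setcookie(session_name(), session_id(), [
        'expires'  => time() + $lifetime,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'] ?: 'Lax',
    ]);
}

function end_session(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    session_destroy();
}

// Returns true if the request carries a live session, false if it was just
// timed out (the caller should redirect to the login page in that case).
function start_session_with_idle_timeout(int $idle_limit = IDLE_LIMIT): bool
{
    session_set_cookie_params([
        'lifetime' => COOKIE_LIFETIME,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (isset($_SESSION['last_touched']) && $_SESSION['last_touched'] + $idle_limit < $now) {
        end_session();
        return false;
    }
    $_SESSION['last_touched'] = $now;   // touched on every page load
    refresh_session_cookie(COOKIE_LIFETIME);
    return true;
}

// Usage at the top of every page, before any output:
if (!start_session_with_idle_timeout()) {
    header('Location: /login.php'); // assumed login URL
    exit;
}
```

Because the check runs server-side, a tampered cookie expiry cannot extend the session. Keep session.gc_maxlifetime at least as large as the idle limit so PHP's garbage collector does not discard data before this check gets to see it.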

Posted: Sun Mar 12, 2006 10:30 am
by josh
Buddha443556 wrote: server/client time may not remotely match up
not true, the spec says that the client decides when to stop sending the cookie based off the client's local system time, regardless of what time the server thinks it is
the user could just play with the cookie's expiry
this is true. but generally not a problem in this context, the user would have to know what he's doing to accomplish this, and all he'd be doing is compromising his own account.
I use a nice long cookie expiry and check the last time the session was touched (which I store in $_SESSION['last_touched']). When the user is inactive (something like $_SESSION['last_touched'] + $lifetime < time()) then destroy the session and delete the cookie. Still probably won't work if the session isn't updated on every page.
Setting session.gc_maxlifetime would be the semantic equivalent of this (except you let PHP handle it).

Code:

session.gc_maxlifetime  integer

    session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up.

Posted: Sun Mar 12, 2006 12:48 pm
by Buddha443556
jshpro2 wrote: not true, the spec says that the client decides when to stop sending the cookie based off the client's local system time, regardless of what time the server thinks it is
My choice of the word "remotely" was bad. :oops: "Closely" would have been a better choice. Yes, the client decides on local time and that makes short cookie lifetimes hard to pull off.
jshpro2 wrote: Setting session.gc_maxlifetime would be the semantic equivalent of this (except you let PHP handle it).
[I think session.gc_divisor would need to change too. Probably need to change session.gc_divisor to equal "1" which isn't a good idea. However ... ] There's a major difference between using session.gc_maxlifetime and my suggestion. GC deals with all session records at once and my suggestion only deals with one session at a time on an as-needed basis. GC can become a performance problem as the number of sessions increases.

Posted: Sun Mar 12, 2006 12:50 pm
by feyd
Could always opt for implementing the session handling functions yourself, which would give you more control over when and how sessions are deleted. Database sessions come to mind here.

Posted: Sun Mar 12, 2006 1:30 pm
by Roja
feyd wrote: Database sessions come to mind here.
Whenever you do posts like these ("Hint, try.."), I think of Starship Troopers where they put up a catch phrase on the screen.. "Would you like to know more?".. hehe.

Posted: Sun Mar 12, 2006 1:50 pm
by josh
Yes, if you handle the sessions yourself just add a where clause that prevents you from grabbing old data.