I am building an application which has a user system. Security is a must here, and I decided not to use cookies. What I do is session_start() on every page, and once a user has logged in successfully, I simply define a few session variables used to authenticate the user from page to page. My main concern here is that (as far as I know) there is no "time out" for sessions, so if a user logs in and leaves their browser open for an arbitrary amount of time, they will still be "logged in". Is simply using sessions an adequate way to manage users? Basically users should only log in for a short period of time, perform an action (details not important), and log out.
Thanks,
Nick
Session management with PHP
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
Code:
session_cache_expire($numMinutes);
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Just to clarify, the session.gc_maxlifetime setting is defaulted to 1440 (24 minutes, thanks ole), but doesn't necessarily mean anything to your user or your script, because of another set of values: session.gc_probability and session.gc_divisor. These determine whether or not garbage collection is even called to clean up an old session. The defaults here are 1/100, meaning that you have a 1% chance (or 1 in every 100 page requests) that garbage collection is even started. If you have pretty high traffic on your site, you can probably leave this alone, otherwise set it to something like 5/100.
Note that session.cache_limiter is actually defaulted to 'nocache'; the session.cache_expire setting has no validity in this case.
I like hawleyjr's idea, and I think it is the likely candidate.
Google returned some pretty interesting results.
- Ollie Saunders
- DevNet Master
- Posts: 3179
- Joined: Tue May 24, 2005 6:01 pm
- Location: UK
probability! PROBABILITY! What use is that?! I can't believe the official GC for sessions is based on probability.
session.gc_probability
Thanks bdlang for your explanations though. Can you explain the relationship between GC and cache expire? If I want to have control over the time to timeout for my sessions, what would I set them all to?
It's a nice idea, but the trouble is you can't rely on it server side.
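Because garbage collection only runs on roughly 1 in 100 requests (the gc_probability/gc_divisor point above) and the cache_expire setting does nothing with the default 'nocache' limiter, the timeout has to be enforced by the application itself. The following is an added example, not code from any poster in this thread: it records the login time and the last request time in $_SESSION and rejects the session once either an idle limit or an absolute limit is exceeded. The constants IDLE_LIMIT and ABSOLUTE_LIMIT and the function names are assumptions chosen for this example; the ini directives are PHP's real session settings.

```php
<?php
// Added example (not from the thread): explicit server-side session timeout.
// PHP's garbage collector only makes expired session files *eligible* for
// removal, and only on about 1 in 100 requests, so the limit is enforced
// here by checking timestamps stored in $_SESSION on every request.
// IDLE_LIMIT and ABSOLUTE_LIMIT are assumed values for this example.

const IDLE_LIMIT     = 10 * 60;  // log out after 10 minutes without a request
const ABSOLUTE_LIMIT = 60 * 60;  // never keep a login longer than 1 hour

// Keep the GC settings consistent with the application limit so abandoned
// session files are eventually removed. Must be set before session_start().
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT);
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');
ini_set('session.use_only_cookies', '1'); // ignore session ids passed in the URL
ini_set('session.use_strict_mode', '1');  // reject ids the server never issued

session_start();

/**
 * True if the session has exceeded either the idle or the absolute limit.
 * $now is a parameter so the check can be exercised without waiting.
 */
function session_expired(array $session, int $now): bool
{
    if (!isset($session['login_time'], $session['last_activity'])) {
        return false; // not logged in, nothing to expire
    }
    return ($now - $session['last_activity']) > IDLE_LIMIT
        || ($now - $session['login_time']) > ABSOLUTE_LIMIT;
}

/** Call once, after the password check has succeeded. */
function login_user(int $userId): void
{
    // Fresh id on privilege change so a pre-login id cannot be reused.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['login_time']    = time();
    $_SESSION['last_activity'] = time();
}

/** Destroy the session completely: data, server-side file and cookie. */
function logout_user(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/**
 * Run at the top of every protected page. Returns the user id, or null
 * if the visitor is not logged in or the session has timed out.
 */
function current_user(): ?int
{
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (session_expired($_SESSION, time())) {
        logout_user();
        return null;
    }
    $_SESSION['last_activity'] = time(); // sliding idle window
    return $_SESSION['user_id'];
}

// Typical use on a protected page:
// $uid = current_user();
// if ($uid === null) { header('Location: /login.php'); exit; }
```

With this in place the GC settings only decide when stale files are cleaned from disk; whether a user is still logged in is decided by session_expired() on every request, which is the part you can rely on server side.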