Session management with PHP

nickk
Forum Newbie
Posts: 7
Joined: Sun Feb 12, 2006 9:56 am

Post by nickk »

I am building an application which has a user system. Security is a must here, and I decided not to use cookies. What I do is session_start() on every page, and once a user has logged in successfully, I simply define a few session variables used to authenticate the user from page to page. My main concern here is that (as far as I know) there is no "time out" for sessions, so if a user logs in and leaves their browser open for an arbitrary amount of time, they will still be "logged in". Is simply using sessions an adequate way to manage users? Basically users should only log in for a short period of time, perform an action (details not important), and log out.

Thanks,
Nick
hawleyjr
BeerMod
Posts: 2170
Joined: Tue Jan 13, 2004 4:58 pm
Location: Jax FL & Spokane WA USA

Post by hawleyjr »

Actually there are session timeouts. You can change it in your ini file. The best way to make sure a user doesn't walk away from their PC for some time is to set JavaScript to run after x minutes and then redirect to a page that will kill their session. Many banks use this type of 'Auto Logoff'.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

session_cache_expire($numMinutes)
may also help.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Session garbage collection time defaults to 10 minutes in PHP. And they use cookies.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

I thought it was 1440 i.e. 24 minutes. And I never did understand what that really was.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

I forget. I thought it was 10 minutes, but it could be 24 minutes.
bdlang
Forum Contributor
Posts: 395
Joined: Tue May 16, 2006 8:46 pm
Location: Ventura, CA US

Post by bdlang »

Just to clarify, the session.gc_maxlifetime setting is defaulted to 1440 (24 minutes, thanks ole), but doesn't necessarily mean anything to your user or your script, because of another set of values: session.gc_probability and session.gc_divisor. These determine whether or not garbage collection is even called to clean up an old session. The defaults here are 1/100, meaning that you have a 1% chance (or 1 in every 100 page requests) that garbage collection is even started. If you have pretty high traffic on your site, you can probably leave this alone, otherwise set it to something like 5/100.

Note that session.cache_limiter is actually defaulted to 'nocache'; the session.cache_expire setting has no validity in this case.

I like hawleyjr's idea, and I think it is the likely candidate.

Google returned some pretty interesting results.
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

session.gc_probability
probability! PROBABILITY! What use is that?! I can't believe the official GC for sessions is based on probability.

Thanks bdlang for your explanations though. Can you explain the relationship between GC and cache expire? If I want to have control over the time to timeout for my sessions what would I set them all to?
"I like hawleyjr's idea, and I think it is the likely candidate."
It's a nice idea but trouble is you can't rely on it server side.
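
Added example, not part of the original thread: one way to enforce an idle timeout on the server, so that logout depends neither on client-side JavaScript nor on whether probabilistic session garbage collection has run. The function names, the session keys `user_id` and `last_activity`, the 10-minute limit and the `/login.php` path are all assumptions made for illustration.

```php
<?php
// Added example: helper names, session keys and limits are hypothetical.
const IDLE_LIMIT = 600; // seconds of inactivity allowed (assumed value)

/**
 * Check the session data against the idle limit at time $now.
 * Refreshes the activity timestamp when the session is still valid,
 * empties the data when it is not. Returns true if the user stays logged in.
 */
function session_still_valid(array &$session, int $now): bool
{
    if (empty($session['user_id'])) {
        return false; // nobody is logged in on this session
    }
    $last = $session['last_activity'] ?? 0;
    if ($now - $last > IDLE_LIMIT) {
        $session = []; // drop the login state regardless of GC
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

/** Call at the top of every protected page, before any output is sent. */
function enforce_timeout(): void
{
    session_start();
    if (!session_still_valid($_SESSION, time())) {
        session_unset();
        session_destroy();
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
}

// Constructed demonstration with fixed timestamps, run only from the CLI.
if (PHP_SAPI === 'cli') {
    $s = ['user_id' => 42, 'last_activity' => 1000];
    var_dump(session_still_valid($s, 1300)); // request 300 s after the last one
    var_dump(session_still_valid($s, 2000)); // next request 700 s later
    var_dump($s);                            // session data after the check
}
```

The login handler would set both keys when authentication succeeds; calling `session_regenerate_id(true)` at that point is the usual companion step.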