Session management with PHP

Posted: Wed Aug 02, 2006 5:21 pm
by nickk
I am building an application which has a user system. Security is a must here, and I decided not to use cookies. What I do is session_start() on every page, and once a user has logged in successfully, I simply define a few session variables used to authenticate the user from page to page. My main concern here is that (as far as I know) there is no "time out" for sessions, so if a user logs in and leaves their browser open for an arbitrary amount of time, they will still be "logged in". Is simply using sessions an adequate way to manage users? Basically users should only log in for a short period of time, perform an action (details not important), and log out.

Thanks,
Nick

Posted: Wed Aug 02, 2006 5:29 pm
by hawleyjr
Actually there are session timeouts. You can change it in your ini file. The best way to make sure a user doesn't walk away from their PC for some time is to set JavaScript to run after x minutes and then redirect to a page that will kill their session. Many banks use this type of 'Auto Logoff'.

Posted: Wed Aug 02, 2006 5:38 pm
by Ollie Saunders

Code:

    session_cache_expire($numMinutes)

may also help.

Posted: Wed Aug 02, 2006 5:45 pm
by RobertGonzalez
Session garbage collection time defaults to 10 minutes in PHP. And they use cookies.

Posted: Wed Aug 02, 2006 6:17 pm
by Ollie Saunders
I thought it was 1440 i.e. 24 minutes. And I never did understand what that really was.

Posted: Wed Aug 02, 2006 6:42 pm
by RobertGonzalez
I forget. I thought it was 10 minutes, but it could be 24 minutes.

Posted: Wed Aug 02, 2006 8:23 pm
by bdlang
Just to clarify, the session.gc_maxlifetime setting is defaulted to 1440 (24 minutes, thanks ole), but doesn't necessarily mean anything to your user or your script, because of another set of values: session.gc_probability and session.gc_divisor. These determine whether or not garbage collection is even called to clean up an old session. The defaults here are 1/100, meaning that you have a 1% chance (or 1 in every 100 page requests) that garbage collection is even started. If you have pretty high traffic on your site, you can probably leave this alone, otherwise set it to something like 5/100.

Note that session.cache_limiter is actually defaulted to 'nocache'; the session.cache_expire setting has no validity in this case.

I like hawleyjr's idea, and I think it is the likely candidate.

Google returned some pretty interesting results.

Posted: Thu Aug 03, 2006 6:46 am
by Ollie Saunders
session.gc_probability

probability! PROBABILITY! What use is that?! I can't believe the official GC for sessions is based on probability.

Thanks bdlang for your explanations though. Can you explain the relationship between GC and cache expire? If I want to have control over the time to timeout for my sessions, what would I set them all to?

I like hawleyjr's idea, and I think it is the likely candidate.

It's a nice idea, but the trouble is you can't rely on it server side.
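One way to get a deterministic idle timeout that does not depend on gc_probability, tying together bdlang's explanation of the GC settings and the point above that a client-side auto-logoff cannot be relied on server side. This is an added example, not code from the thread; the 15-minute limit, the /login.php path and the function names are assumptions.

```php
<?php
// Added example (not from the thread): server-side idle timeout layered on top
// of PHP's garbage-collection settings. All values here are illustrative.

// 1. Make the GC settings match the intended idle timeout. gc_maxlifetime is the
//    age (seconds) after which session data *may* be collected; gc_probability /
//    gc_divisor is the chance that any given request runs the collector at all,
//    so on a low-traffic site raise it (5/100) as bdlang suggests.
ini_set('session.gc_maxlifetime', '900');   // 15 minutes (assumed value)
ini_set('session.gc_probability', '5');
ini_set('session.gc_divisor', '100');
ini_set('session.use_only_cookies', '1');   // never accept a session id from the URL
ini_set('session.cookie_httponly', '1');    // keep the id away from page scripts

session_start();

define('IDLE_TIMEOUT', 900);   // seconds; keep equal to gc_maxlifetime above

// 2. Enforce the timeout in the script itself. GC is probabilistic, so a session
//    can still be readable after gc_maxlifetime has passed; this check does not
//    care whether the collector has run yet.
function enforceIdleTimeout(int $now, int $limit): bool
{
    if (isset($_SESSION['last_activity']) && ($now - $_SESSION['last_activity']) > $limit) {
        // Expired: clear the data, drop the cookie, destroy the server-side record.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now;   // slide the window on every request
    return true;
}

if (!enforceIdleTimeout(time(), IDLE_TIMEOUT)) {
    header('Location: /login.php?reason=timeout');   // assumed login page
    exit;
}

// 3. After a successful credential check, rotate the session id so an id that
//    existed before login cannot be reused, then record the login.
function markLoggedIn(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}
```

If several applications share one session save path, the shortest gc_maxlifetime among them governs collection, which is another reason the in-script check rather than GC is what actually bounds the session's life.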