session timeout

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


scatty1985
Forum Newbie
Posts: 24
Joined: Fri Dec 18, 2009 8:57 am

session timeout

Post by scatty1985 »

Hi,

I'm trying to use session timeout to log a user out if they have been inactive for a period of time. I've been using this idea to play about with sessions and challenge response authentication. I wanted to include a facility to time out a session after say 5 minutes.

I tried adding the following to the login.php file where the session is first created. However, the session never seems to time out.

Code:

<?php
ini_set('session.gc_maxlifetime', 30); // Session lifetime
session_start();
// ....
?>
Can anyone offer any help as to what I'm doing wrong?

Thanks!
AbraCadaver
DevNet Master
Posts: 2572
Joined: Mon Feb 24, 2003 10:12 am
Location: The Republic of Texas

Re: session timeout

Post by AbraCadaver »

There are other settings which control the session garbage collection. You also might look at session_set_cookie_params(). I personally would set a session var to the current time and then check that on each page load and if the session var time +300 is >= the current time then session_destroy().
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session timeout

Post by kaisellgren »

You could include a timestamp within the session that you will use to compare against the current page reload time to see if the last attempt was made over 5 minutes ago.

Or you could just set session.cookie_lifetime to 5 minutes.
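Added example (not code from the thread) of the server-side check that both replies above describe, using the 5-minute limit from the question; it assumes a file included at the top of every page, a login.php to redirect to, and PHP 7.3 or later for the samesite cookie option. A cookie lifetime on its own only tells the browser when to discard the cookie; the server keeps honouring the session until it is destroyed or garbage-collected, so the idle check has to run on the server.

```php
<?php
// Added example (not from the thread): idle timeout enforced on every
// request. session.gc_maxlifetime only tells the garbage collector when a
// session *may* be removed, and GC runs with probability
// gc_probability/gc_divisor (1 in 100 by default), so it is not a timeout.
const IDLE_LIMIT     = 300;      // 5 minutes without a request, as asked
const ABSOLUTE_LIMIT = 8 * 3600; // hard cap on total session age

// Keep the cookie a browser-session cookie (lifetime 0): PHP only sends
// the cookie when the session is created or its id is regenerated, so a
// fixed lifetime would cut off an active user after that many seconds.
// The check below is what actually ends idle sessions, on the server.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'httponly' => true,                     // no access from script
    'secure'   => isset($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
    'samesite' => 'Lax',                    // PHP 7.3+ option
]);
session_start();

$now = time();
$idle_too_long = isset($_SESSION['last_seen'])
    && ($now - $_SESSION['last_seen']) >= IDLE_LIMIT;
$too_old = isset($_SESSION['created'])
    && ($now - $_SESSION['created']) >= ABSOLUTE_LIMIT;

if ($idle_too_long || $too_old) {
    // Drop the data, the cookie and the server-side record, then send the
    // user to the login page. The session is already gone at this point,
    // so do not bounce through a logout page that itself needs a session.
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    header('Location: login.php?reason=timeout');
    exit;
}

if (!isset($_SESSION['created'])) {
    $_SESSION['created'] = $now;          // first request of this session
}
$_SESSION['last_seen'] = $now;            // every request restarts the clock
```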
rufio1717
Forum Newbie
Posts: 13
Joined: Fri Feb 12, 2010 3:56 pm

Re: session timeout

Post by rufio1717 »

Put this on the top of every page

Code:

<?php
// Put this at the top of every page, before any output is sent.
session_start();

// set timeout period in seconds
$inactive = 900;

// check to see if $_SESSION['timeout'] is set
if (isset($_SESSION['timeout'])) {
    $session_life = time() - $_SESSION['timeout'];
    if ($session_life >= $inactive) {
        // Unset all of the session variables.
        $_SESSION = array();

        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]
            );
        }

        // Finally, destroy the session.
        session_destroy();
        header("Location: logout.php");
        exit;
    }
}

// Record this request so the inactivity clock restarts on every page load;
// without this the timestamp is never set and the check above never fires.
$_SESSION['timeout'] = time();
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: session timeout

Post by timWebUK »

Slightly off topic, but related to the thread you posted.

Is that Challenge-Response method actually a good alternative to SSL... to say for example, implementing an app that people could download, install and when configuring choose SSL (if they have it) and if not, they can choose Challenge-Response?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session timeout

Post by kaisellgren »

@rufio1717: FYI, your code sample is vulnerable to CSRF logouts.

timWebUK wrote: Slightly off topic, but related to the thread you posted.

Is that Challenge-Response method actually a good alternative to SSL... to say for example, implementing an app that people could download, install and when configuring choose SSL (if they have it) and if not, they can choose Challenge-Response?
Challenge-Response is not even an alternative to SSL. What it does is that it prevents passive network attacks. This is insufficient, but better than nothing as long as it does not give a false sense of security.
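Added example (not code from the thread) of how to close the CSRF logout hole kaisellgren points out: a logout.php that only acts on a POST carrying a token tied to the session, so a cross-site GET or auto-submitted form from another origin cannot end the user's session. The function names and the login.php redirect are assumptions; it needs PHP 7.3 or later for the setcookie() options array.

```php
<?php
// Added example (not from the thread): logout.php that a cross-site
// request cannot trigger. A forced logout destroys no data, but it lets a
// third party end sessions at will, so the endpoint only honours a POST
// that carries the token issued to this session.
session_start();

function csrf_token(): string
{
    // One unpredictable token per session, from the CSPRNG.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function logout_token_is_valid(array $post, array $session): bool
{
    $sent = $post['csrf_token'] ?? '';
    return is_string($sent) && isset($session['csrf_token'])
        && hash_equals($session['csrf_token'], $sent); // constant-time compare
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!logout_token_is_valid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Logout refused: missing or wrong token');
    }
    $_SESSION = [];
    $p = session_get_cookie_params();
    unset($p['lifetime']);                         // not a setcookie() option
    setcookie(session_name(), '', ['expires' => time() - 42000] + $p);
    session_destroy();
    header('Location: login.php?reason=logged_out');
    exit;
}

// GET (a link, an image tag, a redirect from elsewhere) changes nothing:
// it only renders the real logout form, token included, so a genuine
// user is still one click away from logging out.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="logout.php">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<button type="submit">Log out</button></form>';
```

Pages that time a session out should destroy it themselves and redirect to the login page rather than to this script, since by then there is no session left to carry the token.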
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: session timeout

Post by timWebUK »

By passive network attacks you mean someone eavesdropping on the packets being sent from a client to the server?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: session timeout

Post by kaisellgren »

timWebUK wrote: By passive network attacks you mean someone eavesdropping on the packets being sent from a client to the server?

An attack that does not alter, modify or otherwise affect the transmission, but intercepts the packets or identifies the occurrence of messages.
rufio1717
Forum Newbie
Posts: 13
Joined: Fri Feb 12, 2010 3:56 pm

Re: session timeout

Post by rufio1717 »

Store your sessions in a table or better yet utilize CodeIgniter's Sessions class