Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm trying to use session timeout to log a user out if they have been inactive for a period of time. I've been using this idea to play about with sessions and challenge response authentication. I wanted to include a facility to time out a session after say 5 minutes.
I tried adding the following to the login.php file where the session is first created. However the session never seems to time out.
There are other settings which control the session garbage collection. You also might look at session_set_cookie_params(). I personally would set a session var to the current time and then check that on each page load, and if the session var time +300 is >= the current time then session_destroy().
You could include a timestamp within the session that you will use to compare against the current page reload time to see if the last attempt was made over 5 minutes ago.
Or you could just set session.cookie_lifetime to 5 minutes.
session_start();

// set timeout period in seconds
$inactive = 900;

// check to see if $_SESSION['timeout'] is set
if (isset($_SESSION['timeout'])) {
    $session_life = time() - $_SESSION['timeout'];
    if ($session_life >= $inactive) {
        // Unset all of the session variables.
        $_SESSION = array();

        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]
            );
        }

        // Finally, destroy the session.
        session_destroy();
        header("Location: logout.php");
        exit;
    }
}

// Record the time of this request so the next page load measures inactivity from here.
$_SESSION['timeout'] = time();
Slightly off topic, but related to the thread you posted.
Is that Challenge-Response method actually a good alternative to SSL... to say for example, implementing an app that people could download, install and when configuring choose SSL (if they have it) and if not, they can choose Challenge-Response?
@rufio1717: FYI, your code sample is vulnerable to CSRF log outs.
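An added example, not code from any poster in this thread (PHP 7.4+ assumed): it combines the per-request timestamp check suggested above with a logout handler that only acts on a POST carrying a token stored in the session, so a forged cross-site request cannot end the session. A server-side check is needed in any case, because session.cookie_lifetime is only honoured by the browser and does not expire the session record on the server. Function and key names are my own.

```php
<?php
// Added example, not code from the thread: the server-side inactivity check
// suggested above, plus a logout that acts only on a POST with the session's
// CSRF token. Function and key names are assumptions.
const INACTIVE_SECONDS = 300;   // 5 minutes, as the opening post asked for

// Wipe session data, the server-side record and the client cookie.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', ['expires' => time() - 42000,
            'path' => $p['path'], 'domain' => $p['domain'], 'secure' => $p['secure'],
            'httponly' => $p['httponly'], 'samesite' => $p['samesite'] ?: 'Lax']);
    }
    session_destroy();
}

// Call right after session_start() on every page. Returns false (and destroys
// the session) when the previous request is older than INACTIVE_SECONDS;
// otherwise refreshes the stamp and makes sure a CSRF token exists for forms.
function enforce_inactivity_timeout(): bool
{
    $now = time();
    if (isset($_SESSION['last_activity'])
        && $now - (int) $_SESSION['last_activity'] >= INACTIVE_SECONDS) {
        destroy_session();
        return false;
    }
    $_SESSION['last_activity'] = $now;
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return true;
}

// logout.php: a forged GET from another site is ignored; only a POST whose
// token matches the one stored in the session ends it.
function handle_logout(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || !isset($_POST['csrf'], $_SESSION['csrf'])
        || !hash_equals($_SESSION['csrf'], (string) $_POST['csrf'])) {
        return false;
    }
    destroy_session();
    return true;
}

// Usage on every page: session_start(); if (!enforce_inactivity_timeout()) { header('Location: login.php'); exit; }
```

The logout form must include the token as a hidden field named csrf; a bare link to logout.php will no longer end the session.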
timWebUK wrote: Slightly off topic, but related to the thread you posted.
Is that Challenge-Response method actually a good alternative to SSL... to say for example, implementing an app that people could download, install and when configuring choose SSL (if they have it) and if not, they can choose Challenge-Response?
Challenge-Response is not even an alternative to SSL. What it does is that it prevents passive network attacks. This is insufficient, but better than nothing as long as it does not give a false sense of security.