session timeout

Posted: Sat Dec 19, 2009 9:50 am
by scatty1985
Hi,

I'm trying to use session timeout to log a user out if they have been inactive for a period of time. I've been using this idea to play about with sessions and challenge response authentication. I wanted to include a facility to time out a session after say 5 minutes.

I tried adding the following to the login.php file where the session is first created. However the session never seems to time out.

<?php
ini_set('session.gc_maxlifetime', 30); // Session lifetime
session_start();
....
?>
Can anyone offer any help as to what I'm doing wrong?

Thanks!

Re: session timeout

Posted: Sat Dec 19, 2009 11:42 am
by AbraCadaver
There are other settings which control the session garbage collection. You also might look at session_set_cookie_params(). I personally would set a session var to the current time and then check that on each page load, and if the session var time +300 is >= the current time then session_destroy().

Re: session timeout

Posted: Sun Dec 20, 2009 5:08 am
by kaisellgren
You could include a timestamp within the session that you will use to compare against the current page reload time to see if the last attempt was made over 5 minutes ago.

Or you could just set session.cookie_lifetime to 5 minutes.

Re: session timeout

Posted: Fri Feb 12, 2010 8:47 pm
by rufio1717
Put this on the top of every page

<?php
// set timeout period in seconds
$inactive = 900;
session_start();
// check to see if $_SESSION['timeout'] is set
if (isset($_SESSION['timeout'])) {
    $session_life = time() - $_SESSION['timeout'];
    if ($session_life >= $inactive) {
        // Unset all of the session variables.
        $_SESSION = array();
        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (ini_get("session.use_cookies")) {
            $params = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $params["path"], $params["domain"],
                $params["secure"], $params["httponly"]
            );
        }
        // Finally, destroy the session.
        session_destroy();
        header("Location: logout.php");
        exit;
    }
}
// record this request as the latest activity so the check above has something to compare
$_SESSION['timeout'] = time();
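The timestamp-per-request idea AbraCadaver describes above, which rufio1717's snippet implements, in a hardened form as an added example (not code from any poster in this thread): the expiry rule lives in a pure function so it can be tested without a live session, the cookie is a browser-session cookie because session.cookie_lifetime is enforced only by the client, and the absolute limit, the /logout.php path and PHP 7.4+ are assumptions.

```php
<?php
// Added example, not code from any poster in this thread. Assumes PHP 7.4+,
// HTTPS, and that this file is included before any output on every page.
declare(strict_types=1);

const IDLE_LIMIT     = 300;      // log out after 5 minutes without a request
const ABSOLUTE_LIMIT = 8 * 3600; // hard cap even for active users (assumed value)

// Pure decision function: takes the session array and the current time so the
// rule can be tested without a live session.
function sessionExpired(array $sess, int $now): bool
{
    if (!isset($sess['last_activity'], $sess['created_at'])) {
        return false; // fresh session: nothing to expire yet
    }
    return ($now - $sess['last_activity']) >= IDLE_LIMIT
        || ($now - $sess['created_at']) >= ABSOLUTE_LIMIT;
}

function startTimedSession(): void
{
    // gc_maxlifetime only says when the collector *may* delete a stale session;
    // it runs probabilistically, so the real check happens below, server-side.
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_set_cookie_params([
        'lifetime' => 0,        // cookie_lifetime is enforced by the browser only
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    if (sessionExpired($_SESSION, $now)) {
        $_SESSION = [];
        $p = session_get_cookie_params();
        unset($p['lifetime']);                                   // not a setcookie() option key
        setcookie(session_name(), '', ['expires' => $now - 42000] + $p); // drop client cookie
        session_destroy();
        header('Location: /logout.php?reason=timeout');
        exit;
    }
    $_SESSION['created_at']    ??= $now;  // set once, on first request
    $_SESSION['last_activity'] = $now;    // refreshed on every request
}

startTimedSession();
```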

Re: session timeout

Posted: Sat Feb 13, 2010 7:42 am
by timWebUK
Slightly off topic, but related to the thread you posted.

Is that Challenge-Response method actually a good alternative to SSL... to say for example, implementing an app that people could download, install and when configuring choose SSL (if they have it) and if not, they can choose Challenge-Response?

Re: session timeout

Posted: Tue Feb 16, 2010 4:35 am
by kaisellgren
@rufio1717: FYI, your code sample is vulnerable to CSRF logouts.

timWebUK wrote: Slightly off topic, but related to the thread you posted.

Is that Challenge-Response method actually a good alternative to SSL... to say for example, implementing an app that people could download, install and when configuring choose SSL (if they have it) and if not, they can choose Challenge-Response?

Challenge-Response is not even an alternative to SSL. What it does is that it prevents passive network attacks. This is insufficient, but better than nothing as long as it does not give a false sense of security.

Re: session timeout

Posted: Tue Feb 16, 2010 5:20 am
by timWebUK
By passive network attacks you mean someone eavesdropping on the packets being sent from a client to the server?

Re: session timeout

Posted: Wed Feb 17, 2010 1:26 am
by kaisellgren
timWebUK wrote: By passive network attacks you mean someone eavesdropping on the packets being sent from a client to the server?

An attack that does not alter, modify or otherwise affect the transmission, but intercepts the packets or identifies the occurrence of messages.

Re: session timeout

Posted: Tue Jun 29, 2010 10:45 pm
by rufio1717
Store your sessions in a table or, better yet, utilize CodeIgniter's Sessions class.