Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
I'm trying to set my session cookies to expire in 15 minutes. Can anyone help me configure my php.ini file to ensure that my session cookies expire at the time I specify?
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 900
Above is what I changed. Is this correct? I log in to my secure area and wait 15 mins. Nothing times out. I am still logged in. I even try to close and reopen my browser... still, I have access when I should not.
Check to ensure the cookie came across like you expect. Browsers aren't required to delete the cookie at the time it was specified to expire. You may need to supplement this with a possibly more reliable php way, like the "who's online" functionality we've talked about gobs of times.
Actually, each time I visit the page the cookie gets reset to another 15 mins??
As far as the cookie being as expected, it's just the session cookie generated by PHP. It's not a cookie I've written manually.
Using Firefox I am able to view the cookie's contents just fine. What I can see is that the cookie shows up and has an expire time of 15 mins (900 secs) beyond the login time. Once that time is met and I check the cookie again, the time is reset to another 15 mins?
If you refresh the page, or any page/request that uses the session, the time to expire will refresh, provided the session cookie is passed to the server, which is entirely up to the browser.
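Since browsers are not obliged to drop an expired cookie, the "more reliable PHP way" mentioned above is to track the last request time on the server and end the session yourself. The following is an added example, not code from the thread; it assumes the login code stores a hypothetical $_SESSION['user_id'] and that /login.php is the login page.

```php
<?php
// Added example: server-side idle timeout for a PHP session.
// Access no longer depends on the browser honouring the cookie expiry.

const IDLE_TIMEOUT = 900; // seconds, matching session.cookie_lifetime = 900

// Keep the cookie lifetime in step with the server-side idle window.
// Note: session.gc_maxlifetime only controls garbage collection, which is
// probabilistic, so it cannot be relied on for a precise timeout either.
ini_set('session.cookie_lifetime', (string) IDLE_TIMEOUT);
ini_set('session.cookie_httponly', '1');  // cookie not readable by JavaScript
ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued

session_start();

$now  = time();
$last = $_SESSION['last_activity'] ?? null;

if ($last !== null && ($now - $last) > IDLE_TIMEOUT) {
    // Idle too long: wipe the server-side data, expire the cookie,
    // and send the user back to the login page.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /login.php?reason=timeout'); // hypothetical login page
    exit;
}

// Active request: slide the idle window forward. This mirrors what the
// thread observed, the expiry being refreshed on every request that
// carries the session cookie, but now the server enforces it.
$_SESSION['last_activity'] = $now;

if (!isset($_SESSION['user_id'])) {  // hypothetical key set at login
    header('Location: /login.php');
    exit;
}
// ... protected page content follows ...
```

Include this at the top of every protected page (or in a shared bootstrap file) so the check runs before any content is sent.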
Well, so actually, as long as a user is active they remain logged in because the session keeps an "idle" timer, so to speak.
So, if someone gets the page and leaves it for the 15 mins and attempts to return, they will be required to login again? Right?
Now, if they log in, leave the page, and request that secure page again before the 15 mins, they will still be granted access?
Yeah, I see it now. I guess I was not understanding how session cookies work in PHP.
This thread is resolved now that I understand how they (session cookies) work.