[SOLVED] PHP Sessions Expiring

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

drgnjucr
Forum Commoner
Posts: 30
Joined: Thu Jan 27, 2005 3:06 pm
Location: NJ

Post by drgnjucr »

I'm trying to set my session cookies to expire in 15 minutes. Can anyone help me configure my php.ini file to ensure that my session cookies expire at the time I specify?

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 900

Above is what I changed? Is this correct? I log in to my secure area and wait 15 mins. Nothing times out. I am still logged in. I even try to close and reopen my browser... still, I have access when I should not.

I also turned the auto_start off...

; Initialize session on request startup.
session.auto_start = 0

Can anyone help me out here?

Thanks so much in advance.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Check to ensure the cookie came across like you expect. Browsers aren't required to delete the cookie at the time it was specified to expire. You may need to supplement this with a possibly more reliable php way, like the "who's online" functionality we've talked about gobs of times.

Post by drgnjucr »

** UPDATE **

Actually, each time I visit the page the cookie gets reset to another 15 mins??



As far as the cookie being as expected.. it's just the session cookie generated by PHP. It's not a cookie I've written manually.
Using Firefox I am able to view the cookie and its contents just fine. What I can see is that the cookie shows up and has an expire time of 15 mins (900 secs) beyond the login time. Once that time is met and I check the cookie again, the time is reset to another 15 mins?

Post by feyd »

If you refresh the page, or any page/request that uses the session, the time to expire will refresh, provided the session cookie is passed to the server, which is entirely up to the browser.

Post by drgnjucr »

HHMM...

So what is the most effective way to expire a session?

Post by drgnjucr »

Well, so actually, as long as a user is active they remain logged in because the session keeps an "idle" timer, so to speak.
So, if someone gets the page and leaves it for the 15 mins and attempts to return, they will be required to log in again? Right?
Now, if they log in, leave the page, and request that secure page again before the 15 mins, they will still be granted access?

Post by feyd »

Provided their browser did not delete the cookie when they left, it should still work, yes.

Post by drgnjucr »

Yeah, I see it now. I guess I was not misunderstanding as to how session cookies in PHP.

This thread is resolved now that I understand how they (session cookies) work -
Well, so actually, as long as a user is active they remain logged in because the session keeps an "idle" timer, so to speak.
So, if someone gets the page and leaves it for the 15 mins and attempts to return, they will be required to log in again? Right?
Now, if they log in, leave the page, and request that secure page again before the 15 mins, they will still be granted access?

THANKS!
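
An added example, not code posted by anyone in this thread: a server-side idle timeout of the kind feyd suggests, so that the 15-minute limit is enforced by PHP rather than by the browser honouring the cookie expiry. The `last_activity` key, the function name and `/login.php` are assumptions made for illustration; the timeline in the CLI branch is constructed.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 900; // seconds; the 15 minutes used in the thread

/**
 * Enforce an idle timeout on the server. Returns true and refreshes the
 * activity stamp while the session is live; returns false and empties the
 * session once more than $limit seconds have passed since the last request.
 * 'last_activity' is a key name chosen for this example.
 */
function session_still_valid(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;
    if (is_int($last) && ($now - $last) > $limit) {
        $session = [];                 // drop login state regardless of what the cookie says
        return false;
    }
    $session['last_activity'] = $now;  // sliding window: each request restarts the timer
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed timeline, so the logic can be exercised offline.
    $s  = ['user' => 'demo'];
    $t0 = 1700000000;
    var_dump(session_still_valid($s, $t0));              // first request
    var_dump(session_still_valid($s, $t0 + 600));        // 10 minutes idle
    var_dump(session_still_valid($s, $t0 + 600 + 901));  // 15 min 1 s idle since last request
    var_dump($s);                                        // session contents after the timeout
} else {
    // Web use: call this at the top of every protected page.
    session_start();
    if (!session_still_valid($_SESSION, time())) {
        session_regenerate_id(true);    // discard the old session ID as well
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
}
```

Because the timestamp lives in the session data on the server, a browser that keeps or replays an expired cookie still gets sent back to the login page.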