
[SOLVED] PHP Sessions Expiring

Posted: Mon Feb 07, 2005 12:55 pm
by drgnjucr
I'm trying to set my session cookies to expire in 15 minutes. Can anyone help me configure my php.ini file to ensure that my session cookies expire at the time I specify?

Code:

; Lifetime in seconds of cookie or, if 0, until browser is restarted.
session.cookie_lifetime = 900

Above is what I changed? Is this correct? I log in to my secure area, and wait 15 mins. Nothing times out. I am still logged in. I even try to close and reopen my browser... still, I have access when I should not.

I also turned the auto_start off...

Code:

; Initialize session on request startup.
session.auto_start = 0

Can anyone help me out here?

Thanks so much in advance.

Posted: Mon Feb 07, 2005 1:03 pm
by feyd
Check to ensure the cookie came across like you expect. Browsers aren't required to delete the cookie at the time it was specified to expire. You may need to supplement this with a possibly more reliable php way, like the "who's online" functionality we've talked about gobs of times.

Posted: Mon Feb 07, 2005 1:09 pm
by drgnjucr
** UPDATE **

Actually, each time I visit the page the cookie gets reset to another 15 mins??



As far as the cookie being as expected... it's just the session cookie generated by PHP. It's not a cookie I've written manually.
Using Firefox I am able to view the cookie and its contents just fine. What I can see is that the cookie shows up and has an expire time of 15 mins (900 secs) beyond the login time. Once that time is met and I check the cookie again, the time is reset to another 15 mins?

Posted: Mon Feb 07, 2005 1:11 pm
by feyd
If you refresh the page, or any page/request that uses the session, the time to expire will refresh, provided the session cookie is passed to the server... which is entirely up to the browser.

Posted: Mon Feb 07, 2005 1:13 pm
by drgnjucr
HHMM...

So what is the most effective way to expire a session?

Posted: Mon Feb 07, 2005 1:16 pm
by drgnjucr
Well, so actually, as long as a user is active they remain logged in because the session keeps an "idle" timer... so to speak.
So, if someone gets the page and leaves it for the 15 mins and attempts to return, they will be required to log in again? Right?
Now, if they log in, leave the page, and request that secure page again before the 15 mins... they will still be granted access?

Posted: Mon Feb 07, 2005 1:22 pm
by feyd
Provided their browser did not delete the cookie when they left, it should still work, yes.

Posted: Mon Feb 07, 2005 2:33 pm
by drgnjucr
Yeah, I see it now. I guess I was not misunderstanding as to how session cookies in PHP.

This thread is resolved now that I understand how they (session cookies) work -
Well, so actually, as long as a user is active they remain logged in because the session keeps an "idle" timer... so to speak.
So, if someone gets the page and leaves it for the 15 mins and attempts to return, they will be required to log in again? Right?
Now, if they log in, leave the page, and request that secure page again before the 15 mins... they will still be granted access?

THANKS!
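
An added example, not part of the original thread: since the browser decides whether an expired cookie is actually dropped, the 15-minute idle limit discussed above can be enforced on the server by storing the last activity time in the session. The `last_activity` key, the function names and `/login.php` are assumptions made for illustration.

```php
<?php
// Added example: server-side idle timeout, independent of cookie expiry.
// All names here (IDLE_LIMIT, last_activity, /login.php) are hypothetical.

const IDLE_LIMIT = 900; // seconds, same value as session.cookie_lifetime in the thread

/**
 * Pure decision function: is the session still within its idle window?
 * $session is the $_SESSION array, $now a Unix timestamp.
 */
function session_is_live(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (!isset($session['last_activity'])) {
        return false; // never logged in, or the marker was never set
    }
    return ($now - (int) $session['last_activity']) <= $limit;
}

/** Call at the top of every protected page. */
function require_live_session(): void
{
    session_start();
    if (!session_is_live($_SESSION, time())) {
        // Expire on the server: clear data, expire the cookie, destroy the store.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
    // Sliding window: each authenticated request restarts the idle timer.
    $_SESSION['last_activity'] = time();
}

// The login handler is assumed to set $_SESSION['last_activity'] = time().

// Constructed check of the decision logic, runnable from the CLI without a session.
if (PHP_SAPI === 'cli') {
    $login = 1107799200; // constructed timestamp
    var_dump(session_is_live(['last_activity' => $login], $login + 600)); // active user
    var_dump(session_is_live(['last_activity' => $login], $login + 901)); // idle too long
    var_dump(session_is_live([], $login));                                // no marker
}
```

With this check in place, a cookie that the browser keeps past its expiry no longer grants access, because the server compares its own stored timestamp on every request.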