Session Timeout

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Session Timeout

Post by sparky753 »

How do I set a session timeout in PHP? Some people suggested changing the 'session.gc_maxlifetime' variable in the 'php.ini' file. The value of that variable in my php.ini file is 1440, which is 24 minutes, but the sessions on my website don't time out for days unless I log off.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

How are you managing your sessions? Specifically, logins and logouts.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The suggestion that we provide is to not mess with the internal settings and instead use a timestamp stored in the session data itself.
sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

This is how I have it set up: as soon as the user logs in, the following lines of code are run. Then on every page that uses this session, I have the session_start() line at the top.

Code:

<?php
session_start();                            // must run before anything is written to $_SESSION
$session['id']=session_id();                // as posted: writes the ID into a plain local array, not into $_SESSION
$_SESSION['username']=$_POST['username'];
$_SESSION['first_name']=$rec['first_name']; // $rec is assumed to be the user's row fetched during login
?>
I agree with you - I would also prefer not to mess with the php.ini file settings and the garbage collection mechanism. Thanks...
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

I'm not sure I see the point of storing the session ID in the session it's associated with.
sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

To be perfectly honest with you, I'm not certain what that line of code does. I think I got this from a snippet of code in some book... what do you suggest then?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

sparky753 wrote:To be perfectly honest with you, i'm not certain what that line of code does.
Since this is the security forum: Why are you using code when you're not certain what it does?
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

feyd wrote:I'm not sure I see the point of storing the session ID in the session it's associated with.
That's funny... I did that for some reason when I started with sessions as well. I have no idea why.
sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

Lol... we probably used the same resource. Gosh! Why is session handling, especially with regard to timeouts, such a hassle in PHP?
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Session handling is a snap when you know how it works. By its very nature, a PHP Session has a unique id that is created by PHP when the session is created. That ID is available throughout the session.
sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

I've got my sessions to work throughout the site. If I can only get it to time out now...
theFool
Forum Newbie
Posts: 17
Joined: Thu Oct 26, 2006 2:00 am
Location: Berlin, DE

Post by theFool »

How often is the script called in a certain amount of time?
By default, garbage collection only deletes void sessions with a probability of 1 in every 100 script calls. Maybe your session data was not erased when you opened the site again.
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews

Post by aaronhall »

Very simple solution, as feyd already pointed out: as soon as the user is authenticated and "logs in", store the timestamp (accessible via time()) as a session variable (this represents the time the user logged in). On every page, calculate how long the user has been logged in, and if this is longer than xxx seconds, kill the session and forward to the login page.
sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

I don't know if I'm doing this right. I have the following lines of code that are run when a user logs in successfully:

Code:

<?php
session_start();                           // the session must be open before $_SESSION is written
$_SESSION['username']=$_POST['username'];
$_SESSION['first_name']=$rec['first_name']; // $rec is assumed to be the user's row fetched during login
$_SESSION['time']=time();                  // login time
$_SESSION['timeout']=time()+300;           // login time plus five minutes
?>
Then, on each page, I check

Code:

if ($_SESSION['time']==$_SESSION['timeout']) {
    // log out and redirect to the login page
}
If this condition is true, it should log out and redirect to the login page, otherwise the user can continue to remain on the page. But it doesn't seem to work...
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Code:

<?php
session_start();
$session_gap = 600; // Ten minutes

if (time() - $_SESSION['time'] > $session_gap)
{
    // it has been more than 10 minutes, kick them out
}
else
{
    // It has not been more than 10 minutes, update their session time
    $_SESSION['time'] = time();
}
?>
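Tying the answers together (feyd's and aaronhall's advice to keep a timestamp in the session data, RobertGonzalez's elapsed-time check directly above, and theFool's point that garbage collection only runs on a fraction of requests), here is an added example that is not code from any of the posters. It enforces both an inactivity timeout and an absolute login lifetime from the script itself, so it does not rely on session.gc_maxlifetime at all, and it clears the session properly on logout. The constant and function names (IDLE_LIMIT, ABSOLUTE_LIMIT, start_session, login_user, logout_user, session_expiry_reason, require_login, gc_run_odds) and the /login.php URL are this example's own assumptions; the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not code from any poster in this thread. It implements the
// timestamp-in-session approach with two limits: an idle timeout that activity
// extends, and an absolute lifetime that it does not. Function and constant
// names and the /login.php URL are this example's own choices.

const IDLE_LIMIT     = 600;       // seconds of inactivity allowed (10 minutes)
const ABSOLUTE_LIMIT = 8 * 3600;  // hard cap on one login, however active the user is

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // The cookie lifetime only tells the browser when to drop the cookie;
        // the server-side check in session_expiry_reason() is the real control.
        session_set_cookie_params([
            'lifetime' => 0,        // discarded when the browser closes
            'httponly' => true,     // not readable from JavaScript
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Call once, after the credentials have been verified.
function login_user(string $username): void
{
    start_session();
    session_regenerate_id(true);   // fresh ID on login; the old data file is deleted
    $now = time();
    $_SESSION['username']      = $username;
    $_SESSION['login_time']    = $now;   // basis for the absolute limit
    $_SESSION['last_activity'] = $now;   // basis for the idle limit
}

// Removes the server-side data and tells the browser to drop the cookie.
function logout_user(): void
{
    start_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Pure decision function: null while the session is valid, otherwise the
// reason it is not. Takes the session array and the clock as arguments so
// it can be exercised from the command line without a web server.
function session_expiry_reason(array $s, int $now): ?string
{
    if (!isset($s['username'], $s['login_time'], $s['last_activity'])) {
        return 'not logged in';
    }
    if ($now - $s['login_time'] > ABSOLUTE_LIMIT) {
        return 'absolute lifetime exceeded';
    }
    if ($now - $s['last_activity'] > IDLE_LIMIT) {
        return 'idle timeout';
    }
    return null;
}

// First thing on every protected page.
function require_login(string $login_url = '/login.php'): void
{
    start_session();
    $now = time();
    $reason = session_expiry_reason($_SESSION, $now);
    if ($reason !== null) {
        logout_user();
        header('Location: ' . $login_url . '?reason=' . rawurlencode($reason));
        exit;   // never fall through into the page body after a redirect
    }
    $_SESSION['last_activity'] = $now;   // sliding window: each request restarts the idle clock
}

// Why gc_maxlifetime alone did not do this job: the collector runs only on a
// random fraction of requests (session.gc_probability / session.gc_divisor,
// 1/100 by default), and when it does run it deletes stored data older than
// gc_maxlifetime rather than deciding whether a particular login is still allowed.
function gc_run_odds(): string
{
    $p = (int) ini_get('session.gc_probability');
    $d = (int) ini_get('session.gc_divisor');
    return ($p > 0 && $d > 0) ? "$p in $d requests" : 'garbage collection disabled';
}

// Offline check of the decision logic with a constructed session array.
if (PHP_SAPI === 'cli') {
    $t0 = 1000000;
    $s  = ['username' => 'sparky', 'login_time' => $t0, 'last_activity' => $t0];
    var_dump(session_expiry_reason($s, $t0 + 599));           // one second inside the idle limit
    var_dump(session_expiry_reason($s, $t0 + 601));           // one second past the idle limit
    $s['last_activity'] = $t0 + 8 * 3600;                      // user kept clicking for eight hours
    var_dump(session_expiry_reason($s, $t0 + 8 * 3600 + 1));  // activity cannot extend the absolute limit
    echo "gc runs on ", gc_run_odds(), "\n";
}
```

Running the file with `php` from the command line exercises session_expiry_reason() on the constructed timestamps and prints the garbage-collection odds from the local php.ini. The comparison that matters is elapsed time (`time() - $_SESSION['last_activity']`), as in RobertGonzalez's post; a test such as `$_SESSION['time'] == $_SESSION['timeout']` compares two values that were both written at login and never change afterwards. The absolute limit is the addition a security reviewer would ask for: a session that is refreshed on every request by an attacker who has stolen its cookie would otherwise stay valid indefinitely.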