Session Timeout

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

sparky753
Forum Commoner
Posts: 51
Joined: Fri Nov 03, 2006 10:39 am

Post by sparky753 »

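I've got it to work. I set the timeout value as a session variable:

Code:

$_SESSION['timeout']=time()+30;

But on the welcome page, I did this:

Code:

// assumes session_start() has already been called on this page
// read the stored timeout back from the session
$timeout = $_SESSION['timeout'];
$timenow = time();

if ($timenow>$timeout)
{
    // timeout reached: clear the session data and destroy the session
    session_unset();
    session_destroy();

    print "not logged in";

    // send the browser back to the login page
    print "<script>";
    print " self.location='login.php';";
    print "</script>";
}
else
{
    print "logged in";
    echo "Current Time".$timenow."\n";
    echo "Timeout". $timeout."\n";

---rest of the page---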
This way, when I logged in successfully, I could see the current time and the timeout time. On refreshing the page repeatedly, I could see the current time increasing by seconds, and when it reached the timeout time, the session was unset and I got logged out.

Thanks for your help, y'all
aaronhall
DevNet Resident
Posts: 1040
Joined: Tue Aug 13, 2002 5:10 pm
Location: Back in Phoenix, missing the microbrews
Post by aaronhall »

You can use header("Location: http://www.mysite.com/login.php") as a more reliable alternative to JS
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Just make sure to call header() before any output is sent to the browser or you will get a 'Headers already sent' warning.
hstraf
Forum Newbie
Posts: 1
Joined: Fri Nov 24, 2006 7:22 am

Post by hstraf »

Hello,

I was just wondering if it's possible to do the opposite. Is it possible to "extend" a session indefinitely?

(ie: I have an "edit form" and sometimes the users take maybe an hour to do their edit. But the problem is that the php session times out after 24 minutes, and so they lose their changes and get upset. Is it possible to keep the session "alive" until they are done?)

Thanks for any advice.
theFool
Forum Newbie
Posts: 17
Joined: Thu Oct 26, 2006 2:00 am
Location: Berlin, DE

Post by theFool »

You can change the value of the gc.maxlifetime in the script.
I am a bit lazy today, so I just copy-paste a comment from http://www.php.net/manual/de/function.s ... expire.php

Code:

info at ericbontenbal dot nl
08-Aug-2006 12:34
you can change the max lifetime for a session with the function ini_set().

<?php
ini_set("session.gc_maxlifetime", "18000");
?>
This will set the max lifetime of the script to 5 hours. You have to use this in every script that you want to change the default lifetime for.

If you want to know the lifetime of your current script, you can use:

<?php
echo ini_get("session.gc_maxlifetime");
?>
Don't forget to change the time value, as 5 hours might be pretty long.
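
Added example (not part of any post in this thread, and not code from php.net): one way to combine the points above into a server-side idle timeout that is checked before any output, redirects with header(), and renews its deadline on every request. IDLE_LIMIT, session_is_expired(), enforce_idle_timeout() and the 'last_activity' key are hypothetical names, and the 1800-second limit is a constructed value.

```php
<?php
// Added example, not code from the thread. IDLE_LIMIT, session_is_expired(),
// enforce_idle_timeout() and the 'last_activity' key are hypothetical names;
// login.php is the page used in the posts above.

const IDLE_LIMIT = 1800; // constructed value: 30 minutes without a request

// Pure expiry check, kept separate so it can be exercised without a session.
function session_is_expired(array $session, int $now, int $limit): bool
{
    // Fail closed: no usable timestamp means the visitor is not logged in.
    if (!isset($session['last_activity']) || !is_int($session['last_activity'])) {
        return true;
    }
    return ($now - $session['last_activity']) > $limit;
}

// Call at the top of every protected page, before any output is sent.
// The login script is assumed to set $_SESSION['last_activity'] = time().
function enforce_idle_timeout(int $limit = IDLE_LIMIT): void
{
    // Keep session data on disk at least as long as the idle limit.
    // Must run before session_start().
    ini_set('session.gc_maxlifetime', (string) $limit);
    session_start();

    if (session_is_expired($_SESSION, time(), $limit)) {
        $_SESSION = [];
        session_destroy();
        header('Location: login.php'); // no output yet, so headers can be sent
        exit;                          // never render the protected page
    }
    // Sliding window: every request from an active user renews the deadline.
    $_SESSION['last_activity'] = time();
}

if (PHP_SAPI === 'cli') {
    // Constructed sample sessions for an offline run of the expiry logic.
    $now = 1700000000;
    var_dump(session_is_expired(['last_activity' => $now - 60], $now, IDLE_LIMIT));
    var_dump(session_is_expired(['last_activity' => $now - 3600], $now, IDLE_LIMIT));
    var_dump(session_is_expired([], $now, IDLE_LIMIT));
} else {
    enforce_idle_timeout();
    echo 'logged in';
}
```

session.gc_maxlifetime only controls when the garbage collector may delete session data; the timestamp check is what enforces the timeout. The deadline is renewed only when a request arrives, so a user who sits on a form without submitting it is still treated as idle.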