Session Timeout
Posted: Sat Nov 11, 2006 8:45 am
by sparky753
How do I set a session timeout in PHP? Some people suggested changing the 'session.gc_maxlifetime' variable in the 'php.ini' file. The value of that variable in my php.ini file is 1440, which is 24 minutes, but the sessions on my website don't time out for days unless I log off.
Posted: Sat Nov 11, 2006 8:58 am
by RobertGonzalez
How are you managing your sessions? Specifically, logins and logouts.
Posted: Sat Nov 11, 2006 9:05 am
by feyd
The suggestion that we provide is to not mess with the internal settings and instead use a timestamp stored in the session data itself.
Posted: Mon Nov 13, 2006 9:44 am
by sparky753
This is how I have it set up: as soon as the user logs in, the following lines of code are run. Then on every page that uses this session, I have the session_start() line at the top.
<?php
session_start();                       // must run before anything is written to $_SESSION
$_SESSION['id'] = session_id();        // redundant: session_id() is available on every request anyway
$_SESSION['username'] = $_POST['username'];
$_SESSION['first_name'] = $rec['first_name']; // $rec is the user's database row from the login query
?>
I agree with you - I would also prefer not to mess with the php.ini file settings and the garbage collection mechanism. Thanks...
Posted: Mon Nov 13, 2006 2:39 pm
by feyd
I'm not sure I see the point of storing the session ID in the session it's associated with.
Posted: Tue Nov 14, 2006 1:29 pm
by sparky753
To be perfectly honest with you, I'm not certain what that line of code does. I think I got this from a snippet of code in some book... what do you suggest then?
Posted: Tue Nov 14, 2006 1:58 pm
by timvw
sparky753 wrote:To be perfectly honest with you, i'm not certain what that line of code does.
Since this is the security forum: Why are you using code when you're not certain what it does?
Posted: Tue Nov 14, 2006 2:04 pm
by Luke
feyd wrote:I'm not sure I see the point of storing the session ID in the session it's associated with.
That's funny... I did that for some reason when I started with sessions as well. I have no idea why.

Posted: Tue Nov 14, 2006 2:24 pm
by sparky753
Lol...we probably used the same resource. Gosh! Why is session handling, especially in regards to timeouts, such a hassle in PHP?
Posted: Tue Nov 14, 2006 2:25 pm
by RobertGonzalez
Session handling is a snap when you know how it works. By its very nature, a PHP Session has a unique id that is created by PHP when the session is created. That ID is available throughout the session.
Posted: Wed Nov 15, 2006 12:08 pm
by sparky753
I've got my sessions to work throughout the site. If I can only get it to time out now...
Posted: Thu Nov 16, 2006 1:34 am
by theFool
How often is the script called in a certain amount of time?
By default, garbage collection only deletes void sessions with a probability of 1 in every 100 script calls. Maybe your session data was not erased when you opened the site again.
Posted: Thu Nov 16, 2006 5:25 am
by aaronhall
Very simple solution, as feyd already pointed out: as soon as the user is authenticated and "logs in", store the timestamp (accessible via time()) as a session variable (this represents the time the user logged in). On every page, calculate how long the user has been logged in, and if this is longer than xxx seconds, kill the session and forward to the login page.
Posted: Thu Nov 16, 2006 10:39 am
by sparky753
I don't know if I'm doing this right. I have the following lines of code that are run when a user logs in successfully:
<?php
$_SESSION['username']=$_POST['username'];
$_SESSION['first_name']=$rec['first_name'];
$_SESSION['time']=time();
$_SESSION['timeout']=time()+300;
?>
Then, on each page, I check
if ($_SESSION['time']==$_SESSION['timeout'])
If this condition is true, it should log out and redirect to the login page, otherwise the user can continue to remain on the page. But it doesn't seem to work...
Posted: Thu Nov 16, 2006 11:43 am
by RobertGonzalez
<?php
session_start();
$session_gap = 600; // Ten minutes

// $_SESSION['time'] is written at login; a missing value means nobody is logged in,
// so treat it the same as an expired session
if (!isset($_SESSION['time']) || time() - $_SESSION['time'] > $session_gap)
{
    // it has been more than 10 minutes, kick them out
    $_SESSION = [];
    session_destroy();
    header('Location: login.php'); // path of the login page assumed
    exit;
}
else
{
    // It has not been more than 10 minutes, update their session time
    $_SESSION['time'] = time();
}
?>
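The thread's approach (a timestamp kept in the session, checked on every page) put together as a complete example. This is added here, not code posted by anyone in the thread; the function names, the two limits and the /login.php path are assumptions. It adds two things the posts only touch on: an absolute lifetime measured from login (aaronhall's suggestion) alongside the idle timeout (RobertGonzalez's), and a session ID regeneration at login so an ID handed to the browser before authentication is not the one that becomes authenticated.

```php
<?php
// Added example (not from the original thread): application-level session
// expiry instead of relying on session.gc_maxlifetime. IDLE_LIMIT,
// ABSOLUTE_LIMIT, the function names and /login.php are assumed values.
declare(strict_types=1);

const IDLE_LIMIT     = 600;      // log out after 10 minutes without a request
const ABSOLUTE_LIMIT = 8 * 3600; // and unconditionally 8 hours after login

/**
 * Call once, after session_start(), right after the credentials have been
 * verified. Regenerating the ID discards the pre-login ID, so a session ID
 * planted in the browser before authentication does not become a logged-in
 * one. The two timestamps drive the checks below.
 */
function login_session(string $username): void
{
    session_regenerate_id(true);      // true = delete the old session file
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time(); // absolute lifetime starts here
    $_SESSION['last_seen']  = time(); // idle timer starts here
}

/**
 * Decide whether a session is still valid, without touching globals, so the
 * rule is easy to test. Returns null when the session may continue, or a
 * short reason string when it must end.
 */
function session_expiry_reason(array $session, int $now): ?string
{
    if (!isset($session['username'], $session['login_time'], $session['last_seen'])) {
        return 'not logged in';
    }
    if ($now - (int) $session['last_seen'] > IDLE_LIMIT) {
        return 'idle timeout';
    }
    if ($now - (int) $session['login_time'] > ABSOLUTE_LIMIT) {
        return 'absolute lifetime exceeded';
    }
    return null;
}

/**
 * Put this at the top of every protected page, after session_start().
 * On expiry the server-side data is destroyed and the cookie is cleared, so
 * the old ID cannot simply be presented again; then redirect to the login
 * page (/login.php is an assumed path). Activity only extends the idle
 * window; the absolute limit is never pushed forward.
 */
function require_live_session(): void
{
    $reason = session_expiry_reason($_SESSION, time());
    if ($reason !== null) {
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: /login.php?reason=' . urlencode($reason));
        exit;
    }
    $_SESSION['last_seen'] = time();
}

// Usage on a protected page:
//   session_start();
//   require_live_session();
//   echo 'Hello, ' . htmlspecialchars($_SESSION['username']);
```

Note that this never compares two stored timestamps with each other, which is why the earlier check `$_SESSION['time'] == $_SESSION['timeout']` could not work: both values were fixed at login, so the comparison gave the same answer on every request. The expiry decision has to involve the current time.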