Looong Sessions or Auto-Login?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

bertfour
Forum Commoner
Posts: 45
Joined: Fri Mar 07, 2008 7:33 am

Looong Sessions or Auto-Login?

Post by bertfour »

Dear Phpeople,

I am busy with a web app, and (registered) users (may) run into a form they have to fill, and this may take some time...

Probably they will exceed "normal" session lengths, and therefore will be presented with a log-in screen after submitting the form... very frustrating ;)

What would be a good solution? Give them session lengths of, let's say, 20-30 minutes, or give them the opportunity for an auto-login?

Would there be an alternative?

If I make an auto-login, could this be secured or something?

I can just think of:

if no session: check for auto-login cookie; if so, log in. :)
scriptah
Forum Commoner
Posts: 27
Joined: Sat Mar 15, 2008 8:58 pm
Location: Long Island, NY

Re: Looong Sessions or Auto-Login?

Post by scriptah »

I would stick to keeping the session alive instead of taking actions for the client.
You could choose a couple of ways to do so.

1. Using .ini directives (session.gc_maxlifetime and session.cookie_lifetime).

<?php
// Both must be set before session_start(): gc_maxlifetime is how long the server-side data survives idle, cookie_lifetime is how long the browser keeps the cookie.
ini_set( 'session.gc_maxlifetime', ( 60 * 60 * 24 ) );
ini_set( 'session.cookie_lifetime', ( 60 * 60 * 24 ) );
This snippet would keep the session alive for one day.
I wouldn't advise it, as keeping the session alive longer than it is supposed to be is the same as asking for trouble.

2. Use Client Side technologies to keep the session alive.
For example, you could embed an image into the page like this:

<img src="http://ip/example.jpg" id="session_life" />

And set a JavaScript function to be called every 60 seconds to reload the image.

// The image URL must be served by a PHP script that calls session_start(),
// otherwise the request never touches the session and nothing is kept alive.
function keepSessionAlive( image_id ) {
    var obj = document.getElementById( image_id );
    if( obj ) {
        // Strip any previous cache-buster, then append a fresh one so the
        // browser really re-requests the image instead of using its cache
        // (a replace() on '?...' alone does nothing when the src has no '?').
        var base = obj.src.toString().replace( /\?.*$/, '' );
        obj.src = base + '?' + Math.random( );
    }
}

// Poll every 60 seconds; pass a function, not a string, to setInterval.
var interval_id = window.setInterval( function( ) { keepSessionAlive( 'session_life' ); }, 60000 );
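Added example (not code from any post in this thread): the server-side half of the heartbeat scriptah describes. The image (or AJAX) URL points at this script, which refuses to touch a session that is not logged in or has idled past a limit tracked in $_SESSION itself, because session.gc_maxlifetime is only a hint to a probabilistic garbage collector. The key names $_SESSION['user_id'], 'login_at' and 'last_seen', the IDLE_TIMEOUT and ABSOLUTE_MAX values, and PHP 7.3+ (for the array form of session_set_cookie_params) are assumptions of the example.

```php
<?php
// keepalive.php - heartbeat endpoint polled by the page every 60 seconds.
// Added example; assumes the login code stores user_id, login_at and
// last_seen in $_SESSION. Ordinary pages should run the same check.
declare(strict_types=1);

const IDLE_TIMEOUT = 30 * 60;      // no request for 30 min -> logged out
const ABSOLUTE_MAX = 8 * 60 * 60;  // 8 h after login -> logged out regardless

session_set_cookie_params([
    'lifetime' => 0,          // browser-session cookie; lifetime is enforced below
    'path'     => '/',
    'secure'   => true,       // assumes the site is served over HTTPS
    'httponly' => true,       // keep the id away from page scripts
    'samesite' => 'Strict',
]);
// GC must not delete data before the idle limit; the check below is the real limit.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
session_start();

// True only for a logged-in session that is neither idle nor too old.
function session_is_valid(array $s, int $now): bool
{
    if (!isset($s['user_id'], $s['last_seen'], $s['login_at'])) {
        return false;                       // anonymous sessions are not kept alive
    }
    if ($now - (int) $s['last_seen'] > IDLE_TIMEOUT) {
        return false;                       // heartbeat stopped (tab closed, crash)
    }
    if ($now - (int) $s['login_at'] > ABSOLUTE_MAX) {
        return false;                       // a heartbeat cannot extend a login forever
    }
    return true;
}

$now = time();
if (!session_is_valid($_SESSION, $now)) {
    $_SESSION = [];
    session_destroy();
    http_response_code(401);               // lets the page notice and show the login screen
    exit;
}

$_SESSION['last_seen'] = $now;             // touch the session so it survives another interval
header('Cache-Control: no-store');
http_response_code(204);                   // nothing to render; the img or XHR just needs a hit
```

The absolute limit is what stops an open tab from keeping a stolen session id usable indefinitely; the idle limit still ends the session a few minutes after the user actually leaves, which the 24-hour ini setting alone would not.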
devbro
Forum Newbie
Posts: 7
Joined: Tue Mar 18, 2008 11:46 am

Re: Looong Sessions or Auto-Login?

Post by devbro »

If you allow auto-login to be cross-session, then you can use a table in your database that tracks all users and their session IDs.

If the session ID exists but not the session, then create a session for them.

If you are gonna do this, make sure to use IP filtering and nslookup to make sure the people are who they say they are.
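Added example (not code from any post in this thread) of the "table of users and their tokens" idea, done so that the auto-login cookie can be secured as bertfour asked: the cookie holds a random selector plus a random validator, the table stores only a hash of the validator, each token is single-use and rotated, and the token is bound to the user record rather than to an IP address. The auth_tokens table, the column names, the cookie name and the PDO/SQLite setup are invented for the example; it needs PHP 7.3+ and the pdo_sqlite extension to run as-is.

```php
<?php
// remember_me.php - "auto-login" cookie with a split selector:validator token.
// Added example; schema and names are invented. Assumes session_start() was called.
declare(strict_types=1);

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 60 * 60;   // 30 days

function remember_schema(PDO $db): void
{
    $db->exec('CREATE TABLE IF NOT EXISTS auth_tokens (
        selector       TEXT PRIMARY KEY,
        validator_hash TEXT NOT NULL,
        user_id        INTEGER NOT NULL,
        expires_at     INTEGER NOT NULL)');
}

// Issue a token after a successful password login with "remember me" ticked.
// Only a hash of the validator is stored, so a dumped table yields no usable cookie.
function remember_issue(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));    // lookup key, 18 hex chars
    $validator = bin2hex(random_bytes(32));   // the secret, 64 hex chars
    $stmt = $db->prepare('INSERT INTO auth_tokens (selector, validator_hash, user_id, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_TTL]);
    return $selector . ':' . $validator;
}

// Called when there is no live session. Returns the user id to log in, or null.
// The token is consumed either way; the caller issues a fresh one on success.
function remember_consume(PDO $db, ?string $cookie): ?int
{
    if ($cookie === null || !preg_match('/^([0-9a-f]{18}):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                          // malformed: never reaches the database
    }
    $selector  = $m[1];
    $validator = $m[2];
    $stmt = $db->prepare('SELECT validator_hash, user_id, expires_at FROM auth_tokens WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Always delete: a good token is rotated, an expired or replayed one is revoked.
    $db->prepare('DELETE FROM auth_tokens WHERE selector = ?')->execute([$selector]);
    if ((int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the validator.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Known selector, wrong secret: the cookie was tampered with or copied.
        // Revoke every token of that user so the real one stops working too.
        $db->prepare('DELETE FROM auth_tokens WHERE user_id = ?')->execute([$row['user_id']]);
        return null;
    }
    return (int) $row['user_id'];
}

// The "if no session: check for auto-login cookie" step from the question.
function auto_login(PDO $db): void
{
    if (isset($_SESSION['user_id'])) {
        return;
    }
    $userId = remember_consume($db, $_COOKIE[REMEMBER_COOKIE] ?? null);
    if ($userId === null) {
        return;
    }
    session_regenerate_id(true);              // new session id whenever privilege changes
    $_SESSION['user_id']      = $userId;
    $_SESSION['login_at']     = time();
    $_SESSION['via_remember'] = true;         // ask for the password again before sensitive actions
    setcookie(REMEMBER_COOKIE, remember_issue($db, $userId), [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Stand-alone demonstration against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
remember_schema($db);
$cookie = remember_issue($db, 42);
echo remember_consume($db, $cookie) === 42   ? "first use: login ok\n"       : "first use: failed\n";
echo remember_consume($db, $cookie) === null ? "replay: rejected\n"          : "replay: accepted!\n";
echo remember_consume($db, 'garbage') === null ? "malformed: rejected\n"     : "malformed: accepted!\n";
```

The selector/validator split matters because the database lookup is by selector only; the validator is then compared against its hash with hash_equals, so neither a SQL timing difference nor a leaked table gives an attacker a working cookie. Logging out should delete the user's rows, and the via_remember flag lets password-change or payment pages insist on a real password entry.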
bertfour
Forum Commoner
Posts: 45
Joined: Fri Mar 07, 2008 7:33 am

Re: Looong Sessions or Auto-Login?

Post by bertfour »

Yo Devbro,

thanks.

IP filtering and NSlookup.....

<scratches head>
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Re: Looong Sessions or Auto-Login?

Post by Sequalit »

soooo easy to hijack an IP...

I would opt for the reloading of the image, since that would keep the session alive...

or use ajax in the form to update the data as it's being typed? So in the event of a browser crash, they can come back to it. Store it in a temp table that looks exactly like the real table, to keep things separate (or add a new column that says if it's a draft or the real thing).
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Looong Sessions or Auto-Login?

Post by Mordred »

Sequalit wrote: soooo easy to hijack an IP...
Please, Sequalit, tell us how you would do that.
mchaggis
Forum Contributor
Posts: 150
Joined: Mon Mar 24, 2003 10:31 am
Location: UK

Re: Looong Sessions or Auto-Login?

Post by mchaggis »

For someone to use IP spoofing to get into your site, they will be wanting what you are trying to protect pretty badly. It is easy, but not really one for the script kiddies that are commonplace these days.

The reason for not relying on the end user's IP address is that shared IP addresses are common these days. Think about a small company that accesses the internet via broadband: as far as your script is concerned, every different machine you access the script from on that network will have the same IP address.

Using JavaScript to create a heartbeat to keep the session alive is far safer. These days you don't even have to use an image; you could use AJAX to call a remote script which does nothing but say that the session is valid. Prior to AJAX I've used hidden iframes that auto-refresh.

Yet another option is that when they post the data and you discover that their session has expired, you could save all the data that they have just submitted and, after they log back in, simulate the post, although that would require a lot more effort.
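Added example (not code from any post in this thread) of the last option above, "save the data and simulate the post": the form handler parks an expired submission in the fresh anonymous session and sends the user to the login page; after the password check the login page pulls it back out and renders a self-submitting form that re-POSTs it with a live session and a fresh CSRF token. The login URL, the $_SESSION keys, the csrf field name and the one-hour limit are assumptions of the example; the login code must keep $_SESSION contents across session_regenerate_id() for the stash to survive.

```php
<?php
// resubmit.php - keep a form post that arrived after the session expired.
// Added example; assumes session_start() has run and the login page calls
// take_pending_post() after verifying the password.
declare(strict_types=1);

const PENDING_TTL = 60 * 60;   // an hour is plenty to log back in

// Top of the form handler: if the session is gone, stash the POST and redirect.
function stash_post_if_logged_out(string $loginUrl): void
{
    if (isset($_SESSION['user_id'])) {
        return;                                   // still logged in, handle the POST normally
    }
    $url = $_SERVER['REQUEST_URI'] ?? '/';
    // Only replay to a path on this site, never to a protocol-relative '//host'.
    $sameSite = strncmp($url, '/', 1) === 0 && strncmp($url, '//', 2) !== 0;
    if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && $_POST !== [] && $sameSite) {
        $_SESSION['pending_post'] = [
            'url'    => $url,
            'fields' => $_POST,
            'at'     => time(),
        ];
    }
    header('Location: ' . $loginUrl, true, 303);
    exit;
}

// Login page, after the password check: returns the stashed post or null.
function take_pending_post(): ?array
{
    $p = $_SESSION['pending_post'] ?? null;
    unset($_SESSION['pending_post']);             // one attempt only
    if ($p === null || time() - (int) $p['at'] > PENDING_TTL) {
        return null;
    }
    return $p;
}

// Render the "simulated post": hidden fields plus a new CSRF token, auto-submitted.
function replay_form(array $pending, string $csrfToken): string
{
    $h = static function (string $s): string {
        return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    };
    $html = '<form id="replay" method="post" action="' . $h($pending['url']) . '">';
    foreach ($pending['fields'] as $name => $value) {
        if ($name === 'csrf' || !is_scalar($value)) {
            continue;                             // stale token dropped; nested arrays left out here
        }
        $html .= '<input type="hidden" name="' . $h((string) $name)
               . '" value="' . $h((string) $value) . '">';
    }
    $html .= '<input type="hidden" name="csrf" value="' . $h($csrfToken) . '">'
           . '<noscript><button type="submit">Continue</button></noscript>'
           . '</form><script>document.getElementById("replay").submit();</script>';
    return $html;
}

// Login page glue, after session_regenerate_id(true) and setting $_SESSION['user_id']:
//   $pending = take_pending_post();
//   if ($pending !== null) { echo replay_form($pending, $_SESSION['csrf']); exit; }
```

Because the stash lives in whatever anonymous session the expired browser got, a different account logging in at the same browser would inherit it; if the form carries anything sensitive, record the expected user (for example the username typed at login) alongside the stash and discard it on mismatch.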