Looong Sessions or Auto-Login?

Posted: Sat Mar 15, 2008 6:13 pm
by bertfour
Dear Phpeople,

I am busy with a web app, and (registered) users (may) run into a form they have to fill, and this may take some time...

Probably they will exceed "normal" session lengths, and therefore will be presented with a log-in screen after submitting the form... very frustrating ;)

What would be a good solution? Give them session lengths of, let's say, 20-30 minutes, or give them the opportunity for an auto-login?

Would there be an alternative?

If I make an auto-login, could this be secured or something?

I can just think of:

if no session : check for auto-login cookie, if so login. :)

Re: Looong Sessions or Auto-Login?

Posted: Sun Mar 16, 2008 1:09 am
by scriptah
I would stick to keeping the session alive instead of taking actions for the client.
You could choose a couple of ways to do so.

1. Using .ini directives( session.gc_maxlifetime and session.cookie_lifetime ).

ini_set( 'session.gc_maxlifetime', ( 60 * 60 * 24 ) );
ini_set( 'session.cookie_lifetime', ( 60 * 60 * 24 ) );

This snippet would keep the session alive for one day.
I wouldn't advise it, as keeping the session longer than it is supposed to be is the same as asking for trouble.

2. Use Client Side technologies to keep the session alive.
For example, you could embed an image into the page like this:

<img src="http://ip/example.jpg" id="session_life" />

And set a JavaScript function to be called every 60 seconds to reload the image.

function keepSessionAlive( image_id ) {
    var obj = document.getElementById( image_id );
    if( obj ) {
        // append a fresh query string so the browser fetches the image again
        obj.src = obj.src.toString().replace( /\?.*$/, '?' + Math.random( ) );
    }
}

var interval_id = window.setInterval( function () { keepSessionAlive( 'session_life' ); }, 60000 );

Re: Looong Sessions or Auto-Login?

Posted: Tue Mar 18, 2008 11:57 am
by devbro
if you allow for auto-login to be cross session then you can use a db in your database that tracks all users and their session ID.

if session ID exists but not the session then create a session for them.

if you are gonna do this make sure to use IP filtering and nslookup to make sure the people are who they say they are.

Re: Looong Sessions or Auto-Login?

Posted: Tue Mar 18, 2008 1:09 pm
by bertfour
Yo Devbro,

thanks.

IP filtering and NSlookup.....

<scratches head>

Re: Looong Sessions or Auto-Login?

Posted: Thu Mar 27, 2008 6:21 pm
by Sequalit
soooo easy to hi-jack an IP...

I would opt for the reloading of the image, since that would keep the session alive...

or use ajax in the form to update the data as it's being typed? So in the event of a browser crash, they can come back to it. store it in a temp table that looks exactly like the real table, to keep things separate (or add a new column that says if it's a draft or the real thing)
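An added example (not code from this thread) of the client side of Sequalit's suggestion: a debounced draft saver that batches field changes, sends them to a draft endpoint, and keeps unsent changes if the request fails. The `send` function and the timer functions are injected so the same logic runs in a browser (with `fetch` or `XMLHttpRequest` against an assumed `/draft` endpoint) and in a plain Node.js process.

```javascript
// Added example: debounced autosave of form fields to a server-side draft.
// send(batch, done) is supplied by the caller; done(true) marks the batch as
// stored, done(false) keeps it pending for the next attempt.
function createDraftSaver({
  send,
  delayMs = 2000,
  setTimeoutFn = setTimeout,
  clearTimeoutFn = clearTimeout,
}) {
  let timer = null;
  let pending = {};    // fields changed since the last successful save
  let lastSaved = {};  // what the server currently holds for this draft
  let inFlight = false;

  // Send everything pending. Returns true if a request was started.
  function flush() {
    timer = null;
    if (inFlight || Object.keys(pending).length === 0) return false;
    const batch = pending;
    pending = {};
    inFlight = true;
    send(batch, function done(ok) {
      inFlight = false;
      if (ok) {
        Object.assign(lastSaved, batch);
      } else {
        // Put the failed batch back, but let edits made meanwhile win.
        pending = Object.assign({}, batch, pending);
      }
      if (Object.keys(pending).length > 0 && timer === null) {
        timer = setTimeoutFn(flush, delayMs);
      }
    });
    return true;
  }

  // Call from each input's change/keyup handler.
  function onChange(name, value) {
    if (lastSaved[name] === value) {
      delete pending[name]; // user typed back to the saved value
      return;
    }
    pending[name] = value;
    if (timer !== null) clearTimeoutFn(timer);
    timer = setTimeoutFn(flush, delayMs); // restart the quiet-period timer
  }

  return {
    onChange,
    flush,
    snapshot: () => Object.assign({}, lastSaved),
  };
}

// Browser wiring (assumed endpoint; sends the session cookie automatically):
// const saver = createDraftSaver({
//   send: (batch, done) =>
//     fetch('/draft', { method: 'POST', headers: { 'Content-Type': 'application/json' },
//                       body: JSON.stringify(batch) })
//       .then((r) => done(r.ok), () => done(false)),
// });
// form.addEventListener('input', (e) => saver.onChange(e.target.name, e.target.value));
// window.addEventListener('beforeunload', () => saver.flush());

module.exports = { createDraftSaver };
```

On the server the draft endpoint must check that the session is valid and that the draft belongs to the logged-in user, exactly as the final submit would; a draft table with an `is_draft` column or a separate temp table, as Sequalit describes, keeps unfinished data out of the real records until the user submits.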

Re: Looong Sessions or Auto-Login?

Posted: Fri Mar 28, 2008 2:04 am
by Mordred
Sequalit wrote: soooo easy to hi-jack an IP...
Please, Sequalit, tell us how you would do that.

Re: Looong Sessions or Auto-Login?

Posted: Fri Mar 28, 2008 8:29 am
by mchaggis
For someone to use IP Spoofing to get into your site, they will be wanting what you are trying to protect pretty badly. It is easy, but not really one for the script kiddies that are commonplace these days.

The reason for not relying on the end user's IP address is that shared IP addresses are common these days; think about a small company that accesses the internet via broadband: as far as your script is concerned, every different machine you access the script from on that network will have the same IP address.

Using JavaScript to create a heartbeat to keep the session alive is far safer. These days you don't even have to use an image; you could use AJAX to call a remote script whose only job is to say that the session is valid. Prior to AJAX I've used hidden iframes that auto-refresh.

Yet another option is that when they post the data and you discover that their session has expired, you could save all the data they have just submitted and, after they re-login, simulate the post, although that would require a lot more effort.
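An added example (not code from this thread) of the heartbeat that scriptah's image reload and mchaggis's AJAX call both implement, written so the two caveats raised in this thread are built in: the ping only runs while the user is actually active (so an abandoned tab does not hold a session open indefinitely, the trouble scriptah warns about), and the client stops and hands over to a re-login path as soon as the server reports the session gone. `ping`, the timer functions and the `/session-ping` endpoint are injected or assumed, so the logic runs in a browser or in plain Node.js.

```javascript
// Added example: session heartbeat with activity gating and expiry handling.
// ping(done) asks the server whether the session is still valid and calls
// done(true|false); the server-side script should refresh the session and
// return e.g. 200 when logged in, 401 otherwise.
function createHeartbeat({
  ping,
  onExpired,
  intervalMs = 60000,
  isActive = () => true,          // e.g. tab visible and input seen recently
  setIntervalFn = setInterval,
  clearIntervalFn = clearInterval,
}) {
  let id = null;
  let beats = 0;
  let inFlight = false;

  // One heartbeat. Returns true if a ping was sent, false if skipped.
  function beat() {
    if (inFlight || !isActive()) return false; // no pile-ups, no idle keep-alive
    inFlight = true;
    ping(function done(alive) {
      inFlight = false;
      beats += 1;
      if (!alive) {
        stop();       // don't keep hammering a dead session
        onExpired();  // e.g. show the login form without losing the page
      }
    });
    return true;
  }

  function start() {
    if (id === null) id = setIntervalFn(beat, intervalMs);
  }

  function stop() {
    if (id !== null) {
      clearIntervalFn(id);
      id = null;
    }
  }

  return { start, stop, beat, isRunning: () => id !== null, count: () => beats };
}

// Browser wiring (assumed endpoint and activity rule):
// let lastInput = Date.now();
// document.addEventListener('keydown', () => { lastInput = Date.now(); });
// const hb = createHeartbeat({
//   ping: (done) => fetch('/session-ping', { method: 'POST' })
//                     .then((r) => done(r.status === 200), () => done(true)),
//   onExpired: () => alert('Your session has expired; please log in again.'),
//   isActive: () => document.visibilityState === 'visible' &&
//                   Date.now() - lastInput < 10 * 60 * 1000,
// });
// hb.start();

module.exports = { createHeartbeat };
```

Note the network-error branch in the wiring: a failed request calls `done(true)`, because a transient outage is not evidence that the session is gone; only an explicit non-200 answer from the ping script should trigger `onExpired`. The ping endpoint must be a real server request that touches the session (not a cached image), and it should be subject to the same session checks as every other page.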