session time outs for a login system

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

dnk
Forum Newbie
Posts: 6
Joined: Fri Jun 27, 2008 11:23 am

session time outs for a login system

Post by dnk »

Hi there....

I am just starting to use sessions in one of my apps (PHP back-end with a flex front-end).

Now since I have a client app that navigates within itself and not php pages, I am wondering how PHP keeps its sessions alive? Meaning I would assume that in a typical PHP only environment anytime you hit a page with a "session_start" it extends the garbage collection and the time out is started over. Is this correct?

So then in my case, every time a call is made back to my server (and php) my php session would be extended... correct (since my php gateway calls a "session_start" with every other function call)?

I know this may fall outside the normal posting here as this instance also includes flex. But I am more so looking for the PHP info.

Thanks!
dyluck
Forum Commoner
Posts: 54
Joined: Thu Jun 26, 2008 1:44 pm

Re: session time outs for a login system

Post by dyluck »

First of all I WISH I WAS YOU!!! I want to learn flex so badly!

Secondly, I would pass a cookie for time out... Session expiry times are server globals as far as I know. So if you decided to have your site hosted on a professional hosting service, you would no longer have control over how long your sessions are open... Unless you are good with .htaccess files. I would set a cookie to expire and then refresh the cookie time on the next page load. I would put the cookie variable as a hashed code in a database and then just pull the cookie variable and compare your cookie variable with the hashed variable in your database (for security). This way you have more control over expiry times. I would just use session variables for extra security.

Good luck!!
dnk
Forum Newbie
Posts: 6
Joined: Fri Jun 27, 2008 11:23 am

Re: session time outs for a login system

Post by dnk »

Yeah, I like it a lot, and love the fact that I can use PHP with it. However my PHP skills are rusty. As for the .htaccess and server stuff, I am running it myself in a data center, so I have full access to all things.
dyluck
Forum Commoner
Posts: 54
Joined: Thu Jun 26, 2008 1:44 pm

Re: session time outs for a login system

Post by dyluck »

Well, if you want to set your session timeout, you need to set that on your server end.
Are you using Apache?

I still recommend using cookies for this though...
dnk
Forum Newbie
Posts: 6
Joined: Fri Jun 27, 2008 11:23 am

Re: session time outs for a login system

Post by dnk »

I have not used them much, so I will look into that!

Much appreciated.

d
dyluck
Forum Commoner
Posts: 54
Joined: Thu Jun 26, 2008 1:44 pm

Re: session time outs for a login system

Post by dyluck »

No problem, here is some basic cookie code.

Code:

<?php
// Checking for a cookie
if (!isset($_COOKIE['mycookie'])) {
    return false;
} else {
    // Retrieve cookie information
    $cookievar = $_COOKIE['mycookie'];
}

// Setting a cookie
$expiry = 3600 + time();  // expiry is an absolute Unix timestamp in seconds; this is 1 hour from now
$cookievar = $_GET['postvariable'];  // or whatever you want to put in your cookie (hashed random number maybe?)
$domain = '.mydomain.com';  // change mydomain to your domain name; this lets the cookie be read domain-wide instead of just in the folder where it is set. If you do not want this, just drop the ", $domain" argument below.
// The cookie name has to be a quoted string, not a bare word
setcookie('mycookie', $cookievar, $expiry, "/", $domain);

// Killing a cookie
$kill = time() - 3600;  // sets the expiry to an hour in the past, essentially expiring the cookie instantly
setcookie('mycookie', '', $kill, "/", $domain);
 
dnk
Forum Newbie
Posts: 6
Joined: Fri Jun 27, 2008 11:23 am

Re: session time outs for a login system

Post by dnk »

ok, this looks easy enough to implement into my scripts.... now my one question is.... how do I keep the cookie from expiring if a user needs to be logged in longer than the hour? I guess just refresh the time on the cookie with each service call I make to the php classes.....
dyluck
Forum Commoner
Posts: 54
Joined: Thu Jun 26, 2008 1:44 pm

Re: session time outs for a login system

Post by dyluck »

You can do it one of two ways (the second more recommended)

1. Change the cookie time setting in seconds to whatever you want. 3600 is just 1 hour, but you can set it for however long you want; just change the time in seconds to be longer.

2. Figure out how long you want the person to be inactive before the cookie expires, and after any page load, call a create cookie command and set it to the expiry time you desire. This is better because the session will last all day if someone keeps doing stuff; otherwise it will expire in the set inactivity time.

I hope you understand what I mean. Let me know if you need examples.
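Here is an added worked example (not code from anyone in this thread) that puts together dyluck's two suggestions: the cookie holds a random token whose hash is stored server-side, and each valid request pushes the expiry forward (option 2). The cookie name, the timeout, the domain and the in-memory $tokenStore standing in for a database table are assumptions made for the example.

```php
<?php
// Added example: cookie-based login token with only its hash stored server-side,
// and a sliding inactivity window. Names and values below are assumptions.

const TOKEN_COOKIE  = 'authtoken';      // assumed cookie name
const IDLE_TIMEOUT  = 3600;             // 1 hour of inactivity
const COOKIE_DOMAIN = '.mydomain.com';  // placeholder domain from the thread

// Stand-in for a database table (constructed for this example):
// token_hash => ['user_id' => int, 'expires' => unix time]
$tokenStore = [];

function cookieOptions(int $expires): array {
    return [
        'expires'  => $expires,
        'path'     => '/',
        'domain'   => COOKIE_DOMAIN,
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from script, limits XSS impact
        'samesite' => 'Lax',
    ];
}

// Call after the password check succeeds. Only the hash is stored, so a
// leaked table does not hand out usable cookies.
function issueToken(array &$store, int $userId): string {
    $token   = bin2hex(random_bytes(32));          // 256-bit random token
    $expires = time() + IDLE_TIMEOUT;
    $store[hash('sha256', $token)] = ['user_id' => $userId, 'expires' => $expires];
    setcookie(TOKEN_COOKIE, $token, cookieOptions($expires));
    return $token;
}

// Run on every service call. Returns the user id, or null if not logged in.
// On success the deadline moves forward, both in the store and in the cookie.
function validateAndRefresh(array &$store): ?int {
    if (!isset($_COOKIE[TOKEN_COOKIE])) {
        return null;
    }
    $token = $_COOKIE[TOKEN_COOKIE];
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;                               // malformed, ignore it
    }
    $key = hash('sha256', $token);                 // lookup by hash, never by raw token
    if (!isset($store[$key])) {
        return null;
    }
    if ($store[$key]['expires'] < time()) {
        unset($store[$key]);                       // stale: drop it and clear the cookie
        setcookie(TOKEN_COOKIE, '', cookieOptions(time() - 3600));
        return null;
    }
    $expires = time() + IDLE_TIMEOUT;
    $store[$key]['expires'] = $expires;
    setcookie(TOKEN_COOKIE, $token, cookieOptions($expires));
    return $store[$key]['user_id'];
}

// Explicit logout: remove the server-side record and expire the cookie.
function logout(array &$store): void {
    if (isset($_COOKIE[TOKEN_COOKIE])) {
        unset($store[hash('sha256', $_COOKIE[TOKEN_COOKIE])]);
    }
    setcookie(TOKEN_COOKIE, '', cookieOptions(time() - 3600));
}
```

The point of checking the server-side expiry as well as the cookie's is that the cookie expiry is only advisory: the client can send a cookie long after it should have been discarded, so the server's copy of the deadline is what actually decides. The options array form of setcookie() needs PHP 7.3 or later; on older versions pass the path, domain, secure and httponly arguments positionally.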
dnk
Forum Newbie
Posts: 6
Joined: Fri Jun 27, 2008 11:23 am

Re: session time outs for a login system

Post by dnk »

ok, I got it working pretty good for expiring the session.....

So with my php class that is called, I can get the system to time out. I added a function to my php class that would add more time to my cookie that expires. This way when other service calls are made, I simply add this function in too, to keep my login alive. Now for some reason my cookie is always timing out on the original value.

I am sure I am missing something simple though.

All my function in my class does is something like:

Code:

function refreshCookie() {
        // retrieve cookie information
        $cookievar = $_COOKIE['thecookie'];
        // 20 seconds
        $expiry = time() + 20;
        setcookie($cookiename, $cookievar, $expiry, "/", $domain);
        $rez = "New Cookie Time is: ". $expiry;
        return $rez;
    }

Any ideas?

My low 20 second time is simply for testing.
crmalibu
Forum Newbie
Posts: 5
Joined: Sat Jul 05, 2008 12:53 am

Re: session time outs for a login system

Post by crmalibu »

I'd take a different approach and just use pure php sessions for this, since it's quite capable of it.

For starters, create a dedicated directory for php to save its session files to for this application. Tell php to use this directory by setting session.save_path (php.ini, .htaccess, or ini_set()). The reason for doing this is so that any other users on the server, or any other scripts, won't have their own session behavior interfering with this.

Set session.gc_maxlifetime to the maximum amount of time you would want an inactive session to remain valid for. Every time session_start() is called, php reads the session file, which updates the file's access time. php's session garbage collection is started randomly (although it can be controlled if really needed), and when it starts, it deletes all session files that have not been accessed in the last session.gc_maxlifetime seconds. Make sure it's long enough; the default is only 1440.

To force a max inactive timeout, use php code.

Code:

<?php
session_start();
$timeout = 3600;  // max inactivity in seconds
if (isset($_SESSION['accesstime']) && $_SESSION['accesstime'] < time() - $timeout) {
    // expired, handle it (e.g. session_unset() and session_destroy(), then require a new login)
} else {
    $_SESSION['accesstime'] = time();
}
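Below is an added, fuller version of the pure-session approach described in this post; it is an example written for this page, not crmalibu's or anyone else's code. The save path, the two timeouts and the JSON error reply are assumptions. It adds the pieces a login gateway usually needs around the inactivity check: a private save_path, gc_maxlifetime set no shorter than the application timeout, an absolute lifetime cap, id regeneration on login, and a destroy routine that also clears the cookie.

```php
<?php
// Added example: server-side session timeout using PHP's own session handler.
// Paths and timeouts are assumptions chosen for illustration.

const IDLE_TIMEOUT = 3600;       // max inactivity in seconds
const ABS_LIFETIME = 8 * 3600;   // hard cap regardless of activity
const SAVE_PATH    = '/var/lib/php/sessions/myapp'; // private dir, mode 0700, owned by the web user

function startSession(): void {
    // Separate directory so other apps' gc settings cannot delete our files.
    ini_set('session.save_path', SAVE_PATH);
    // gc must not remove files sooner than the app-level timeout does.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    // Reject ids the server did not issue (blocks session fixation via a supplied id).
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie; the server decides expiry
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Returns true if the session is still valid; destroys it otherwise.
function enforceTimeouts(): bool {
    $now    = time();
    $idle   = isset($_SESSION['last_access']) && $_SESSION['last_access'] < $now - IDLE_TIMEOUT;
    $tooOld = isset($_SESSION['created'])     && $_SESSION['created']     < $now - ABS_LIFETIME;
    if ($idle || $tooOld) {
        endSession();
        return false;
    }
    $_SESSION['last_access'] = $now;          // sliding window: each call extends it
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }
    return true;
}

// Call after a successful password check.
function loginUser(int $userId): void {
    session_regenerate_id(true);              // fresh id; the pre-login file is deleted
    $_SESSION['user_id']     = $userId;
    $_SESSION['created']     = time();
    $_SESSION['last_access'] = time();
}

// Clears server-side data, expires the cookie, removes the file.
function endSession(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Per-request usage in the gateway that the Flex client calls on every service call:
startSession();
if (!enforceTimeouts() || !isset($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['error' => 'session expired']);
    exit;
}
```

The application-level check is the one that matters: garbage collection only runs with the probability set by session.gc_probability/session.gc_divisor, so an idle session file can survive well past gc_maxlifetime, and a request that arrives before gc runs would otherwise be accepted. The array form of session_set_cookie_params() and the samesite key need PHP 7.3 or later.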
 
dnk
Forum Newbie
Posts: 6
Joined: Fri Jun 27, 2008 11:23 am

Re: session time outs for a login system

Post by dnk »

Any advantage to doing it this way over a cookie method?

I have a cookie method working, but want to do it the "proper" way (Subject to personal preference i know).
dyluck
Forum Commoner
Posts: 54
Joined: Thu Jun 26, 2008 1:44 pm

Re: session time outs for a login system

Post by dyluck »

Hey dnk

Don't know if you are still watching this post. Sessions as suggested below are ok... keeping a session active would work great! Here are both examples of what I think you want to accomplish:

Code:

function refreshCookie() {
        // retrieve cookie information
        $cookievar = $_COOKIE['thecookie'];
        // the domain must be set inside the function; variables from the calling scope are not visible here
        $domain = '.mydomain.com';
        // 20 seconds
        $expiry = time() + 20;
        setcookie("thecookie", $cookievar, $expiry, "/", $domain);
        $rez = "New Cookie Time is: ". $expiry;
        return $rez;
    }
Or like below: (made some changes to suit what you are doing)

Code:

<?php
session_start();
$timeout = 20;
// here accesstime holds the deadline, not the time of the last access
if (isset($_SESSION['accesstime']) && $_SESSION['accesstime'] < time()) {
    // expired, handle it
    die('your session has expired');
} else {
    // keep alive: push the deadline forward
    $_SESSION['accesstime'] = time() + $timeout;
    echo 'Your session is still alive! for '.$timeout.' seconds';
}
Cheers