session time outs for a login system
Hi there....
I am just starting to use sessions in one of my apps (PHP back-end with a flex front-end).
Now since I have a client app that navigates within itself and not php pages, I am wondering how PHP keeps its sessions alive? Meaning I would assume that in a typical PHP only environment anytime you hit a page with a "session_start" it extends the garbage collection and the time out is started over. Is this correct?
So then in my case, every time a call is made back to my server (and php) my php session would be extended... correct (since my php gateway calls a "session_start" with every other function call)?
I know this may fall outside the normal posting here as this instance also includes flex. But I am more so looking for the PHP info.
Thanks!
Re: session time outs for a login system
First of all I WISH I WAS YOU!!! I want to learn flex so badly!
Secondly, I would pass a cookie for time out... Session expiry times are server globals as far as I know. So if you decided to have your site hosted on a professional hosting service, you no longer will have control over how long your sessions are open... Unless you are good with .htaccess files. I would set a cookie to expire and then refresh the cookie time on the next page load. I would put the cookie variable as a hashed code in a database and then just pull the cookie variable, compare your cookie variable with the hashed variable in your database (for security). This way you have more control over expiry times. I would just use session variables for extra security.
Good luck!!
Re: session time outs for a login system
Yeah, I like it a lot, and love the fact that I can use PHP with it. However my PHP skills are rusty. As for the .htaccess and server stuff, I am running it myself in a data center, so I have full access to all things.
Re: session time outs for a login system
Well, if you want to set your session timeout, you need to set that on your server end.
You using Apache?
I still recommend using cookies for this though...
Re: session time outs for a login system
I have not used them much, so I will look into that!
Much appreciated.
d
Re: session time outs for a login system
No problem, here is some basic cookie code.
Code:
// checking for a cookie
if (!isset($_COOKIE['mycookie'])) {
    return false;
} else {
    // retrieve cookie information
    $cookievar = $_COOKIE['mycookie'];
}

// setting a cookie
$expiry = 3600 + time(); // the time in seconds at which your cookie expires; this is set to 1 hour
$cookievar = $_GET['postvariable']; // or whatever you want to put in your cookie (hashed random number maybe?)
$domain = '.mydomain.com'; // (change mydomain to your domain name) this allows the cookie to be read domain wide instead of just in the folder where it is set. If you do not want this, just remove the ", $domain" from the call below.
setcookie('mycookie', $cookievar, $expiry, "/", $domain); // the cookie name must be a quoted string

// killing a cookie
$kill = time() - 3600; // sets the expiry in the past, essentially expiring the cookie instantly
setcookie('mycookie', $cookievar, $kill, "/", $domain);
Re: session time outs for a login system
OK, this looks easy enough to implement into my scripts.... now my one question is.... how do I keep the cookie from expiring if a user needs to be logged in longer than the hour? I guess just refresh the time on the cookie with each service call I make to the PHP classes.....
Re: session time outs for a login system
You can do it one of two ways (the second more recommended)
1. Change the cookie time setting in seconds to whatever you want. 3600 is just 1 hour but you can set it for however long you want, just change the time in seconds to be longer.
2. Figure out how long you want the person to be inactive before the cookie expires and after any page loads, call a create cookie command and set it to the expiry time you desire. This is better because the session will last all day if someone keeps doing stuff, otherwise it will expire in the set inactivity time.
I hope you understand what I mean. Let me know if you need examples.
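The approach discussed in the posts above (a random cookie value whose hash is kept server-side, with the expiry refreshed on every request), as an added example that is not part of any post in this thread. `$store` stands in for a database table, and `IDLE_SECONDS`, `issueToken` and `checkToken` are hypothetical names; the expiry is tracked on the server because the cookie's own expiry is enforced only by the browser.

```php
<?php
// Added example, not code from the thread. $store stands in for a database
// table (hypothetical); IDLE_SECONDS is an assumed value.
const IDLE_SECONDS = 3600;

// Create a random token; only its SHA-256 hash is stored server-side.
function issueToken(array &$store, string $user, int $now): string
{
    $token = bin2hex(random_bytes(32));
    $store[hash('sha256', $token)] = ['user' => $user, 'expires' => $now + IDLE_SECONDS];
    // The caller sends it to the browser, for example:
    // setcookie('mycookie', $token, ['expires' => $now + IDLE_SECONDS, 'path' => '/',
    //           'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    return $token;
}

// Return the user for a valid token and slide its expiry, or null otherwise.
function checkToken(array &$store, string $token, int $now): ?string
{
    $key = hash('sha256', $token);
    if (!isset($store[$key])) {
        return null;                      // unknown or forged value
    }
    if ($store[$key]['expires'] < $now) {
        unset($store[$key]);              // expired: remove the server-side record
        return null;
    }
    $store[$key]['expires'] = $now + IDLE_SECONDS; // activity extends the login
    return $store[$key]['user'];
}

// Constructed timeline: three requests with the real token, one with a made-up value.
if (PHP_SAPI === 'cli') {
    $store = [];
    $t0 = 1700000000;                     // constructed timestamp
    $token = issueToken($store, 'alice', $t0);
    var_dump(checkToken($store, $token, $t0 + 3000));   // 3000 s after issue
    var_dump(checkToken($store, $token, $t0 + 6000));   // 3000 s after the last request
    var_dump(checkToken($store, $token, $t0 + 10000));  // 4000 s after the last request
    var_dump(checkToken($store, 'made-up-value', $t0)); // value never issued
}
```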
Re: session time outs for a login system
ok, I got it working pretty good for expiring the session.....
So with my PHP class that is called, I can get the system to time out. I added a function to my PHP class that would add more time to my cookie that expires. This way when other service calls are made, I simply add this function in too, to keep my login alive. Now for some reason my cookie is always timing out on the original value.
I am sure I am missing something simple though.
All my function in my class does is something like:
Code:
function refreshCookie() {
    // retrieve cookie information
    $cookievar = $_COOKIE['thecookie'];
    // 20 seconds
    $expiry = time() + 20;
    setcookie($cookiename, $cookievar, $expiry, "/", $domain);
    $rez = "New Cookie Time is: " . $expiry;
    return $rez;
}
Any ideas?
My low 20 second time is simply for testing.
Re: session time outs for a login system
I'd take a different approach and just use pure PHP sessions for this since it is quite capable of it.
For starters, create a dedicated directory for PHP to save its session files to for this application. Tell PHP to use this directory by setting session.save_path (php.ini, .htaccess, or ini_set()). The reason for doing this is so that any other users on the server, or any other scripts, won't have their own session behavior interfering with this.
Set the session.gc_maxlifetime to the maximum amount of time you would want an inactive session to remain valid for. Every time session_start() is called, PHP reads the session file, which updates the file's access time. PHP's session garbage collection is started randomly (although it can be controlled if really needed), and when it starts, it deletes all session files that have not been accessed in the last session.gc_maxlifetime seconds. Make sure it's long enough, default is only 1440.
To force a max inactive timeout, use php code.
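Code:
<?php
session_start(); // required before $_SESSION can be read or written
$timeout = 3600; // maximum inactivity in seconds
if (isset($_SESSION['accesstime']) && $_SESSION['accesstime'] < time() - $timeout) {
    // expired, handle it
} else {
    // still active (or first request): record the time of this access
    $_SESSION['accesstime'] = time();
}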
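The inactivity check from the post above, as an added example that is not part of the original post: it also clears the session and its cookie on expiry, and goes one step further by capping the total session age. `IDLE_TIMEOUT`, `ABSOLUTE_TIMEOUT`, `sessionState`, `touchSession` and the `created` key are hypothetical names with assumed values.

```php
<?php
// Added example, not code from the thread. Both limits are assumed values.
const IDLE_TIMEOUT = 3600;      // seconds of inactivity allowed
const ABSOLUTE_TIMEOUT = 28800; // seconds allowed since the session began

// Pure decision function: classify a session array at time $now.
function sessionState(array $s, int $now): string
{
    if (!isset($s['created'], $s['accesstime'])) {
        return 'new';
    }
    if ($now - $s['accesstime'] > IDLE_TIMEOUT) {
        return 'idle_expired';
    }
    if ($now - $s['created'] > ABSOLUTE_TIMEOUT) {
        return 'absolute_expired';
    }
    return 'active';
}

// Call once per gateway request; returns false when the session has timed out.
function touchSession(): bool
{
    // Keep session files at least as long as the idle limit so GC never removes a live one.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    session_start();
    $now = time();
    $state = sessionState($_SESSION, $now);
    if ($state === 'idle_expired' || $state === 'absolute_expired') {
        $_SESSION = [];                                  // drop server-side data
        setcookie(session_name(), '', $now - 3600, '/'); // expire the browser cookie
        session_destroy();                               // delete the session file
        return false;
    }
    if ($state === 'new') {
        $_SESSION['created'] = $now;
    }
    $_SESSION['accesstime'] = $now;                      // activity resets the idle clock
    return true;
}

// Constructed sample sessions, classified at a constructed timestamp.
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    foreach ([[], ['created' => $now - 100, 'accesstime' => $now - 50],
              ['created' => $now - 9000, 'accesstime' => $now - 4000],
              ['created' => $now - 30000, 'accesstime' => $now - 10]] as $s) {
        echo sessionState($s, $now), PHP_EOL;
    }
}
```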
Re: session time outs for a login system
Any advantage to doing it this way over a cookie method?
I have a cookie method working, but want to do it the "proper" way (subject to personal preference, I know).
Re: session time outs for a login system
Hey dnk
Don't know if you are still watching this post. Sessions as suggested below are ok... keeping a session active would work great! Here are both examples of what I think you want to accomplish:
Code:
function refreshCookie($domain = '') {
    // nothing to refresh if the cookie is absent
    if (!isset($_COOKIE['thecookie'])) {
        return false;
    }
    // retrieve cookie information
    $cookievar = $_COOKIE['thecookie'];
    // 20 seconds
    $expiry = time() + 20;
    // $domain is a parameter because outer variables are not visible inside a function
    setcookie("thecookie", $cookievar, $expiry, "/", $domain);
    $rez = "New Cookie Time is: " . $expiry;
    return $rez;
}
Or like below: (made some changes to suit what you are doing)
Code:
<?php
session_start(); // required before $_SESSION can be read or written
$timeout = 20; // seconds of allowed inactivity
if (isset($_SESSION['accesstime']) && $_SESSION['accesstime'] < time()) {
    // expired, handle it
    die('your session has expired');
} else {
    // keep alive: store the time at which the session will expire
    $_SESSION['accesstime'] = time() + $timeout;
    echo 'Your session is still alive! for ' . $timeout . ' seconds';
}
Cheers