| Re: sessions timeout [message #176407 is a reply to message #176406] |
Wed, 04 January 2012 04:23   |
gordonb.bqidf
Messages: 1
Registered: January 2012
Karma:
|
Junior Member |
|
|
> I am on a shared server so I have no control over the settings.
>
> Is there a way for me to set a "timeout" for sessions?
>
> I am working on some scripts (logged in as a test user) and had been
> away from it for a few hours. The tabs (this is Opera browser) were
> closed, but not the browser.
>
> When I went back to the page it still had me logged in.
> Obviously the server session cookies are set to clear when the browser
> closes.
The server cannot tell when the browser closes. Some browsers
delete some cookies when the browser closes, but you cannot depend
on this happening, and the user may have control over the behavior,
overriding what the cookie spec might say.
Some browsers are also rather lax about cookie expiration times.
They might check once a day (or perhaps once every browser version
upgrade) or when the browser closes, whichever is less often. I
think browsers reliably keep the cookie *AT LEAST* as long as the
cookie expiration date/time (barring problems like the browser and
server clocks being very different) but they may keep it too long.
> Is there a way for me to have some control over this and set a time
> limit so after a reasonable amount of time the session cookie clears?
I'm assuming your pages are already set up to use sessions (calling
session_start() ) and have a way to let the user log in.
When a user logs in successfully, set $_SESSION['timestamp'] to time().
If a user unsuccessfully tries to log in, you might want to unset
$_SESSION['timestamp'].
On every page where a user needs to be logged in to see the page,
do your normal login checks, and then check that
$_SESSION['timestamp'] is set and
$_SESSION['timestamp'] + ($hour_limit*60*60) > time() .
($hour_limit is the time limit. It can be different for different
pages, but that is probably confusing and not particularly useful.)
If not, the session has expired, redirect the user to the login
page. If so, show them the page. If you wish to extend the allowed
time for the session (generally, I believe it makes much more sense
to set a time limit from the time of the *latest* hit, not the time
limit from the *first* hit, especially if your concern is the person
who walks away from the computer leaving the browser open), set
$_SESSION['timestamp'] to time() again (after the test for expiration).
There is nothing special about the variable $_SESSION['timestamp'].
Any variable in $_SESSION[] will do. If you have several sections
of your web site that independently require a user to log in (perhaps
using different lists of valid users, and different login pages),
you might want to use a different timestamp variable for each
section.
Unlike the "lazy session expiration" used by built-in PHP session
timeout parameters, this method will time out the session at the
correct time down to the second. It does not depend on any code
being executed at the time of the expiration (and will work fine
if the web site is down at the time). Note, however, that if the
built-in PHP session stuff (which uses parameters you often can't
change on hosted sites) times out the session earlier than you
want it, $_SESSION[] restarts empty, and you cannot *lengthen* the
time by this method, only shorten it.
|
|
|
|
Calendar
Search
Help
Members
Register
Login
Home
]