Re: sessions timeout [message #176410 is a reply to message #176409] |
Wed, 04 January 2012 10:51 |
The Natural Philosoph
Arno Welzel wrote:
> Michael Joel, 2012-01-04 02:42:
>
>> I am on a shared server so I have no control over the settings.
>>
>> Is there a way for me to set a "timeout" for sessions?
>
> Maybe using ini_set() to modify session.cookie_lifetime - but I'm not
> sure if this is possible.
>
> Another way would be to manage this "manually" - e.g. using the current
> time and the time of the last activity of the user:
>
Another way would be to not use sessions and use the raw cookie instead,
then you have complete control.
Every time a user with a valid login hits the site, you check his cookie
against one stored in a database for that user, make sure it's less than
whatever minutes old, and immediately store the current time and issue a
new utterly random cookie to the user.
Whether HE times them out in his browser or not is irrelevant. You ARE.
If the cookie is out of date at YOUR end, issue the 'you are not logged
in, bugger off or get with the program' message.
Once you HAVE a database of users it's a lot easier NOT to use sessions,
it seems to me.
What you want to remember about a user is put in the database. ALL he
has to carry around is a cookie, hopefully proving he is who he is: a
short-term passport.
Basically the code needs to do as a common FIRST THING in EVERY access
get the cookie name/value pair and search your database for a value that
matches it, and is less than X minutes since it was stored in the database.
If a match is found, immediately generate a random cookie value, store it
in the database and reset the timestamp on that user to 'now'. I store
their IP address as well. Then use them with the new cookie and set a
global variable somewhere saying 'this user is OK and his ID is this'
and proceed to modify your code to behave differently if he is valid etc.
If not, present a login screen (or an invitation to visit one).
The login screen takes name/password, matches them to the database
values, and then sets the same global variable and issues the first
cookie, and puts it in the database, on completion.
I am sure you can get sessions to behave in this way, but it seems to me
it's a poor substitute for a database, if you have one.
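The "short-term passport" scheme described in the post above, written out as an added example (this is not the poster's code, nor anything from the thread). It uses PDO with an in-memory SQLite table so it runs stand-alone; the table and column names, the cookie name `passport`, the 15-minute window and the user `alice` are all assumptions. One deliberate departure from the post: the database stores only a SHA-256 hash of the cookie value, not the value itself, so a leaked or dumped table cannot be replayed as a live login.

```php
<?php
// Added example, not from the original post. Cookie-as-passport login:
// on EVERY request look the cookie up, reject it if older than MAX_AGE_MIN,
// otherwise rotate it and reset the timestamp to now.
declare(strict_types=1);

const COOKIE_NAME = 'passport';   // assumed cookie name
const MAX_AGE_MIN = 15;           // assumed idle timeout, enforced at OUR end

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: one row per user, holding the current passport.
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, name TEXT UNIQUE, pwhash TEXT,
        token_hash TEXT, token_time INTEGER, token_ip TEXT)');
    return $db;
}

// Mint a fresh random passport for $userId, record its hash + timestamp + IP,
// and hand the raw value to the browser. Must run before any output.
function issue_token(PDO $db, int $userId, string $ip, ?int $now = null): string {
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $st = $db->prepare('UPDATE users SET token_hash = ?, token_time = ?, token_ip = ?
                        WHERE id = ?');
    $st->execute([hash('sha256', $token), $now ?? time(), $ip, $userId]);
    setcookie(COOKIE_NAME, $token, [
        'httponly' => true, 'secure' => true, 'samesite' => 'Lax', 'path' => '/',
    ]);
    return $token;
}

// The "common FIRST THING in EVERY access": returns ['id' => user id,
// 'token' => the replacement cookie value], or null if the passport is
// missing, malformed, unknown, or older than MAX_AGE_MIN minutes.
function check_passport(PDO $db, ?string $cookie, string $ip, ?int $now = null): ?array {
    if ($cookie === null || !preg_match('/^[0-9a-f]{64}$/', $cookie)) {
        return null;                                    // not even the right shape
    }
    $now = $now ?? time();
    $st = $db->prepare('SELECT id, token_time FROM users WHERE token_hash = ?');
    $st->execute([hash('sha256', $cookie)]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now - (int)$row['token_time'] > MAX_AGE_MIN * 60) {
        return null;                                    // unknown or timed out: not logged in
    }
    $id = (int)$row['id'];
    $new = issue_token($db, $id, $ip, $now);            // rotate + reset timestamp to 'now'
    return ['id' => $id, 'token' => $new];
}

// Login screen back end: name/password against the database, then the first passport.
function login(PDO $db, string $name, string $password, string $ip): ?string {
    $st = $db->prepare('SELECT id, pwhash FROM users WHERE name = ?');
    $st->execute([$name]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return null;
    }
    return issue_token($db, (int)$row['id'], $ip);
}

// Walk-through with a constructed user (assumed credentials).
$db = open_db();
$db->prepare('INSERT INTO users (name, pwhash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ip = '127.0.0.1';

assert(login($db, 'alice', 'wrong password', $ip) === null);
$t1  = login($db, 'alice', 'correct horse', $ip);     // first passport
$hit = check_passport($db, $t1, $ip);                  // valid: id 1, new token issued
assert($hit !== null && $hit['id'] === 1);
assert(check_passport($db, $t1, $ip) === null);        // old value was rotated out: replay fails
$stale = time() + (MAX_AGE_MIN + 1) * 60;              // pretend 16 minutes have passed
assert(check_passport($db, $hit['token'], $ip, $stale) === null);   // timed out at OUR end

// In a real page: $me = check_passport($db, $_COOKIE[COOKIE_NAME] ?? null,
// $_SERVER['REMOTE_ADDR']); if ($me === null) show the login form.
```

Two practical caveats before using this pattern as written. Rotating the value on every hit means two requests racing with the same cookie (parallel AJAX calls, a second tab) will have the loser land on the login screen, so either tolerate the previous token for a few seconds or rotate only on login and on a slower schedule. And the stored IP is only useful for logging or a soft check; binding the passport to it hard will log out anyone behind a changing NAT or mobile address.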