J N

asked on

sessions timeout and destroy in php.ini

Hi,

I have created a website with a portal. I have redirected the portal location to use HTTPS; however, the length of time the session can stay open is infinite. Therefore, if two different people use the same computer without logging out, they would be able to see the other person's documents. I am curious if I can include a session timeout function that allows twenty minutes of inactivity and then boots the person off the session. The individual would then be forced to log in again.

Would it be a good idea to install a PHP function that, once the session has timed out, returns the user to the login page? If so, where would I include this script? Would I add it to the index.php or place it in my php.ini file?

I am curious if it would be a good idea to destroy sessions when logging out as well. What are the pros and cons of destroying the session? My goal for the portal is to make it as secure as reasonably possible.

Thanks a lot!!
gr8gonzo

Your solution is probably not just PHP. PHP is only server-side, so unless you have a meta refresh tag or some JavaScript code that logs the user out, the browser is going to stay on the same page as long as the user doesn't click a link or change the page (even if the PHP session dies).

To handle the PHP session, you can have a bit of code that checks the time of the user's session at the beginning of each page load, and checks to see if the user hasn't refreshed the page or performed any activity within a certain time limit. For example:

<?php
session_start(); // must run before any output so the existing session is loaded

$inactivity = 1200; // 20 minutes, in seconds

if(isset($_SESSION["logged_in"])) // Assuming you have a "logged_in" that is set after someone logs in...
{
   // Check for the time between now and the last page load:
   if(isset($_SESSION["lastPageLoad"]))
   {
      $timeSinceLastPageLoad = time() - $_SESSION["lastPageLoad"];
      if($timeSinceLastPageLoad > $inactivity)
      {
         // Session expired - log them out
         unset($_SESSION["logged_in"]); // or session_destroy() to be thorough
         header("Location: logged_out.php");
         die(); // stop here so nothing below runs for a logged-out user
      }
   }

   // Update the last page load timestamp
   $_SESSION["lastPageLoad"] = time();
}
To answer your question about pros/cons of destroying a session, I'd just say it's better to destroy it when logging out. There's no sense trying to retain a part of a session that has been logged out.

The only reason you wouldn't want to destroy the session fully is if the user has been working on a document for 25 minutes without refreshing the page (although an AJAX call can help in "refreshing" the value of "lastPageLoad"), and then they try to save the document, but then it times out and they lose their work. You could potentially use sessions to help save their work, and then restore the document after they log back in, but that gets pretty complicated. Usually it's better to just destroy the session. :)
Note that you have to use session_start() at the top of the page so PHP will know which session to destroy. The correct way to 'destroy' a session is shown here: http://us3.php.net/manual/en/function.session-destroy.php
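One way to put the whole answer together, as an added example (not gr8gonzo's code or anything from the thread): a single include that sets the session cookie flags, enforces the 20-minute idle limit on every protected page, and on logout or timeout destroys the session the way the php.net page linked above does. The file name, the function names and the redirect targets are assumptions, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// session_guard.php (added example, not gr8gonzo's code): include at the top of every
// protected page. IDLE_LIMIT, logout(), require_login(), mark_logged_in() are assumed names.
const IDLE_LIMIT = 1200; // 20 minutes of inactivity, as in the thread

// Cookie flags: only sent over HTTPS, unreadable from JavaScript, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,      // cookie is discarded when the browser closes
    'secure'   => true,   // the portal is served over HTTPS
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// Full teardown as in the php.net session_destroy() example: clear the data,
// expire the cookie in the browser, then delete the server-side record.
function logout(string $redirect = 'logged_out.php'): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $redirect);
    exit;
}

// Call on every protected page: enforces the idle limit and refreshes the stamp.
function require_login(): void
{
    if (empty($_SESSION['logged_in'])) {
        header('Location: index.php');
        exit;
    }
    if (isset($_SESSION['lastPageLoad'])
        && time() - $_SESSION['lastPageLoad'] > IDLE_LIMIT) {
        logout(); // idle too long: destroy everything, not just the flag
    }
    $_SESSION['lastPageLoad'] = time();
}

// Call once after the password check succeeds (in index.php): a fresh session id
// so an id issued before login cannot be reused, then the flag and the timestamp.
function mark_logged_in(): void
{
    session_regenerate_id(true);
    $_SESSION['logged_in']    = true;
    $_SESSION['lastPageLoad'] = time();
}
```

Each protected page calls require_login() right after the include, and the logout link points at a script that just calls logout().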
J N

ASKER

Hi,

thanks a whole bunch for getting back to me so fast !!!

Would I want to include this script on each page that is used during the session, or would I include it on the index.php (login page), which I believe initializes the session with a session_start() command?
You need to use it on every page that the user will be accessing during their logged-in session. I always destroy the current session on logout. Sessions contain lots of data, sometimes including anything in the $_POST, $_GET and $_REQUEST arrays, so you wouldn't want to leave that data lying around for the next user to read.

This simple code will capture everything posted to a script in session variables so it can be accessed on any other PHP page that has session_start() at the top of that script.

<?php
session_start(); // resume (or create) the session before touching $_SESSION

// Copy every request parameter (GET or POST) into the session under the same key
foreach($_REQUEST as $key => $val) {
      $_SESSION[$key] = $val;
}

var_dump($_SESSION); // show what the session now holds

?>

So if you create a form and post it to a script with the above code in it, the session will hold all of the posted data no matter how the form posts it (GET or POST).

ASKER

Should I attach the following code to every page then?

<?php
session_start();

$inactivity = 1200; // 20 minutes

if(isset($_SESSION["logged_in"])) // Assuming you have a "logged_in" that is set after someone logs in...
{
   // Check for the time between now and the last page load:
   if(isset($_SESSION["lastPageLoad"]))
   {
      $timeSinceLastPageLoad = time() - $_SESSION["lastPageLoad"];
      if($timeSinceLastPageLoad > $inactivity)
      {
         // Session expired - log them out
         unset($_SESSION["logged_in"]); // or session_destroy() to be thorough
         header("Location: logged_out.php");
         die();
      }
   }

   // Update the last page load timestamp
   $_SESSION["lastPageLoad"] = time();

   // Copy every request parameter into the session (only runs while logged in)
   foreach($_REQUEST as $key => $val) {
      $_SESSION[$key] = $val;
   }

   var_dump($_SESSION);
}
?>
SOLUTION
Mark Brady
This solution is only available to members.
SOLUTION
This solution is only available to members.
ASKER CERTIFIED SOLUTION
This solution is only available to members.