uluru75, posted July 28, 2008

Hey, I'm having difficulty setting up the expiration of the PHP session. As an example, this is what I have right now:

file1.php:

    session_start();
    $_SESSION['user'] = $loginValue;

file2.php:

    session_start();
    // I read $_SESSION['user'] here

So, how can I make this session expire after, let's say, 30 min? Also, if that expiration works I should NOT be able to read the session variable $_SESSION['user'], is that correct?

Thanks,

revraz, posted July 28, 2008

The timeout by default is about 22 mins, and is set in the php.ini file. What happens is when that time has been reached, the next time the GC is run, the session will be destroyed. So it's not 22 mins on the dot.

uluru75 (Author), posted July 28, 2008

I don't have access to php.ini and I'm not sure if it's 22 minutes. When I check the cookie expiration within Firefox, it says that the expiration is at the end of session. Is there a way to set the time without going to php.ini?

Thanks

revraz, posted July 28, 2008

ini_set
http://us3.php.net/ini_set

PFMaBiSmAd, posted July 28, 2008

The purpose of session garbage collection is to delete old unused session data files. It is not to end or cause sessions to expire. GC also runs randomly based on session.gc_probability and session.gc_divisor, so you never know exactly when it will run unless you set it to run on every session_start() statement.

If you want something to happen after a specific time, store the starting time and compare the current time on each page visit and take appropriate action when the time difference has been exceeded.

uluru75 (Author), posted July 28, 2008

This makes sense. So there is really no way to set up an expiration of the session if there is no access to php.ini? Is that right?

uluru75 (Author), posted July 28, 2008

So I guess it's better to use cookies instead of sessions, right?

revraz, posted July 28, 2008

Are you talking about inactivity timeout or are you talking about forcing a timeout? If inactivity, then the ini_set will work fine. If you want to force it, then you can have your script delete the session. But this will take checking it every minute or so to see if it's expired.

What is your goal? What do you really want to accomplish and what is your concern?

uluru75 (Author), posted July 28, 2008

Right now, I just want users to be able to log in, be logged in on every page, and have the login session time out after 15 minutes. What are your suggestions?

Thanks

ionik, posted July 28, 2008

Use cookies....

    setcookie('user', 'userid', time() + (60*15));
    $user = $_COOKIE['user'];

uluru75 (Author), posted July 28, 2008

Are cookies secure? Why at this point is it better to use cookies?

ionik, posted July 28, 2008

Yes, they are secure.... and if you're talking about being on a secure server, just use this

    setcookie('user', 'data', time()+(60*15), 'path', 'domain', TRUE);

and it will only send the cookie over a secure server..... Cookies are used everywhere and give a lot more flexibility than using sessions...

uluru75 (Author), posted July 28, 2008

Thanks a lot

PFMaBiSmAd, posted July 28, 2008

A cookie can be modified and it can be copied and put back if you delete it.

You must only rely on data present on the server to determine if someone is logged in, logged out, or to automatically log them out after a period of time.

A cookie or a session id should only be used to identify a visitor. Take that identifying information and use it to match the visitor with his user record in a database. Store information in the user record as to if they are logged in, logged out, or when their last visit was so that you can automatically log them out at the start of their next visit if the time difference is greater than your timeout value.

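Added example (not part of the thread and not any poster's code): the approach from PFMaBiSmAd's replies, storing a timestamp on the server and comparing it on each page visit, written as a 15-minute inactivity timeout that needs no php.ini access. The names check_login, login, IDLE_TIMEOUT, last_activity and login.php are assumptions made for this example.

```php
<?php
// Added example, not code from the thread. The timeout decision uses only
// data held in the server-side session, never a value the browser controls.
const IDLE_TIMEOUT = 900; // 15 minutes, the value asked for in the thread

// Record a successful login (hypothetical helper).
function login(array &$session, string $user, int $now): void
{
    $session['user'] = $user;
    $session['last_activity'] = $now;
}

// Return true while the login is valid; wipe the session data once it has been
// idle for longer than $timeout. Works on $_SESSION or on a plain array.
function check_login(array &$session, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    if (!isset($session['user'], $session['last_activity'])) {
        return false;                      // not logged in
    }
    if ($now - $session['last_activity'] > $timeout) {
        $session = [];                     // expired: 'user' is no longer readable
        return false;
    }
    $session['last_activity'] = $now;      // active: restart the idle window
    return true;
}

if (PHP_SAPI !== 'cli') {
    // Top of every protected page (file2.php in the thread's naming).
    session_start();
    if (!check_login($_SESSION, time())) {
        session_destroy();                 // remove the server-side data file
        header('Location: login.php');     // hypothetical login page
        exit;
    }
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user']);
} else {
    // Constructed demo on a plain array, runnable with `php example.php`.
    $s = [];
    login($s, 'alice', 0);
    var_dump(check_login($s, 14 * 60));           // inside the idle window
    var_dump(check_login($s, 14 * 60 + 16 * 60)); // 16 idle minutes later
    var_dump(isset($s['user']));                  // state after expiry
}
```

Because the idle check runs in the script on every request, the outcome does not depend on when session garbage collection happens to run.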