How to set the timeout of php session?

[uluru75]

Hey,

 

I'm having difficulties to setup the expiration of the php session.

As an example this is what i have right now:

 

file1.php:

session_start();

$_SESSION['user'] = $loginValue;

 

file2.php:

session_start();

i read here the $_SESSION['user']

 

So, how i can make this session to expire after lets say 30 min?

Also if that expiration works i should NOT be able to read the session variable $_SESSION['user'], is that correct?

 

Thanks,

 

 

 

 

 

 

 

[revraz]

The Timeout by default is about 22 mins, and is set in the php.ini file.  What happens is when that time has reached, the next time the GC is ran, then the session will be destroyed.  So it's not 22 mins on the dot.

[uluru75]

I don't have an access to the php.ini and i'm not sure if it's 22 minutes.

When i check the cookie expiration within firefox it's saying that the expiration is at the end of session.

 

Is there a way to set the time without going to php.ini?

thanks

[revraz]

ini_set

 

http://us3.php.net/ini_set

[PFMaBiSmAd]

The purpose of session garbage collection is to delete old un-used session data files. It is not to end or cause sessions to expire. GC also runs randomly based on session.gc_probability and session.gc_divisor so you never know exactly when it will run unless you set it to run on every session_start() statement.

 

If you want something to happen after a specific time, store the starting time and compare the current time on each page visit and take appropriate action when the the time difference has been exceeded.

[uluru75]

This make sense,

So there is really no way to setup an expiration of the session if there is no access to the php.ini? is that right?

[uluru75]

So i guess it's better to use cookies instead of session, right?

[revraz]

Are you talking about inactivity timeout or are you talking about forcing a timeout?  If inactivity, then the ini_set will work fine.

 

If you want to force it, then you can have your script delete the session.  But this will take checking it every minute or so to see if it's expired.

 

What is your goal?  What do you really want to accomplish and what is your concern?

[uluru75]

Right now, just want to have users to be able to login, be logged in on every page and time out the login session after 15 minutes.

what's your suggestions?

thanks

[ionik]

use cookies....

 

setcookie('user', 'userid', time() + (60*15));

 

$user = $_COOKIE['user'];

[uluru75]

are cookies secure? why at this point is better to use cookies?

[ionik]

yes they are secure....and if your talking about you are on a secure server just use this

 

cookie('user', 'data', time()+(60*15), 'path', 'domain', TRUE);

 

and it will only send the cookie over a secure server.....

 

cookies are used everywhere are give a lot more flexibilty than using sessions...

[uluru75]

thanks, a lot

[PFMaBiSmAd]

A cookie can be modified and it can be copied and put back if you delete it. You must only rely on data present on the server to determine if someone is logged in, logged out, or to automatically log them out after a period of time.

 

A cookie or a session id should only be used to identify a visitor. Take that identifying information and use it to match the visitor with his user record in a database. Store information in the user record as to if they are logged in, logged out, or when their last visit was so that you can automatically log them out at the start of their next visit if the time difference is greater than your timeout value.