session never timesout

[mo]

I start my global include with session_start() and I havesession.gc_maxlifetime set to 1800 in my php5.ini file. However my session never timesout. I can stay logged in for days even if I close my browser and clear the cache.

 

Only when I use my logout.php page to destroy my session, do I finally get out of the session.

 

What am I missing?

[WolfRage]

Kill your cookies by setting the time in the past on log out. Ensure that the time is being set correctly on the cookies, because it does not sound like the time is being set. Are you using Firefox, if so use the web developer tool to veiw your cookies and look at the expiration time.

[mo]

Kill your cookies by setting the time in the past on log out. Ensure that the time is being set correctly on the cookies, because it does not sound like the time is being set. Are you using Firefox, if so use the web developer tool to veiw your cookies and look at the expiration time.

 

My logout is as follows and after I log out all is fine. However when I log back in, I can stay logged in for days. I am using both IE and Firefox but right now IE.

 

$_SESSION['logged_in'] = 0;

setcookie('login_cookie', "", time() - 60, '/', $home);

session_destroy();

[WolfRage]

When you login, use the firefox plugin for web developers and veiw your cookie information. Check the expiration time. If this a long time in the future or until session ends, then your default setting is not working. So when a user logs in set there cookie manually using.

<?php
setcookie(session_name(), "", time()+1800, '/', $home);
?>

Then when they log out you need to kill the cookie like this.

<?php
setcookie(session_name(), "", time()-60, '/', $home);
?>

My guess is that you really do not know the real name of your session cookie so use the function session_name() . You can also set your session name if you would like to.

[mo]

When you login, use the firefox plugin for web developers and veiw your cookie information. Check the expiration time. If this a long time in the future or until session ends, then your default setting is not working. So when a user logs in set there cookie manually using.

<?php
setcookie(session_name(), "", time()+1800, '/', $home);
?>

Then when they log out you need to kill the cookie like this.

<?php
setcookie(session_name(), "", time()-60, '/', $home);
?>

My guess is that you really do not know the real name of your session cookie so use the function session_name() . You can also set your session name if you would like to.

 

I actually only set the cookine on login if the user check the "remember me" checkbox as follows.

 

        $joined =''.$_POST['username'].'[]'.md5($_POST['password']).'';

        setcookie('login_cookie', $joined, 2147483647, '/', $home);

 

[WolfRage]

Right but a cookie is always being sent that has the session id.... how do you think you are tracking them. Do an experiment, turn off cookies, what happens to your session?

This is why I am insisting that you download the web developer plugin for firefox, then VEIW YOUR COOKIES. You will see a cookie with your session ID in it. That is the one you need to kill, thus the use of session_name() .

[mo]

Right but a cookie is always being sent that has the session id.... how do you think you are tracking them. Do an experiment, turn off cookies, what happens to your session?

This is why I am insisting that you download the web developer plugin for firefox, then VEIW YOUR COOKIES. You will see a cookie with your session ID in it. That is the one you need to kill, thus the use of session_name() .

 

Got it. Thanks. Bit of a noob to sessions, I am just now starting to focus on them.

[WolfRage]

I understand it is a bit much to learn and there will be more questions trust me, it took me a week just to get comfortable with using them securely.