
Controlling Sessions


arimakidd


I am using sessions to authenticate users from page to page once they have successfully logged in at the login page. Users are funny and will not always "log out". How do I control sessions to time them out after, say, 120 seconds? At present my solution is to specify the seconds in session.gc_maxlifetime and to specify garbage collection in session.gc_probability and session.gc_divisor of the php.ini file. I have specified the probability of garbage collection to 100%. I have very few users and security has to be tight. Are there any better solutions, as 100% probability of garbage collection can degrade performance?


create a table to track the user. in the table, you will want the following columns:

unique_id -> an auto_increment primary key

user_id -> id of the user

session_id -> the PHP session_name()

last_active -> the date/time or timestamp of their last action

 

when a user logs in, create a new row in the table. then, as they navigate the site, update the last_active field. this will give you a value to test against. if they go to a page, and last active is more than 20 minutes old (or whatever you specify), you can deny them access and make them login again. then, write a script that cleans old records from the table and run this script periodically (aka nightly) via a scheduled task or cronjob.

 

p.s. - if a user can only be logged in from one location, you can integrate this right into your user table


I like the logic in this solution. However, my PHP app is a 'live search' using AJAX. So once users are logged in they basically are going to remain on the same page. If they have conducted a search and 2 mins have passed I want the page to redirect to login if they try to conduct another search. So they don't go to another page. Does your logic still apply?


yeah, so just make sure you update the table via the file that is accessed via AJAX. then, in the same file, return some sort of error message/status that the calling page can recognize and redirect the user if it receives it. make sense?

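The approach from the replies above, as an added example that is not part of the original posts: the file called via AJAX checks last_active against the 120-second limit, refreshes it on success, and otherwise returns a status the calling page can act on. The table name `user_sessions`, the function names, the 401 status code and the in-memory SQLite rows are assumptions made for the demo.

```php
<?php
// Added example: idle-timeout check for an AJAX search endpoint.
// Table name "user_sessions" and function names are assumptions; the columns
// follow the thread. In-memory SQLite and the rows below are constructed.
const IDLE_LIMIT = 120; // seconds, the timeout asked for in the question

// Returns true and refreshes last_active when the session is still live;
// deletes the row and returns false when it is unknown or idle too long.
function touchSession(PDO $db, string $sessionId, int $now): bool
{
    $sel = $db->prepare('SELECT last_active FROM user_sessions WHERE session_id = ?');
    $sel->execute([$sessionId]);
    $last = $sel->fetchColumn(); // false when no row matches
    if ($last !== false && $now - (int)$last <= IDLE_LIMIT) {
        $db->prepare('UPDATE user_sessions SET last_active = ? WHERE session_id = ?')
           ->execute([$now, $sessionId]);
        return true;
    }
    // Expired or unknown: drop any stale row so the login must be repeated.
    $db->prepare('DELETE FROM user_sessions WHERE session_id = ?')->execute([$sessionId]);
    return false;
}

// What the AJAX file sends back: a status the calling page can test before
// rendering results. A real endpoint would pass session_id() after session_start().
function searchResponse(PDO $db, string $sessionId, int $now): array
{
    if (!touchSession($db, $sessionId, $now)) {
        return ['code' => 401, 'body' => ['status' => 'expired']];
    }
    return ['code' => 200, 'body' => ['status' => 'ok', 'results' => []]];
}

// Constructed demo data: one session active 30 s ago, one idle for 300 s.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_sessions (unique_id INTEGER PRIMARY KEY AUTOINCREMENT,
           user_id INTEGER, session_id TEXT UNIQUE, last_active INTEGER)');
$now = time();
$ins = $db->prepare('INSERT INTO user_sessions (user_id, session_id, last_active) VALUES (?, ?, ?)');
$ins->execute([1, 'sess-fresh', $now - 30]);
$ins->execute([2, 'sess-stale', $now - 300]);

foreach (['sess-fresh', 'sess-stale', 'sess-unknown'] as $sid) {
    echo $sid, ' => ', json_encode(searchResponse($db, $sid, $now)), PHP_EOL;
}
```

Because the check runs on the server for every search request, the timeout holds even if the page's JavaScript never performs the redirect.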
