[SOLVED] Changing Session variables between pages

[A.White.89]

I am working on a session timeout functionality and I am having it timeout at 600 seconds of inactivity.

 

This function, run at the top of each page, is:

function timeoutCheck($activeTime)
{
	$maxNoActivity = 600; // Seconds of session duration of no activity
	$difference = (time() - $activeTime);

	if($difference > $maxNoActivity)
	{
		session_destroy();
		header("Location: login.php?timeout=1&page=".$_SERVER['PHP_SELF']);
	}
}

 

Then just below this function on each page the $_SESSION['activeTime'] variable is set to time().  So theoretically, $difference should be near  2-3 seconds if I refreshed the page every few seconds.  Unfortunately, $difference always increases until 600 seconds at which time the session times out. 

 

To sum it all up, $_SESSION['activeTime'] is for some reason not changing between pages.  It is never being updated to the new time (or at least the updated $_SESSION['activeTime'] is changing but not passing to other pages in the session).  Note: All pages have session_start() at the top.

 

Suggestions?

Thanks.

[A.White.89]

Is this something that is difficult or maybe I can simplify the question?

[A.White.89]

Does anyone out there have a possible solution?

 

Thanks.

[PFMaBiSmAd]

Cannot really help you without seeing all your actual code.

[A.White.89]

Okay.  Here is the code from above (the timeoutCheck function):

 

from loginFunction.php:

<?php
function timeoutCheck($activeTime)
{
	$maxNoActivity = 600; // Seconds of session duration of no activity
	$difference = (time() - $activeTime);
	//print $difference;

	if($difference > $maxNoActivity)
	{
		session_destroy();
		header("Location: login.php?timeout=1&page=".$_SERVER['PHP_SELF']);
	}
}
?>

 

and here is the code that rests at the top of all my pages:

 

<?php
session_start();
require "loginFunctions.php";
secure($_SESSION);
timeoutCheck($_SESSION['activeTime']);
$_SESSION['activeTime']= time();
?>

 

If I print out on any page AFTER the timeoutCheck:

<?php
print (time() - $_SESSION['activeTime']);
?>

I get 0 - which is good.  This suggests that $_SESSION['activeTime'] is changed within the page but it is not being transferred to other pages because in timeoutCheck, the variable is no different than it is when it is instantiated - which is here (in login.php):

<?php
$error = loginCheck($_POST, $_GET);
	if(trim($error) == "")
	{
		$_SESSION['userID'] = login($_POST);
		$_SESSION['activeTime'] = time(); // LOOK HERE
// The rest is not important
?>

 

Hopefully this helps.  Thanks.

[PFMaBiSmAd]

The code works for me. Add the following two lines immediately after the first opening <?php tag on the relevant pages -

 

ini_set ("display_errors", "1");
error_reporting(E_ALL);

[A.White.89]

Okay.  If I make the question simple: Have you ever heard of session variables not storing between pages and/or functions?

 

I do thank you for your answer though.  It is useful.

[PFMaBiSmAd]

Have you ever heard of session variables not storing between pages and/or functions?

Yes, when the code is overwriting the variables or doing something else that is preventing the session from being started or register_globals are overwriting post/get/cookie/session/program variables or the sessions are not working due to session settings on the server and the hostname or paths changing in the URL's or the browser has been configured to not accept cookies.

 

You are looking for a one symptom one problem relationship and programming does not work that way. For any symptom there can be a dozen different causes and any problem can cause several different symptoms.

 

What does secure($_SESSION); do, because it could be terminating your session so that $_SESSION['activeTime'] is just an ordinary array variable in the current script.

[A.White.89]

<?php
function secure($_SESSION)
{
	if(!($_SESSION['userID']) || ($_SESSION['userID'] == ""))
	{
		header("Location: login.php?page=".$_SERVER['PHP_SELF']);
		exit();
	}
}

function timeoutCheck($activeTime)
{
	$maxNoActivity = 600; // Seconds of session duration of no activity
	$difference = time() - $activeTime;
	print $difference;

	if($difference > $maxNoActivity)
	{
		session_destroy();
		header("Location: login.php?timeout=1&page=".$_SERVER['PHP_SELF']);
	}
}
?>

 

secure() doesn't touch $_SESSION['activeTime'] and works well to make sure a user is logged in before being able to access the page (suggesting that the $_SESSION['userID'] is being transferred fine).

[laffin]

wudnt it just be easier to use

session_set_cookie_params(600);
session_start();

 

Unless you are specifically doing something with ActiveTime?

 

also avoid using frames and sessions....

 

[PFMaBiSmAd]

Well, it turns out the problem is because you are calling the secure() function with the $_SESSION array as a parameter.

 

$_SESSION is a superglobal and does not need to be passed into a function.

 

I can only guess that when the $_SESSION array is referenced as a parameter in the function call that it is somehow breaking the connection between the $_SESSION array and the actual session.

 

Remove $_SESSION from both the secure function definition and the function call.

 

 

[PFMaBiSmAd]

Setting the session cookie lifetime through the session_set_cookie_params() function would have no effect on detecting a period of inactivity.

[A.White.89]

I am trying to make it logout after 10 minutes of INACTIVITY, not just 10 minutes period.  That's why I change the session variable on each page AFTER I check the value of the session variable to make sure the current time is not 600 seconds more than the last loaded page.  For some reason, that difference is always increasing, suggesting that the variable is NOT storing between pages.

[laffin]

Thats wut the session lifetime is for. to log a user out after x seconds by killing the session.

 

Unless you are specifically using the time the user has been on the site, there is no need to manually log them out when you can set the lifetime of the session cookie, which will get updated when they navigate to another page or refreshing thus resetting cookie.

[PFMaBiSmAd]

Setting the session cookie lifetime through the session_set_cookie_params() function would have no effect on detecting a period of inactivity.

[A.White.89]

Are you suggesting to add that to the top of EACH page?  So that it would only last 10 minutes from the load time of that page?

[PFMaBiSmAd]

No it won't -

Setting the session cookie lifetime through the session_set_cookie_params() function would have no effect on detecting a period of inactivity.

 

The session cookie lifetime determines how long the session cookie lives when the browser is completely closed.

[PFMaBiSmAd]

If your forum profile is not setup to alert you of posts made while you were replying, you should really turn that setting on, because you apparently missed the reason why your code is not working -

 

Well, it turns out the problem is because you are calling the secure() function with the $_SESSION array as a parameter.

 

$_SESSION is a superglobal and does not need to be passed into a function.

 

I can only guess that when the $_SESSION array is referenced as a parameter in the function call that it is somehow breaking the connection between the $_SESSION array and the actual session.

 

Remove $_SESSION from both the secure function definition and the function call.

[A.White.89]

Oh geeze, thanks for both the solution and the tip about the messages.

 

 

I really appreciate your perserverence through this discussion.

[laffin]

The only way to detect inactivity is really through java(script). I base my opinions on the code presented. Which just destroys a session if a specific amount of time has elapsed.

Which is exactly wut the lifetime of a cookie does. A Cookie Lifespan can only last as long as the expiry dictates.

 

session_set_cookie_params

U can use this to set the lifespan of the cookie, or you can edit your php.ini in order to shorten the lifespan of the sessions.