Jump to content

Recommended Posts

Can anyone confirm and offer a reason as to why my websites sessions are not ending after 30 minutes, or when the browser is closed.

 

The site is

http://www.americangangsters.org/

Username:test

Pass:tester

 

I have even set the ini file (using php ini_set) for session lifetime to 30 mins.

 

Also i set lifetime to 1 second and relogged in and then waited ten minutes (or more) before refreshing and i was still logged in :s

 

Here is some of my security code involving sessions

 

## Session stealing ##	
	ini_set("session.cookie_httponly",true);
	ini_set("session.use_only_cookies",1);
	ini_set("session.use_trans_sid",0);
	ini_set("session.gc_maxlifetime",1800);
	#ini_set("session.save_path") ## Adjust to change the session save path	

 

I have only tested this in firefox (3.0.10)

Any ideas please?

Link to comment
https://forums.phpfreaks.com/topic/157470-site-not-logging-out/
Share on other sites

I have only tested this in firefox (3.0.10)

 

Indeed - with the way firefox preserves tabs, it must also maintain the session. You can get round this by employing your own auto log-out - store a timestamp of the last activity and, on each page load, check to see if the last action happened more than x minutes ago. If it did, redirect to the login page.

Link to comment
https://forums.phpfreaks.com/topic/157470-site-not-logging-out/#findComment-830223
Share on other sites

I have even set the ini file (using php ini_set) for session lifetime to 30 mins.

There is NO session lifetime setting. What setting are you changing? And did you stop and start your web server to get any change made to php.ini to take effect and did you verify the setting using a phpinfo() statement?

 

A session is just a container that holds variables. Don't rely on the underlying operation of the session to perform any function in your application. The session cookie can be modified (it can even be saved and replaced should your script try to delete it) by the visitor (or bot script) to exist as long as they want and by default session garbage collection runs randomly so the session data files can exist long after they are older than the session.gc_maxlifetime setting, especially on a development server or a server with few session_start() statements being executed.

 

If you have previously successfully set a session cookie with a long session.cookie_lifetime, your browser still has that cookie and that cookie will continue to be sent to the server when you visit your page until that cookie expires. You should probably go into your browser (assuming firefox) and check for and clear any existing session cookie matching your domain/localhost.

Link to comment
https://forums.phpfreaks.com/topic/157470-site-not-logging-out/#findComment-830258
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.