Site not logging out


Can anyone confirm and offer a reason as to why my website's sessions are not ending after 30 minutes, or when the browser is closed?

The site is

http://www.americangangsters.org/

Username: test

Pass: tester

I have even set the ini file (using php ini_set) for session lifetime to 30 mins.

Also I set lifetime to 1 second, re-logged in and then waited ten minutes (or more) before refreshing, and I was still logged in :s

Here is some of my security code involving sessions

```php
<?php
## Session stealing ##
# These ini_set() calls only take effect if they run before session_start().
ini_set("session.cookie_httponly", true); # cookie not readable from JavaScript
ini_set("session.use_only_cookies", 1);   # never accept a session id from the URL
ini_set("session.use_trans_sid", 0);      # do not append the session id to links
ini_set("session.gc_maxlifetime", 1800);  # server-side data eligible for GC after 30 min
#ini_set("session.save_path", "/path/to/sessions"); ## Adjust to change the session save path
session_start();
```

I have only tested this in Firefox (3.0.10).

Any ideas please?

I have only tested this in Firefox (3.0.10).

Indeed - with the way Firefox preserves tabs, it must also maintain the session. You can get round this by employing your own auto log-out: store a timestamp of the last activity and, on each page load, check to see if the last action happened more than x minutes ago. If it did, redirect to the login page.

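The server-side idle timeout the reply above describes, written out as an added example (not code from the original poster or the site in question). It assumes PHP 7.1 or later, that this file is included at the top of every protected page, and that the login page lives at /login.php.

```php
<?php
// Added example: server-side idle timeout. Because the check is done against
// $_SESSION on the server, a visitor who keeps or edits the cookie gains nothing.
define('IDLE_LIMIT', 1800); // 30 minutes, matching session.gc_maxlifetime below

ini_set('session.cookie_httponly', 1);
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);
ini_set('session.gc_maxlifetime', 1800);
session_set_cookie_params(0); // lifetime 0: cookie has no Expires, dropped when the browser fully exits
session_start();

// True when the stored activity stamp is older than $limit seconds.
// A session with no stamp yet is brand new, not expired.
function session_is_expired(array $session, int $now, int $limit): bool
{
    if (!isset($session['last_activity'])) {
        return false;
    }
    return ($now - (int) $session['last_activity']) > $limit;
}

// Wipe server-side data, expire the cookie, then send the visitor to login.
function end_session_and_redirect(string $login_url): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $login_url);
    exit;
}

if (session_is_expired($_SESSION, time(), IDLE_LIMIT)) {
    end_session_and_redirect('/login.php?reason=timeout');
}

// Still active: refresh the stamp so the 30 minutes count from the last request.
$_SESSION['last_activity'] = time();
```

Call session_regenerate_id(true) in the login handler after the credentials check so the id issued before login is never reused.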
I have even set the ini file (using php ini_set) for session lifetime to 30 mins.

There is NO session lifetime setting. What setting are you changing? And did you stop and start your web server to get any change made to php.ini to take effect and did you verify the setting using a phpinfo() statement?

A session is just a container that holds variables. Don't rely on the underlying operation of the session to perform any function in your application. The session cookie can be modified (it can even be saved and replaced should your script try to delete it) by the visitor (or bot script) to exist as long as they want and by default session garbage collection runs randomly so the session data files can exist long after they are older than the session.gc_maxlifetime setting, especially on a development server or a server with few session_start() statements being executed.

If you have previously successfully set a session cookie with a long session.cookie_lifetime, your browser still has that cookie and that cookie will continue to be sent to the server when you visit your page until that cookie expires. You should probably go into your browser (assuming firefox) and check for and clear any existing session cookie matching your domain/localhost.
