danielspencer2 Posted August 11, 2009

How would I use PHP and the session cookies feature it provides to make a user automatically log out after 60 minutes of inactivity? I was thinking when people first log in the start time will be stored as 0, and whenever they click somewhere it will be set to zero again, but if they click again and their last click was more than 60 minutes ago, the cookie will be deleted, session unset, logged out, etc. How would I do this in PHP using the session cookie feature?

trq Posted August 11, 2009

See the session.cookie_lifetime directive.

danielspencer2 Posted August 11, 2009 Author

I found session.cookie_lifetime and it says: "session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means 'until the browser is closed.'" How does the server know that the browser is closed? Because when you close your web browser it doesn't send out any info to the server.

Mark Baker Posted August 11, 2009

> "session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means 'until the browser is closed.'" How does the server know that the browser is closed? Because when you close your web browser it doesn't send out any info to the server.

The server doesn't know that the browser has been closed. The cookie is held on the client browser, and it's the browser that decides whether or not the cookie should be retained when it closes down (and if so, for how long), based on the session.cookie_lifetime value (or appropriate parameter) that is passed to it by the server when the cookie is created.

The only way that the server can know that the browser has closed down is if an onunload event in the browser sends a request to the server indicating that it has closed down... not a particularly efficient method, as the onunload event can also be triggered by the browser being sent to a different site (because the user has entered a new URL in the address bar) or by a browser refresh.

JonnoTheDev Posted August 11, 2009

> How does the server know that the browser is closed

It doesn't, however the key fact is that the session is lost when the browser is closed. Imagine a piece of string with one person holding one end and another holding the opposite end. That is effectively the session between the browser and server. When the browser is closed imagine a big pair of scissors cutting the string in the middle. The only way to restore the connection is with a new piece of string, i.e. a brand new session.

danielspencer2 Posted August 12, 2009 Author

Thanks guys, that really helped. Does anyone know of a free website that makes their cookies expire when the browser is closed, so I can test this by signing up and logging in, then reloading my browser and see if I am indeed logged out?

trq Posted August 12, 2009

You could build a simple script to demonstrate this.

```php
<?php
// Resume the existing session, or start a new one (this sends the session cookie).
session_start();

// Following the link below marks this session as logged in.
if (isset($_GET['action']) && $_GET['action'] == 'login') {
    $_SESSION['in'] = true;
}

// Show the login link until the session carries the logged-in flag.
if (!isset($_SESSION['in'])) {
    echo '<a href="?action=login">Click here to login</a>';
} else {
    echo "You are logged in";
}
?>
```

The first time you open this page it will ask you to login, clicking the link will do so, once logged in page refreshes will simply display 'You are logged in', close your browser and visit the page again you should be logged out.

JonnoTheDev Posted August 12, 2009

> does anyone know of a free website that makes their cookies expire when the browser is closed

As cookies are stored on a user's computer they will not expire until the date they are told to expire. To end when a user closes their browser you use sessions.

danielspencer2 Posted August 14, 2009 Author

But does the code you provided me with use cookies or just sessions? If it uses a cookie, what information is found in the cookie and where is the session.cookie_lifetime value?

Mark Baker Posted August 14, 2009

> but does the code you provided me with use Cookies or just sessions? If it uses a cookie, what information is found in the cookie and where is the session.cookie_lifetime value?

Probably both, depending on your PHP configuration.

Typically, a cookie is stored in the client browser. That cookie name is (by default) PHPSESSID, and its value is the session ID allocated by PHP. If you have a cookie editor for your browser (an extremely useful testing tool), you can actually see this. The browser also holds a record of the domain which issued the cookie, and its lifetime... all pieces of information set by PHP when it sends the response headers instructing the browser to create the cookie.

Subsequently, whenever the browser sends a request to the server matching its domain and within the cookie lifetime, the cookie name/value itself is also sent to the server. If the browser sends a request to a server in a non-matching domain, or the cookie lifetime has expired, the cookie name/value is not sent with the request.

As an alternative, it is possible to configure PHP so that it doesn't use a cookie, but sends the session ID key/value pair as part of the request as a $_GET or $_POST parameter... you might then see the session ID value in the address bar.

The value of the session cookie matches a session file held on the server (typically in the /tmp directory, with a prefix of "sess_"), and it is in this file that all the session data is held. That data is not available to the browser, only to the PHP script.

danielspencer2 Posted August 14, 2009 Author

So would you be able to post here a simple PHP login script that uses sessions instead of cookies? And can you make sessions expire? Because I read that if a person sends their session ID URL to another person then the other person will be able to log in with just the URL.

Mark Baker Posted August 14, 2009

> So would u be able to post here a simple php login script that uses sessions instead of cookies?

No, because it always uses both (unless the session ID is passed for every request in the URL itself). The cookie is a pointer to the session. Without the cookie, the server has no idea there even is a session, let alone whose session file is whose. Use the cookies, safer and less for you to have to control from within your own code. thorpe's simple login script does exactly what you should be doing.

> And can you make sessions expire?

Sessions will expire after a period of inactivity, defined by the session.gc_maxlifetime value within the php.ini file.

> Because i read that if a person sends their session id url to another person then the other person will be able to login with just the url.

I've read that if a person sends their user ID and password to another person, then that second person can log in as them. If a user gives away their personal information like that, then there's very little that security checks can do. Hackers can also try to intercept HTTP packets travelling between browser and web server to read cookie data for the session ID. Session timeout with the session.gc_maxlifetime reduces the timeframe where the user has closed their browser, and the cookie value still has any value to a hacker.

If you want to make things even more secure, use SSL.

Bjom Posted August 14, 2009

The "automatic" logout can only mean: when after 60 minutes of inactivity the user does anything he will get logged out or redirected to the login page.

I have written an authentication class that provides that kind of functionality. You can check it out here and use it if you like, play around with it, or simply read it. There is an example in the download that you can play around with...

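The check described in the post above (log the user out on the first request that arrives more than 60 minutes after the previous one), as an added example that is not part of the thread and is not Bjom's authentication class. It assumes PHP 7.1 or later, reuses the `$_SESSION['in']` flag from trq's script, and introduces the hypothetical names `IDLE_LIMIT`, `$_SESSION['last_activity']` and `login.php`; the login code is assumed to set `last_activity` when it sets `in`.

```php
<?php
// Added example: include at the top of every protected page.
const IDLE_LIMIT = 3600; // 60 minutes of inactivity, in seconds

// Keep server-side session data at least as long as the idle limit. Garbage
// collection runs probabilistically, so it cannot be the only timeout check.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
// Lifetime 0 makes it a session cookie: the browser drops it when it closes.
ini_set('session.cookie_lifetime', '0');
session_start();

/** True when the session is logged in and its last request is recent enough. */
function session_is_fresh(array $session, int $now, int $limit): bool
{
    if (empty($session['in']) || !isset($session['last_activity'])) {
        return false;
    }
    return ($now - (int) $session['last_activity']) <= $limit;
}

/** Clear the session data, the browser cookie and the server-side record. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // An expiry in the past tells the browser to delete the cookie.
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$now = time();
if (!empty($_SESSION['in'])) {
    if (!session_is_fresh($_SESSION, $now, IDLE_LIMIT)) {
        // Idle too long: the timestamp lives on the server, so editing the
        // cookie in the browser cannot extend the session.
        end_session();
        header('Location: login.php?reason=timeout'); // hypothetical page
        exit;
    }
    $_SESSION['last_activity'] = $now; // this request counts as activity
}
```

Because the timestamp is stored in the session file and not in the cookie, the timeout holds even if the browser keeps or replays the cookie after the 60 minutes have passed.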
danielspencer2 Posted August 15, 2009 Author

I'm interested in finding out about passing the session ID in the URL for every request. I have searched Google but I can't find any example login scripts that use this method, do you know any that do?

trq Posted August 15, 2009

> I'm interested in finding out about passing the session id in the url for every request. i have searched google but i can't find any example login scripts that use this method, do you know any that do?

No. It's far less secure.

Bjom Posted August 15, 2009

Read the PHP manual on sessions. It's explained pretty well imho.

But as thorpe points out: it is far less secure and it is mainly useful as a workaround in cases where

a) you switch servers within a session, like when moving over to a proxy (SSL over a proxy is an example), but then you should reconsider your strategy and reconfigure ASAP anyway
b) it is absolutely impossible to work with cookies

So while it is good to know that the possibility exists, it is not advisable to use it as a standard method. Try and google for "session fixation" and you'll find good info about the security issues at hand.

Bjom

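The configuration side of the advice in the posts above (keep the session ID in the cookie, never in the URL, and guard against session fixation), as an added example that is not part of the thread. It assumes PHP 7.1 or later and an HTTPS site; `check_credentials()` and its demo account are constructed stand-ins for a real user lookup, and `last_activity` is a hypothetical session key.

```php
<?php
// Added example: cookie-only session IDs plus a fresh ID at login.
ini_set('session.use_only_cookies', '1'); // ignore session IDs sent in the URL
ini_set('session.use_trans_sid', '0');    // never rewrite links to carry the ID
ini_set('session.use_strict_mode', '1');  // reject IDs the server did not issue
ini_set('session.cookie_httponly', '1');  // hide the cookie from page scripts
ini_set('session.cookie_secure', '1');    // send the cookie over HTTPS only
session_start();

/** Hypothetical credential check against one constructed demo account. */
function check_credentials(string $user, string $pass): bool
{
    // Constructed sample data; a real site reads a stored hash per user.
    $demoHash = password_hash('demo-password', PASSWORD_DEFAULT);
    return hash_equals('demo', $user) && password_verify($pass, $demoHash);
}

// Request fields can arrive as arrays; accept plain strings only.
$user = is_string($_POST['user'] ?? null) ? $_POST['user'] : '';
$pass = is_string($_POST['pass'] ?? null) ? $_POST['pass'] : '';

if ($_SERVER['REQUEST_METHOD'] === 'POST' && check_credentials($user, $pass)) {
    // Swap the pre-login ID for a new one and delete the old session record,
    // so an ID known to anyone before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['in'] = true;
    $_SESSION['last_activity'] = time();
    echo 'You are logged in';
} else {
    echo '<form method="post">'
       . '<input name="user"> <input name="pass" type="password">'
       . '<button>Log in</button></form>';
}
```

With `session.cookie_secure` enabled the browser only returns the cookie over HTTPS, so testing this over plain HTTP will look like the login never sticks.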
danielspencer2 Posted August 18, 2009 Author

OK guys, I found out I will use PHP with session cookies, not persistent cookies:

http://www.dustinsdesign.com/php-sessions-vs-cookies/

Session cookies are stored in the browser's memory and not the user's hard drive.

One thing though, is the default HTTPS SSL cookie a session cookie or persistent cookie?