Automatic logout after 60 Minutes of inactivity


danielspencer2

How would I use PHP and the session cookie feature it provides to make a user automatically log out after 60 minutes of inactivity?

 

I was thinking when people first login the start time will be stored as 0, and whenever they click somewhere it will be set to zero again, but if they click again and their last click was more than 60 minutes ago, the cookie will be deleted, session unset, logged out, etc.

 

How would I do this in PHP using the session cookie feature?
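The procedure sketched in the post above (record when the user was last active, compare on every request, and tear the session down once the gap exceeds the limit) written out as a complete script. This is an added example, not code from anyone in the thread; the `?action=login` / `?action=logout` parameters and the 60-minute limit are assumptions for the demo. Note that session.gc_maxlifetime on its own only tells PHP's garbage collector when a session file may be removed, and collection runs probabilistically, so the timestamp check in code is what makes the 60 minutes reliable.

```php
<?php
// Added example: inactivity timeout enforced in PHP code (not from the thread).
// Assumed for the demo: this script is both the page and the login handler,
// driven by ?action=login and ?action=logout.
declare(strict_types=1);

const IDLE_LIMIT = 60 * 60; // 60 minutes, in seconds

// Keep the garbage-collection lifetime at least as long as the idle limit so PHP
// does not delete a session that our own check would still consider live.
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
session_start();

// Clear the server-side data and expire the browser's session cookie.
function log_out(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,   // in the past: browser discards it
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
    session_destroy();
}

// Returns true while the session is live; false if not logged in or timed out.
function touch_or_expire(int $limit): bool
{
    if (!isset($_SESSION['in'])) {
        return false;
    }
    $last = $_SESSION['last_activity'] ?? 0;
    if (time() - $last > $limit) {
        log_out();
        return false;
    }
    // Any request inside the limit counts as activity. Store a real timestamp
    // (not 0) so the next request can compute how long the user was idle.
    $_SESSION['last_activity'] = time();
    return true;
}

$action = $_GET['action'] ?? '';

if ($action === 'login') {
    // A real application verifies credentials before reaching this point.
    session_regenerate_id(true);        // new ID when privilege level changes
    $_SESSION['in'] = true;
    $_SESSION['last_activity'] = time();
} elseif ($action === 'logout') {
    log_out();
}

if (touch_or_expire(IDLE_LIMIT)) {
    echo 'You are logged in. <a href="?action=logout">Log out</a>';
} else {
    echo '<a href="?action=login">Click here to login</a>';
}
```

To see the timeout without waiting an hour, lower IDLE_LIMIT to a few seconds, log in, wait, and reload: the check runs on the reload, which is exactly the "logged out the next time the user does anything" behaviour the thread converges on.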

I found session.cookie_lifetime and it says:

 

"session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means 'until the browser is closed.'"

 

How does the server know that the browser is closed? Because when you close your web browser it doesn't send out any info to the server.

 

 

 

See the session.cookie_lifetime directive.

"session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. The value 0 means 'until the browser is closed.'"

 

How does the server know that the browser is closed? Because when you close your web browser it doesn't send out any info to the server.

The server doesn't know that the browser has been closed.

The cookie is held on the client browser, and it's the browser that decides whether or not the cookie should be retained when it closes down (and if so, for how long), based on the session.cookie_lifetime value (or appropriate parameter) that is passed to it by the server when the cookie is created.

 

The only way that the server can know that the browser has closed down is if an onunload event in the browser sends a request to the server indicating that it has closed down... not a particularly efficient method, as the onunload event can also be triggered by the browser being sent to a different site (because the user has entered a new URL in the address bar) or by a browser refresh.

 

How does the server know that the browser is closed

It doesn't; however, the key fact is that the session is lost when the browser is closed. Imagine a piece of string with one person holding one end and another holding the opposite end. That is effectively the session between the browser and server. When the browser is closed, imagine a big pair of scissors cutting the string in the middle. The only way to restore the connection is with a new piece of string, i.e. a brand new session.

You could build a simple script to demonstrate this.

 

<?php
// Resume the existing session (or create a new one and send its cookie).
session_start();

// Clicking the login link marks this session as logged in.
if (isset($_GET['action']) && $_GET['action'] === 'login') {
  $_SESSION['in'] = true;
}

// The flag lives in the server-side session data, not in the cookie itself.
if (!isset($_SESSION['in'])) {
  echo '<a href="?action=login">Click here to login</a>';
} else {
  echo "You are logged in";
}
?>

 

The first time you open this page it will ask you to log in; clicking the link will do so. Once logged in, page refreshes will simply display 'You are logged in'. Close your browser and visit the page again and you should be logged out.

But does the code you provided me with use cookies or just sessions? If it uses a cookie, what information is found in the cookie and where is the session.cookie_lifetime value?

 

But does the code you provided me with use cookies or just sessions? If it uses a cookie, what information is found in the cookie and where is the session.cookie_lifetime value?

Probably both, depending on your PHP configuration.

Typically, a cookie is stored in the client browser. That cookie's name is (by default) PHPSESSID, and its value is the session ID allocated by PHP. If you have a cookie editor for your browser (an extremely useful testing tool), you can actually see this. The browser also holds a record of the domain which issued the cookie, and its lifetime... all pieces of information set by PHP when it sends the response headers instructing the browser to create the cookie.

Subsequently, whenever the browser sends a request to the server matching its domain and within the cookie lifetime, the cookie name/value itself is also sent to the server. If the browser sends a request to a server in a non-matching domain, or the cookie lifetime has expired, the cookie name/value is not sent with the request.

As an alternative, it is possible to configure PHP so that it doesn't use a cookie, but sends the session ID key/value pair as part of the request as a $_GET or $_POST parameter... you might then see the session ID value in the address bar.

 

The value of the session cookie matches a session file held on the server (typically in the /tmp directory, with a prefix of "sess_"), and it is in this file that all the session data is held. That data is not available to the browser, only to the PHP script.
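A script that makes the split described in the reply above visible: the only thing in the cookie is the ID, the Set-Cookie header carries the attributes PHP was told to use, and the data lives in a sess_ file on the server. Added example, not code posted in the thread; the cookie attributes chosen here and the 'visits' counter are constructed for the demo. Run it under a web SAPI (for instance `php -S localhost:8000`), since headers_list() and cookies are meaningless on the CLI.

```php
<?php
// Added example: what the session cookie carries vs. what stays server-side.
// Not from the thread. Request the page twice in a browser: the second request
// sends the cookie back and the visit counter advances.
declare(strict_types=1);

// Attributes PHP will put in the Set-Cookie header. lifetime 0 is a "session
// cookie": kept until the browser closes, at the browser's discretion.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => isset($_SERVER['HTTPS']),   // only over TLS when available
    'httponly' => true,                       // not readable by page scripts
    'samesite' => 'Lax',
]);
session_start();

// Constructed sample data: this never leaves the server.
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;

header('Content-Type: text/plain');

echo "Cookie name       : ", session_name(), "\n";      // PHPSESSID by default
echo "Cookie value (ID) : ", session_id(), "\n";
echo "Cookie sent by browser on this request: ",
     isset($_COOKIE[session_name()]) ? 'yes' : 'no (new session)', "\n\n";

// PHP only emits Set-Cookie when it creates or changes the session cookie.
echo "Set-Cookie header(s) in this response:\n";
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo "  $h\n";
    }
}

// Where the data actually lives. save_path may be empty (PHP then uses the
// system temp directory) or carry an "N;/path" prefix; only the plain form is
// handled here.
$path = ini_get('session.save_path') ?: sys_get_temp_dir();
echo "\nServer-side file  : $path/sess_", session_id(), "\n";
echo "Session data      : ", json_encode($_SESSION), "\n";
echo "\nOnly the ID above is ever sent to the browser; 'visits' exists only in the file.\n";
```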

So would you be able to post here a simple PHP login script that uses sessions instead of cookies?

 

And can you make sessions expire? Because I read that if a person sends their session ID URL to another person, then the other person will be able to log in with just the URL.

So would you be able to post here a simple PHP login script that uses sessions instead of cookies?

No, because it always uses both (unless the session id is passed for every request in the URL itself). The cookie is a pointer to the session. Without the cookie, the server has no idea there even is a session, let alone whose session file is whose.

Use the cookies; it's safer and less for you to have to control from within your own code.

 

thorpe's simple login script does exactly what you should be doing.

 

 

And can you make sessions expire?

Sessions will expire after a period of inactivity, defined by the session.gc_maxlifetime value within the php.ini file.

 

 

Because I read that if a person sends their session ID URL to another person, then the other person will be able to log in with just the URL.

I've read that if a person sends their user id and password to another person, then that second person can log in as them. If a user gives away their personal information like that, then there's very little that security checks can do.

Hackers can also try to intercept HTTP packets travelling between browser and web server to read cookie data for the session ID.

Session timeout with session.gc_maxlifetime reduces the timeframe in which the user has closed their browser and the cookie value still has any value to a hacker.

 

If you want to make things even more secure, use SSL.

 

The "automatic" logout can only mean: when, after 60 minutes of inactivity, the user does anything, he will get logged out or redirected to the login page.

 

I have written an authentication class that provides that kind of functionality. You can check it out here and use it if you like, play around with it, or simply read it. There is an example in the download that you can play around with...

I'm interested in finding out about passing the session ID in the URL for every request. I have searched Google but I can't find any example login scripts that use this method. Do you know any that do?

I'm interested in finding out about passing the session ID in the URL for every request. I have searched Google but I can't find any example login scripts that use this method. Do you know any that do?

 

No. It's far less secure.

Read the PHP manual on sessions. It's explained pretty well IMHO.

 

But as thorpe points out, it is far less secure and it is mainly useful as a workaround in cases where:

a) you switch servers within a session, like when moving over to a proxy (SSL over a proxy is an example), but then you should reconsider your strategy and reconfigure ASAP anyway;

b) it is absolutely impossible to work with cookies.

 

So while it is good to know that the possibility exists, it is not advisable to use it as a standard method.

 

Try and Google for "session fixation" and you'll find good info about the security issues at hand.

 

Bjom
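The settings that turn the thread's advice into configuration: keep the session ID out of URLs entirely, refuse IDs the server never issued, and hand out a fresh ID at login so a pre-login ID is worthless afterwards (which is what makes session fixation fail). This is an added example, not code from the thread or from Bjom's class; the `?action=login` flow and the 'demo-user' value are constructed placeholders, and ini_set() here is equivalent to putting the same directives in php.ini.

```php
<?php
// Added example: session settings against URL-carried IDs and fixation.
// Not from the thread. Directives must be set before session_start().
declare(strict_types=1);

ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid',    '0');   // never rewrite links to carry the ID
ini_set('session.use_strict_mode',  '1');   // reject IDs the server did not issue
ini_set('session.cookie_httponly',  '1');   // cookie not readable by page scripts
ini_set('session.cookie_samesite',  'Lax');
ini_set('session.cookie_secure',    '1');   // requires HTTPS (the "use SSL" advice)

session_start();

// Issue a new ID at the moment of login. Whatever ID the browser carried before
// authentication (possibly one it was handed by someone else) no longer maps to
// anything, and the old server-side file is deleted.
function login_user(string $userId): void
{
    session_regenerate_id(true);        // true = also delete the old session file
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

function current_user(): ?string
{
    return $_SESSION['user_id'] ?? null;
}

header('Content-Type: text/plain');

if (($_GET['action'] ?? '') === 'login') {
    // Placeholder: real code verifies a password before calling login_user().
    $before = session_id();
    login_user('demo-user');
    echo "ID before login: $before\n";
    echo "ID after login : ", session_id(), "\n";
} else {
    echo current_user() !== null
        ? "Logged in as " . current_user() . "\n"
        : "Not logged in\n";
}
```

With use_strict_mode on, a request that arrives with an unknown ID in its cookie gets a brand-new session instead of having that ID adopted, which is the server-side half of the defence; the regeneration at login is the application's half.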
