
What am I doing wrong with this php code for a 'forced session time out' ?


sunlight678


Hello there,

Hope that someone will be able to help me with the following:

 

I have a page which is password protected, where clients should only have limited access to, i.e. only for a few weeks.

Problem being that after they'd log in once, due to cache saving, they would still have constant access to the protected page thereafter.

And also due to cache saving, even if taking the page off the server, people would still be able to access that page from their cache

and this for an unlimited time, which is not the intention.  

 

Now I heard that by using php and a 'forced session time out command' it would solve this problem.

As with that, after a certain amount of time, people would be forced to log in again and couldn't view the page from cache.

And if I deleted their access credentials after their allowed access period, they wouldn't be able to access the page at all any longer.

 

But I am new to php, only used it for some forms before.

At that time I didn't put any php script on the page with the actual form, but only a short php script on the page, people would land on after filling-in the form.

Now I need to use php code on the above mentioned password protected directory,
as I like to include a 'forced session time out command' on the page.
For the password protection I use .htaccess.

 

But regarding the php code, I don't get it to work.
This time I only have one single page, that I need people to log in for & so I tried several codes' placements:

Tried to have the php code in the password protected file itself,
-but despite asking me to log in, it didn't display the page correctly, as it showed bits of the php code on the page.

Tried to create a separate logoutpage.php page with only the php code in it,
-but again, that didn't work either, as same result as above.
I had placed the php code within the body section.

 

The php code I have for the forced session time out is the following:

<?php
session_start();
// set timeout period in seconds
$inactive = 600;
// check to see if $_SESSION['timeout'] is set
if (isset($_SESSION['timeout'])) {
    $session_life = time() - $_SESSION['timeout'];
    if ($session_life > $inactive) {
        session_destroy();
        header("Location: logoutpage.php");
        exit; // stop here so the rest of the page is not sent after the redirect
    }
}
$_SESSION['timeout'] = time();
?>

My question:

+++++++With not having a form but a password protected file only, where exactly would I place the above (hopefully correct?) php code? And would this solve my problem regarding the 'saved cache' issue?

 

Many thanks for your help.

Link to comment

Hi.

 

This might be something of use for you;

/* set the cache limiter to 'private' */

session_cache_limiter('private');
$cache_limiter = session_cache_limiter();

/* set the cache expire to 30 minutes */
session_cache_expire(30);
$cache_expire = session_cache_expire();

/* start the session */

session_start();

echo "The cache limiter is now set to $cache_limiter<br />";
echo "The cached session pages expire after $cache_expire minutes";

Reference: http://www.php.net/manual/en/function.session-cache-expire.php

Link to comment

Thanks for this.

-- But where exactly do I put that code?

 

I tried it on the password protected file, in-between the 'head' tag, and also tried it in-between the 'body' tag,

but both show the text   "; echo "The cached session pages expire after $cache_expire minutes"; ?>   on the webpage.

 

-- And does this file have to have a .php ending then? I tried it, but it still displays the script on the page.

 

Please advise, thanks.

Link to comment

 

Yes, I had it wrapped in that code already. Still displayed the code on the webpage.

Had to cut the code down to



<?php

/* set the cache limiter to 'private' */

session_cache_limiter('private');
$cache_limiter = session_cache_limiter();

/* set the cache expire to 30 minutes */
session_cache_expire(30);
$cache_expire = session_cache_expire();

CODE ?>


Putting it on the page that is password protected, with the code in the head section and named the file a .php file.


However now it doesn't display the code on the page any longer, which is good, but the cache situation is still the same.

Tested it, even after over 40 minutes, one remains on that page and even when I took the protected page off the server one couldn't access that file initially,

but when I had saved the file under a different name and uploaded that one, which would be the procedure in the real scenario,

one is not forced to log in again, but simply has access to that new page again.

 

I am really at my wits' end here, can someone help to solve this?

I mean if there is a php coding for forced session time out and/or session expiry, then the cache shouldn't keep the access to a page like that.

 

???

 

Many thanks for your help.

Link to comment

Hi,

 

Changing the approach:

// Allows Session to run for min of 2 hours
ini_set('session.gc_maxlifetime', 7200);

// Client will have session id for EXACTLY 2 hour
session_set_cookie_params(7200);

Few things come to mind; Normally the server will Garbage collect after I believe default 20 minutes. If this is NOT working, then in the php.ini possibly these have been edited? So check the following:

  • session.gc_probability integer
  • session.gc_divisor integer
  • session.gc_maxlifetime integer

Reference: http://au1.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

 

General structure for session:

 

At the top of your page before the <html>:

<?php session_start(); ?>

After the <body>:

Setting Session
<?php
session_start();
// store session data
$_SESSION['views']=1;

//retrieve session data
echo "Pageviews=". $_SESSION['views'];

if(isset($_SESSION['views']))
$_SESSION['views']=$_SESSION['views']+1;
else
$_SESSION['views']=1;
echo "Views=". $_SESSION['views'];
?>
To destroy a session, i.e. on a logout page:
<?php
session_start();
if(isset($_SESSION['views']))
  unset($_SESSION['views']);
?>

OR

<?php
session_start(); // a session has to be started before it can be destroyed
session_destroy();
?>

Reference: http://www.w3schools.com/Php/php_sessions.asp

 

Hope this helps.

 

Please don't forget to press the solved button if we happen to solve it for you.

Edited by Ansego
Link to comment

Thanks again.

 

Unfortunately still no changes.

Even when I tested it, whenever I made a change to the page, before testing it again, I deleted the browser history/cache etc.

but didn't even have to log in again, when viewing the password protected page.

 

Re: the php.ini

I have not changed it, nor have I even seen it on the server anywhere. 

Checked and it's not there.

 

Either way I am still getting the same cache situation, as above, plus the webpage now shows the code text:

Pageviews=1Views=2

 

????

Thanks for any further ideas.

Link to comment

Are you sure you have php installed? lol. If php.ini is nowhere to be found that does not sound good... lol.

 

It seems you might have a php install problem not running through your http server correctly. These are my current thoughts.

 

Create a file called: phpinfo.php and add the following code to it: 

<?php

phpinfo();

?>
Link to comment

Well, though this might sound funny, but no I never physically 'installed any php' -- sorry.

However despite that my php forms work fine and in the root folder there is a php folder, too, although I didn't put it there...

 

I was under the impression php is a script language like html, which isn't to be installed either, just to be used.

Guess I am wrong ?

 

Created your mentioned file with the code, and uploaded it to the main site.

Made no change to the password protected file - cache issue though.

 

Or where should that new php file go?

Link to comment

Hi,

 

phpinfo.php file can be placed anywhere in your web folder and should give you a print out of all the settings from php. If that does not give a print out then your php install is incorrect. Html/css is more decorative / design, then you add scripts like php, asp, perl etc. Html runs without a server and can be run locally without the help of http server. If your php code is printing to screen then it would seem php is not installed or you're not running the file through the server or format of the code blocks, or extensions etc, so test the phpinfo.php file and if it gets a return like below then you're in business and we need to look at other problems. Are you running the web server from your private server?

 

This is what phpinfo looks like when it is run: (Do you get this?)

 

xampp-phpinfo.png

Link to comment

Thank you for your reply :-).

I must have had php installed already, but now I installed it again and have version 5.4 running (before it must have been 5.3).

Checked with the webhost (on a shared Linux Server). However they said I won't be having any php.ini file nor any other php file like phpinfo.php.
Which is strange as there is a php folder in my root directory, which they don't seem to acknowledge, and I didn't put it there.
Very odd - but never mind. I still only have the phpinfo.php file online now, the one I uploaded yesterday, with the code in it, like you advised.

Either way, I tried the page again with the php code you mentioned (set to private and cache expiry at 30 mins, but without the echo details)

so that the code wouldn't display on the page.
Today I started testing it already, and I was asked for log in details after 1 hr, also after 30 mins, also after 15 mins, and eventually even after 2 minutes.

But rather strangely, whenever I 'just uploaded' a new file (after I saved the file under a different name and uploaded it and took the old file off the server,
and deleted the username and password), there seems to be some kind of time span (possibly about 2 hours),
during which one is not asked for the log in details at all, as the password protected page simply displays again.
But after that time span, one is asked to log in again, from about 2 mins onwards.

Tomorrow I will test it more, by playing around with all the different php code options, provided in this thread here. 

 

Will update after the testing is complete.
                                                         

Link to comment

Here now the promised update, after   a l o t   of testing!

 

Now it works, with the cache not getting stored.

 

But -- as advice for anybody else on this topic:

 

When using the private php setting, as mentioned above, the following is essential:

- the echo details need to be omitted,

- the script ending has to be either 'CODE' ?> or only ?>

As when using CODE ?> a php error is created every single time, and subsequently creating a rather long error log.

 

However something is really odd, the following html code on its own:

 

<meta http-equiv="Cache-Control" content="no-cache, no-store, must-revalidate"/>
<meta http-equiv="Pragma" content="no-cache"/>
<meta http-equiv="Expires" content="0"/>

 

put into a normal .htm page, instead of the php script, works exactly the same.

So possibly the php is not even necessary for non caching??

 

But I am still going to use it, assuming that it hopefully (??) will make the page even more secure (??).

Link to comment
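
An added example, not code from any poster in this thread: one way to combine the pieces discussed above in a single .php file, placed before any HTML. It keeps the thread's idle timeout, adds a hard end date per client, and sends the no-cache directives as real HTTP headers instead of meta tags. The names IDLE_LIMIT, ACCESS_ENDS, access_state() and the client user names are assumptions for illustration.

```php
<?php
// Added example. Must be the first thing in the .php file: session_start()
// and header() only work before any HTML output has been sent.

const IDLE_LIMIT = 600; // seconds of inactivity, as in the thread's $inactive
// Assumed per-client access windows (constructed sample data). Keys are the
// .htaccess user names, values the last day each client may view the page.
const ACCESS_ENDS = [
    'client_a' => '2030-01-31',
    'client_b' => '2030-02-14',
];

// Returns 'ok', 'expired' (access period over) or 'idle' (session timed out).
function access_state(?string $user, int $now, ?int $lastSeen): string
{
    $ends = ACCESS_ENDS[$user ?? ''] ?? null;
    if ($ends === null || $now > strtotime($ends . ' 23:59:59')) {
        return 'expired';
    }
    if ($lastSeen !== null && $now - $lastSeen > IDLE_LIMIT) {
        return 'idle';
    }
    return 'ok';
}

session_start();

// Real HTTP headers: unlike <meta http-equiv> tags, these are part of the
// response itself, so intermediate caches see them as well as the browser.
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

// REMOTE_USER is set by Apache once .htaccess Basic authentication succeeds.
$state = access_state($_SERVER['REMOTE_USER'] ?? null, time(),
                      $_SESSION['timeout'] ?? null);

if ($state === 'expired') {
    // Server-side check: it applies on every request, whatever is cached.
    http_response_code(403);
    exit('Your access period has ended.');
}
if ($state === 'idle') {
    session_destroy();
    header('Location: logoutpage.php');
    exit;
}
$_SESSION['timeout'] = time();
?>
```

With .htaccess Basic authentication the browser keeps re-sending the stored credentials, so the idle branch alone does not bring back the password prompt. The expiry check and removing the user from the password file are what actually end access.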
