
Can anyone tell me how to modify a timeout for a web app when logged in? Here are the known specs:

=> there is no session hash in the URL when logging in.
=> default timeout for no transacting activity is 5 minutes.

I really have no way to know if the timeout is located in the local cookie or stored in the web app [session] itself. It's a large PHP application that I'm referring to. And before anyone asks, no, it's not a hacking attempt. This is simply an attempt by me to stop this little annoyance. I realize that a lot of people do this sort of thing for security reasons. Also, every transaction on the website (moving from page to page, clicking buttons) results in more than one file with a hash-based name being put in Firefox's cache.

Thanks.

Adam

https://forums.phpfreaks.com/topic/311447-timeout-data-located-in-cookie-files/

$_SESSION data is stored on the server. If you run 'phpinfo()' and look for the variable 'session.save_path' you can see exactly where it is. Cookies, on the other hand, are stored on the client.

Edited by gw1500se

You can see the expiration time of the cookie. Five minutes is really short, though, so I doubt the timeout is coming from an expired cookie.

Which means it's server-side and there's nothing you can do about it.

Thanks, guys.

12 hours ago, requinix said:

You can see the expiration time of the cookie. Five minutes is really short, though, so I doubt the timeout is coming from an expired cookie.

Which means it's server-side and there's nothing you can do about it.

req,

Can you give me any insight into the %age of what web apps being used by companies set timeouts inside of cookie files that sit on a client vs. those that use sessions or any type of "pointer code" in a client cookie file to read server data and detect the timeout expiration? Which method is more common and why? Or is this just one of those pointless arguing topics that software developers go back and forth with forever only to end up in a draw? 😃

1 hour ago, ajetrumpet said:

Can you give me any insight into the %age of what web apps being used by companies set timeouts inside of cookie files that sit on a client vs. those that use sessions or any type of "pointer code" in a client cookie file to read server data and detect the timeout expiration?

:psychic:

 

1 hour ago, ajetrumpet said:

Which method is more common and why? Or is this just one of those pointless arguing topics that software developers go back and forth with forever only to end up in a draw? 😃

Forget "common" and think about "purpose".

A session cookie lasts potentially forever, but it disappears when the browser closes. Is "forever" a problem? User authentication should not last forever.
A regular cookie lasts until some particular time, assuming it does not get refreshed. But once that time passes, the data contained by the cookie is lost. Is losing that data a problem? User tracking data should not disappear or else you'll mistakenly count too many users.
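
An added example (not part of the thread and not the application's own code) of what a server-side idle timeout typically looks like in PHP, showing why the cookie's expiry plays no part in it. The helper name `touch_or_expire`, the `last_activity` key and the sample request times are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 300; // 5 minutes, the idle timeout quoted in the thread

/**
 * Hypothetical helper: returns true if the request may proceed, false if
 * the session sat idle too long and has been cleared.
 * $session stands in for $_SESSION (after session_start()); $now for time().
 */
function touch_or_expire(array &$session, int $now, int $idleLimit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;

    // The deadline lives in server-side state. Nothing the browser sends
    // (cookie value, cookie expiry) is consulted here.
    if (is_int($last) && ($now - $last) > $idleLimit) {
        // In a live application this is where session_unset() and
        // session_destroy() would be called as well.
        $session = [];
        return false;
    }

    // Sliding window: every accepted request resets the idle clock.
    $session['last_activity'] = $now;
    return true;
}

// Constructed demo: one session, request times in seconds since login.
$session = ['user' => 'adam', 'last_activity' => 0];
foreach ([120, 400, 701] as $t) {
    $ok = touch_or_expire($session, $t);
    printf("t=%4ds  %s\n", $t, $ok ? 'active' : 'expired, login required');
}
```

The cookie in this arrangement only carries the session ID, so lengthening its lifetime in the browser changes nothing once the server has discarded the matching session.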
