On a PHP membership website hosted on shared hosting, the session used to time out 30 minutes after closing the browser. We solved that problem by creating a users.ini file and creating a folder 'session' in public_html.

In the users.ini file, session.cookie_lifetime and session.gc_maxlifetime were extended, and session.save_path was set to the new directory path. The values of session.cookie_lifetime, session.gc_maxlifetime and session.save_path are also set in each PHP program.

We are now facing a new problem: securing the session folder that stores the PHP sessions. These are some queries that I have in this regard.

1) Is it possible to have the session folder above public_html to avoid direct access? If not, what can be done to secure that folder?

2) Does anything need to be mentioned in .htaccess to secure the users.ini file or the session folder? It currently uses the following in the .htaccess file:

    Options -Indexes
    <Files php.ini>
        order allow,deny
        deny from all
    </Files>

3) Can anyone directly access session files like sess_xyz123 created in the session folder? (We can't browse session files by visiting the URL www.domain.com/session/sess_xyz123.)

4) The session folder gets populated with session files for each user visit to the website. How do we remove empty session files that are no longer needed when a user leaves the website?

Looking forward to your reply. Thank you.

Edited by Jks
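A bootstrap file that addresses questions 1, 3 and the garbage-collection half of 4 in one place, as an added example that is not part of the original post. It assumes the file lives in public_html and that the session directory sits beside public_html (one level above the web root), so Apache never serves it at all; the one-week lifetime and the HTTPS assumption are placeholders for the values the post already keeps in users.ini.

```php
<?php
// Added example, not code from the original post. Included at the top of every
// page before any output. Assumed layout: this file is in public_html, and the
// session directory is /home/ACCOUNT/session, outside the web root.
declare(strict_types=1);

$sessionDir = dirname(__DIR__) . '/session';   // one level above public_html
$lifetime   = 7 * 24 * 3600;                   // assumed: one week, in seconds

// Create the directory if it is missing, then force 0700 regardless of umask so
// no other account on the shared host can list or read the session files.
if (!is_dir($sessionDir) && !mkdir($sessionDir, 0700, true)) {
    throw new RuntimeException("cannot create session directory $sessionDir");
}
chmod($sessionDir, 0700);

// Refuse to start if the directory is group- or world-accessible.
$perms = fileperms($sessionDir);
if ($perms === false || ($perms & 0077) !== 0) {
    throw new RuntimeException(sprintf(
        'session directory %s is group/world accessible (mode %o)',
        $sessionDir,
        $perms === false ? 0 : ($perms & 0777)
    ));
}
if (!is_writable($sessionDir)) {
    throw new RuntimeException("session directory $sessionDir is not writable by PHP");
}

// These must be set before session_start(); they override users.ini for this request.
ini_set('session.save_path', $sessionDir);
ini_set('session.gc_maxlifetime', (string) $lifetime);
ini_set('session.use_strict_mode', '1');   // ignore session IDs the server never issued
ini_set('session.use_only_cookies', '1');  // never accept the ID from the query string

// Run PHP's own garbage collector on roughly 1 in 100 requests. Some hosts ship
// gc_probability = 0, in which case PHP itself never removes stale files.
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');

session_set_cookie_params([
    'lifetime' => $lifetime,
    'path'     => '/',
    'domain'   => '',        // host-only cookie
    'secure'   => true,      // assumes the site is served over HTTPS
    'httponly' => true,      // keeps the ID out of document.cookie
    'samesite' => 'Lax',
]);

session_start();
```

Two caveats for shared hosts: if PHP runs as the web-server user rather than your account (mod_php without suexec), a 0700 directory owned by the account is not writable by PHP and the is_writable check above will fail, so the permission test has to be relaxed to 0770 with the right group; and if the host enforces open_basedir, the directory must be inside the allowed paths. For question 2, the same `<Files>` block the post already has for php.ini works for users.ini with the file name changed; the session directory itself needs no .htaccess once it is outside public_html, because Apache cannot reach it.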

I can answer number one and the answer is yes:

<?php
// Both paths resolve from the current file's directory, so '/../config/...'
// reaches one level above the web root, where Apache cannot serve it.
require_once __DIR__ . '/../config/starlite_config.php';
require_once "vendor/autoload.php";

and maybe number 4?
    /**
     * Log the current user out: revoke the database token, expire the
     * remember-me cookie, then destroy the PHP session.
     */
    public function logoff(): void
    {
        error_log("Starting logout process");

        // Clear the database token so the persistent login cookie can no longer be used
        if (isset($_SESSION['user_id'])) {
            $sql = "UPDATE {$this->table} SET token = NULL WHERE id = :id";
            $stmt = $this->pdo->prepare($sql);
            $stmt->execute(['id' => $_SESSION['user_id']]);
        }

        // Clear the login cookie with the same attributes it was set with,
        // otherwise the browser treats it as a different cookie and keeps the old one
        $isLocal = in_array($_SERVER['REMOTE_ADDR'], ['127.0.0.1', '::1']);
        $cookieDomain = $isLocal ? '' : 'www.phototechguru.com';

        setcookie('login_token', '', [
            'expires'  => time() - 3600,   // a date in the past expires the cookie
            'path'     => '/',
            'domain'   => $cookieDomain,
            'secure'   => !$isLocal,
            'httponly' => true,
            'samesite' => 'Lax'
        ]);

        // Clear the session: empty the data, expire the session cookie, then
        // remove the sess_* file on the server
        $_SESSION = [];
        if (isset($_COOKIE[session_name()])) {
            setcookie(session_name(), '', time() - 3600, '/');
        }
        session_destroy();

        error_log("Logout complete");
        header('Location: index.php');
        exit();
    }

Edited by Strider64
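session_destroy() only removes the file for a user who actually clicks log out; visitors who simply close the browser leave their sess_* file behind until garbage collection runs. The following cron script, an added example that is not from either post, covers that remaining half of question 4. It assumes the directory path and lifetime passed on the command line match what the site sets as session.save_path and session.gc_maxlifetime, and it applies the same rule PHP's own collector uses (modification time older than the lifetime), plus a short grace period for files that are still empty.

```php
<?php
// Added example, not code from the original posts. Run from cron on the
// shared host, e.g. hourly:
//   php /home/ACCOUNT/bin/purge_sessions.php /home/ACCOUNT/session 604800
// Assumed: the first argument is the site's session.save_path and the second
// is its session.gc_maxlifetime in seconds.
declare(strict_types=1);

/**
 * Delete stale session files and return the names that were removed.
 *
 * @param string   $dir         directory used as session.save_path
 * @param int      $maxLifetime session.gc_maxlifetime in seconds
 * @param int      $emptyGrace  seconds after which a 0-byte file is removed
 * @param int|null $now         injectable clock for testing
 * @return string[]
 */
function purgeStaleSessions(string $dir, int $maxLifetime, int $emptyGrace = 300, ?int $now = null): array
{
    $now ??= time();
    $removed = [];

    foreach (new DirectoryIterator($dir) as $entry) {
        // Only touch PHP session files; the ID alphabet depends on
        // session.sid_bits_per_character (hex, a-v, or a-v plus "," and "-").
        if (!$entry->isFile() || !preg_match('/^sess_[A-Za-z0-9,-]+$/', $entry->getFilename())) {
            continue;
        }

        // PHP refreshes mtime on every write, so idle time is now - mtime,
        // which is exactly the test PHP's built-in collector applies.
        $idle = $now - $entry->getMTime();
        $expired = $idle > $maxLifetime;
        // A 0-byte file is a session that never stored anything (a visitor
        // who only loaded pages); give it a shorter grace period.
        $emptyAndStale = $entry->getSize() === 0 && $idle > $emptyGrace;

        if (($expired || $emptyAndStale) && unlink($entry->getPathname())) {
            $removed[] = $entry->getFilename();
        }
    }

    return $removed;
}

if (PHP_SAPI === 'cli') {
    $dir = $argv[1] ?? (dirname(__DIR__) . '/session');
    $max = (int) ($argv[2] ?? ini_get('session.gc_maxlifetime'));
    if (!is_dir($dir) || $max <= 0) {
        fwrite(STDERR, "usage: purge_sessions.php <session_dir> <max_lifetime_seconds>\n");
        exit(1);
    }
    $removed = purgeStaleSessions($dir, $max);
    fprintf(STDERR, "removed %d stale session file(s) from %s\n", count($removed), $dir);
}
```

Pass the lifetime explicitly rather than relying on ini_get(): the CLI binary on a shared host usually reads a different php.ini from the web SAPI and will not see the site's users.ini. Removing an empty file early is safe with session.use_strict_mode enabled, because a browser that still presents that ID simply receives a fresh one on its next request; nothing was stored, so nothing is lost.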
