Setting a 5 minute session expire time

[ryanmm]

trying to understand how i would go about setting a 5 minute session lifetime

I gather you can set the max time between garabge collection by using:
ini_set('session.gc_maxlifetime', 300);

But, I understand on a shared hosting environment, changing just the session.gc_maxlifetime may not be effective because if there are other websites with a lower value (or using the default value) they will end up clearing the session data.

So what you can do is set up you own save path using
session_save_path($path);

Now, on x10 pemium, would I have to set up a custom path for EVERY user that logs in to my site?

And what page would I put this code on
ini_set('session.gc_maxlifetime', 300);
session_save_path($path);
session_start();

would I have to put it one every page, or will just putting it on the first page the user is likely to come across work, like login.php for example?

I've also read that you can set this up in your .htaccess file:

php_value session.gc_maxlifetime 300
php_value session.save_path "/PATH/TO/SESSIONS"

Is this the preferred way to do thinngs?

[Livewire]

Can make it easier if you do session_set_cookie_params: http://www.php.net/manual/en/functio...kie-params.php

void session_set_cookie_params ( int $lifetime [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]] )

Set cookie parameters defined in the php.ini file. The effect of this function only lasts for the duration of the script. Thus, you need to call session_set_cookie_params() for every request and before session_start() is called.

Upshot is the very first parameter is how many seconds said cookie should last before expiring, which is pretty much exactly what you wanted

A note here is when it says "defined in the php.ini file," I believe it means "without actually modifying php.ini, change how this particular session cookie will be handled." Shouldn't mess with other session-using apps on your site, or with the ini file

[ryanmm]

Thank you livewire. I thought that cookies only adjust how things ran on the client's computer, and not the server?

Here's what I'm really trying to do:

There is no fail proof way of telling when the user naviagtes away from my page, or closes the tab in their browser they are using to view it. The only way they can actually be logged out and close the session is if they click logout first, which they may not do, in fact hardly anyone will do this

I thought a good solution to this would be to have short session lifetimes, and then have some javascript on the page which keeps renewing the session. Then, if the user navigates away or closes the tab, the JS to renew the session won't run and the session will expire. When the user returns to my site, they will find they have been logged out and their session has been destroyed.

So really, this is something that has to take place in the server with session lifetimes and garbage collection, and not on the clients pc with cookies, right?

[Livewire]

From what I can tell, the cookie tells the server what your session ID is. Without the cookie (because it expired), the server can't find your session and treats you as logged out.

That's about it in a nutshell, cause if there's no session ID for the client to give the server, the server just says "start over then" and makes you log back in.

[Livewire]

Scratch everything I just said and check hre instead: http://stackoverflow.com/questions/5...ter-30-minutes

Someone did a way over-the-top explanation of why I'm wrong :P

[ryanmm]

Livewire pointed out problems with using session.gc_maxlifetime and the cookies approach.

That was good but it still presented the problem of actually blocking out the real user.

So I devised a plan to use javascript to run some php that, instead of looking to see if it should log the user off, looked to see it it could keep the user logged on. Therefore, as long as the real user left the tab open, the javascript would keep updating a time stamp held in a session var, but if they navigate away, or close the browser tab, the javascript wouldn't run, and the timestamp wouldnt be refreshed. Then the next action anyone took on my site would run through some php that comes before any html or headers would log them out.

Of course, this leaves the obvious problem of public libraries and such where someone could come along and use the users account if they forget to close the tab or browser. Ironically this is the problem most features like a short session lifetime look to circumvent in the first place. But im ok with that. The user should have some responsibility with their own account. I mean to access it publicly and then just leave it open and walk away, when they have something invested in the account? I'm not worried about that. What i'm worried about is hackings eavesdropping in on my sessions, and/or being able to use fixation, etc...

WEBPAGE:

Code:

<?PHP
   session_start();

   if(!isset($_SESSION['freshTime']) || time() - $_SESSION['freshTime'] > 400)
   {
       header("location: Logout.php");
       exit();	
   }
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<script type="text/javascript">
function refreshNow() 
{
	document.getElementById('security-code').innerHTML = "<iframe src='refreshTime.php'></iframe>";
}

function MyOnLoad()
{
	refreshNow();
	setInterval("refreshNow()", 300000);
}
</script>
</head>

<body onload="MyOnLoad();">

<div style="display:none" id="security-code">&nbsp;</div>
<div> content...  content...  content...  content... </div>

</body>

</html>

refreshTime.php

Code:

<?PHP

session_start();
$_SESSION['freshTime'] = time();
             
?>

I'd be grateful for any critiquing or improvement upon this code.

Thanks all.