From: Floyd Resler on
We just got a client whose requirement is that user sessions expire after 30 minutes of inactivity. Our other clients are happy with not having their sessions expire during the work day (i.e. life is 8 hours). I am using a MySQL database to store the session data. My thought is to adjust the session expiration in the table based on the client currently logged in. Is this a good approach or would there be better ways to do it? And just to clarify: all clients use the same Web site.

Thanks!
Floyd

From: chris h on
> My thought is to adjust the session expiration in the table based on the
> client currently logged in.
>
>
I don't know if there's a better way, but I would probably just do that.
The expiration would be set to whatever the client's preference is, and
default to 8 hours if he doesn't have one. You may want to set some checks
to ensure that the client's preference is within a specific range (e.g.
between 30 minutes and 16 hours).


Chris.
From: Andrew Ballard on
On Tue, Sep 14, 2010 at 10:26 AM, Floyd Resler <fresler(a)adex-intl.com> wrote:
> We just got a client whose requirement is that user sessions expire after 30 minutes of inactivity.  Our other clients are happy with not having their sessions expire during the work day (i.e. life is 8 hours).  I am using a MySQL database to store the session data.  My thought is to adjust the session expiration in the table based on the client currently logged in.  Is this a good approach or would there be better ways to do it?  And just to clarify: all clients use the same Web site.
>
> Thanks!
> Floyd

I store the date and time of the last page access and the session
lifetime in minutes in the database. Then when I fetch the session
from the database, the WHERE clause includes a condition that the
number of minutes elapsed between the current date/time and the time
stored in the session table is less than the session lifetime (maximum
duration of inactivity for that session). That way, each individual
user could have his or her own session timeout period if needed.

Andrew
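
Added example, not part of the original thread or any poster's code: one way to combine the per-session WHERE-clause check described above with the range check suggested earlier in the thread. The `sessions` table, its columns and the functions `clampLifetime` and `fetchSession` are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs on its own.

```php
<?php
// Added example: table, column and function names are hypothetical.
const MIN_LIFETIME = 30;          // minutes, lower bound suggested in the thread
const MAX_LIFETIME = 16 * 60;     // minutes, upper bound suggested in the thread
const DEFAULT_LIFETIME = 8 * 60;  // minutes, used when no preference is set

// Fall back to the default, then force the value into the allowed range.
function clampLifetime(?int $preferred): int
{
    return max(MIN_LIFETIME, min(MAX_LIFETIME, $preferred ?? DEFAULT_LIFETIME));
}

// Return the session data only while the row is inside its own idle window;
// an expired row is never returned, whatever cookie the browser presents.
function fetchSession(PDO $db, string $id, int $now): ?string
{
    $stmt = $db->prepare(
        'SELECT data FROM sessions
          WHERE id = :id AND (:now - last_access) < lifetime_minutes * 60'
    );
    $stmt->bindValue(':id', $id);
    $stmt->bindValue(':now', $now, PDO::PARAM_INT);
    $stmt->execute();
    $data = $stmt->fetchColumn();
    if ($data === false) {
        return null; // unknown id or idle for too long
    }
    // Activity restarts the inactivity clock.
    $touch = $db->prepare('UPDATE sessions SET last_access = ? WHERE id = ?');
    $touch->execute([$now, $id]);
    return $data;
}

// Constructed sample rows in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT,
           last_access INTEGER, lifetime_minutes INTEGER)');
$now = time();
$insert = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?, ?)');
$insert->execute(['strict', 'user=1', $now - 45 * 60, clampLifetime(30)]);
$insert->execute(['workday', 'user=2', $now - 45 * 60, clampLifetime(null)]);
$insert->execute(['toolow', 'user=3', $now - 10 * 60, clampLifetime(5)]);

var_dump(fetchSession($db, 'strict', $now));   // 45 min idle, 30 min limit
var_dump(fetchSession($db, 'workday', $now));  // 45 min idle, 8 h default
var_dump(fetchSession($db, 'toolow', $now));   // 5 min request raised to 30
```
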
From: tedd on
At 10:26 AM -0400 9/14/10, Floyd Resler wrote:
>We just got a client whose requirement is that user sessions expire
>after 30 minutes of inactivity. Our other clients are happy with
>not having their sessions expire during the work day (i.e. life is 8
>hours). I am using a MySQL database to store the session data. My
>thought is to adjust the session expiration in the table based on
>the client currently logged in. Is this a good approach or would
>there be better ways to do it? And just to clarify: all clients use
>the same Web site.
>
>Thanks!
>Floyd

Floyd:

I don't know how others solve this, but my solution is pretty
straightforward (see code below).

I require this code for every script that is in the secured area.
Simply put, if the user runs a script, then this script is also run.

As a result, if the user is not logged in they are directed to the
login script. If the user is logged in, but has exceeded the
expiration time due to inactivity, then the user is redirected to the
same login script with a GET value to trigger the login script to
report that they timed out due to inactivity.

I find it bad practice to tell a user that they are not logged in
when they did log in. It's better to explain why they have to log on
again.

Now, with respect to your storing the expiration time in the
database, that could be done easily enough by this script accessing
the database, getting, and setting the time-limit -- OR -- at the
start of any logon have the script pull the time-limit from the
database and store that value in a SESSION. Either way would work.

In any event, this is what I do.

Cheers,

tedd

========== code

<?php

$redirect = 'http://yourdomain.com/admin/logon.php';

// standard security

$secure = isset($_SESSION['security']) ? $_SESSION['security'] : 0;

// if admin is not logged in -- then redirect to the admin logon
if ($secure == 0)
{
    header("location:$redirect");
    exit();
}

// timed security

$_SESSION['start'] = isset($_SESSION['start']) ? $_SESSION['start'] : 0;

$timelimit = 15 * 60; // 15 minutes
$now = time();

// inactive for longer than the limit -- log off and flag the timeout
if ($now > $_SESSION['start'] + $timelimit)
{
    logOff();
    $t = '?t=1';
    header("location:$redirect$t");
    exit();
}

// still active -- restart the inactivity clock
$_SESSION['start'] = time();

// properly logged on pass here

?>


<?php //============ log off function =============
// to destroy the current session

function logOff()
{
    $_SESSION = array();

    // expire the session cookie in the browser
    if (isset($_COOKIE[session_name()]))
    {
        setcookie(session_name(), '', time()-86400, '/');
    }
    session_destroy();
}

--
-------
http://sperling.com/
From: Floyd Resler on
Tedd,
I really like your solution. The idea of storing the expiration in the SESSION makes it easier for me and makes it more flexible. Someone else had provided a solution that would actually allow me to take it down to a user level if I needed to. I loved the idea for flexibility but would have required a major rewrite. Your idea gives me the flexibility and doesn't require any major rewriting - just a little tweaking.

Thanks!
Floyd
