How do we keep a session alive for 30 minutes and then destroy it?

We need to implement our own session timeout. The two ini options that look like they do this, session.gc_maxlifetime and session.cookie_lifetime (http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime), are not reliable on their own:

First Option:
session.gc_maxlifetime

  • session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up. Garbage collection runs during session start, but only with probability session.gc_probability / session.gc_divisor (1% by default), so a session can survive well past gc_maxlifetime; some distributions also disable this probabilistic GC in favour of a cron job.

Second Option:
session.cookie_lifetime

  • session.cookie_lifetime specifies the lifetime, in seconds, of the cookie sent to the browser. The browser enforces this, not the server: a client can keep presenting the cookie (or the session ID it contains) after it should have expired, and the server will still accept it.

Best solution:

  • Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:
php code
// after session_start()
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();   // unset $_SESSION variable for the run-time
    session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
  • Updating the session data with every request also changes the session file's modification date, so the garbage collector does not remove a session that is still in use.
  • Use an additional time stamp to regenerate the session ID periodically, to limit the window for attacks on sessions such as session fixation:
php code
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time(); // update creation time
}
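The two checks above are usually wanted together, plus an absolute lifetime and a teardown that also expires the cookie. The following include file is an added example written for this page, not code from the original answer; the function names (enforce_session_timeout, end_session), the constants and the 8-hour absolute limit are this example's own choices.

```php
<?php
// session_guard.php (added example): idle timeout, absolute lifetime and
// periodic session ID regeneration in one place. Include it on every page.

const IDLE_TIMEOUT     = 1800;     // 30 minutes without a request
const ABSOLUTE_TIMEOUT = 8 * 3600; // 8 hours since the session was created (assumed value)
const REGENERATE_EVERY = 1800;     // rotate the session ID every 30 minutes

// Tear the session down completely: data on the server and the cookie on the client.
// session_destroy() alone leaves the cookie in the browser, so the client keeps
// sending the old ID on every request.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        // Expire the cookie so the browser stops presenting the old ID
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Returns true while the session is valid; false when it was expired and destroyed.
// $now is injectable so the logic can be exercised with fixed timestamps.
function enforce_session_timeout(?int $now = null): bool
{
    $now = $now ?? time();
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // First request of this session: record creation, activity and rotation times
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED']          = $now;
        $_SESSION['LAST_ACTIVITY']    = $now;
        $_SESSION['LAST_REGENERATED'] = $now;
        return true;
    }
    $idle = $now - $_SESSION['LAST_ACTIVITY'];
    $age  = $now - $_SESSION['CREATED'];
    if ($idle > IDLE_TIMEOUT || $age > ABSOLUTE_TIMEOUT) {
        end_session();
        return false;
    }
    // Rotate the ID periodically; true deletes the old ID's data so it cannot be replayed
    if ($now - $_SESSION['LAST_REGENERATED'] > REGENERATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['LAST_REGENERATED'] = $now;
    }
    $_SESSION['LAST_ACTIVITY'] = $now; // sliding window: every request extends it
    return true;
}

// Usage at the top of every protected page:
if (!enforce_session_timeout()) {
    header('Location: login.php');
    exit; // without exit the rest of the page is still rendered
}
```

The absolute limit matters because a sliding idle timeout alone lets a stolen session stay valid indefinitely as long as the attacker keeps sending requests; the periodic regeneration shortens the useful life of any ID that leaks.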

We can also expire individual entries in the session after a certain lifespan, without depending on the session.gc_maxlifetime (http://uk3.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime) ini setting, by storing a timestamp next to the data:

php code
$_SESSION['example'] = array('foo' => 'bar', 'registered' => time());

// later

if ((time() - $_SESSION['example']['registered']) > (60 * 30)) {
    unset($_SESSION['example']);
}

  • Can an .htaccess file set the expiry time? Yes, when PHP runs as an Apache module (mod_php); under PHP-FPM these php_value directives are ignored and belong in php.ini or a .user.ini instead. The module name depends on the PHP major version (mod_php5.c for PHP 5, mod_php7.c for PHP 7, mod_php.c for PHP 8), and the two settings still only move the garbage-collection and cookie timers described above, they do not replace the server-side timestamp check:
php code
<IfModule mod_php5.c>
    # Session timeout
    php_value session.cookie_lifetime 1800
    php_value session.gc_maxlifetime 1800
</IfModule>

  • Here is another sample. The original called mktime() with no arguments, which is deprecated since PHP 5.1 and an error in PHP 8; time() returns the same value:
php code
if (isset($_SESSION['started'])) {
    if ((time() - $_SESSION['started'] - 60 * 30) > 0) {
        // logout: destroy the session
        session_unset();
        session_destroy();
    }
} else {
    $_SESSION['started'] = time();
}

  • Use the session_set_cookie_params function.
  • It must be called before session_start(). It only sets the lifetime of the cookie on the client side, so the server still needs one of the timestamp checks above to actually end the session.
php code
$lifetime = strtotime('+30 minutes', 0); // 1800 seconds
session_set_cookie_params($lifetime);
session_start();
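Since the cookie lifetime, the garbage-collection lifetime and the application timeout are three separate timers, they should be set consistently and the cookie itself should be hardened while we are at it. The function below is an added example, not code from the original page; configure_session is a name chosen here, the array form of session_set_cookie_params requires PHP 7.3 or later, and the domain and SameSite values are assumptions for a single-host deployment.

```php
<?php
// Added example: align ini settings and cookie attributes with a 30-minute timeout.
// Must run before session_start(); a session that is already active ignores these.
function configure_session(int $lifetime = 1800): void
{
    // Server-side data must live at least as long as the application timeout,
    // otherwise GC can delete a session the application still treats as valid.
    ini_set('session.gc_maxlifetime', (string) $lifetime);
    // Reject IDs the server did not issue: a destroyed or attacker-chosen ID gets
    // a fresh one instead of being adopted, which defeats basic session fixation.
    ini_set('session.use_strict_mode', '1');
    // Accept the ID from the cookie only, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => $lifetime, // browser drops the cookie after 30 min
        'path'     => '/',
        'domain'   => '',        // current host only (assumption)
        'secure'   => true,      // sent over HTTPS only
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Lax',     // not sent on cross-site POST requests (assumption)
    ]);
}

configure_session(1800);
session_start();
```

Note that PHP sends the session cookie when the ID is created or regenerated, not on every request, so the browser's 30-minute timer counts from that moment and does not slide with activity; the server-side LAST_ACTIVITY check remains the thing that implements the idle timeout. Setting gc_maxlifetime with ini_set only affects garbage collection triggered by this script; if several applications share one session.save_path, the one with the shortest value can delete the others' sessions, so give each its own save_path.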

  • Simply put the code below in an include file that is loaded on every page:
php code
$expiry = 1800; // session expiry required after 30 mins
if (isset($_SESSION['LAST']) && (time() - $_SESSION['LAST'] > $expiry)) {
    session_unset();
    session_destroy();
}
$_SESSION['LAST'] = time();

  • Store a timestamp in the session at login. The original used the mysql_* extension (removed in PHP 7), had broken quoting and compared passwords in plain text; the version below uses a PDO prepared statement and password_verify() against a user_Pass column that holds a password_hash() value:
php code
<?php
session_start();
$user = $_POST['user_name'] ?? '';
$pass = $_POST['user_pass'] ?? '';
require 'db_connection.php'; // assumed to provide $pdo, a PDO connection
// Prepared statement: the user name never becomes part of the SQL string
$stmt = $pdo->prepare('SELECT user_Name, user_Pass FROM accounts WHERE user_Name = ?');
$stmt->execute([$user]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
// password_verify() compares against the stored hash in constant time
if ($row !== false && password_verify($pass, $row['user_Pass'])) {
    session_regenerate_id(true); // new ID on login, so a pre-set (fixated) ID is not kept
    $_SESSION['user_id'] = $user;
    $_SESSION['login_time'] = time();
    header('Location: loggedin.php');
} else {
    header('Location: login.php');
}
exit;
  • Now, on each protected page, check that the timestamp is within the allowed time window (1800 seconds is 30 minutes). The exit after the redirect is required: without it the rest of the page is still rendered for an unauthenticated client.
php code
<?php
session_start();
if (!isset($_SESSION['user_id']) || time() - $_SESSION['login_time'] > 1800) {
    header('Location: login.php');
    exit;
}
// uncomment the next line to refresh the timestamp, so the session expires after
// 30 minutes of inactivity rather than 30 minutes after login
// $_SESSION['login_time'] = time();
echo 'this session is ' . htmlspecialchars($_SESSION['user_id']);
// show rest of the page and all other content
?>
