We need to keep a session alive for 30 minutes and then destroy it?

We need to implement our session timeout. The options are(session.gc_maxlifetime and
session.cookie_lifetime)(http://php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime) are not reliable

.First Option:
session.gc_maxlifetime

  • session.gc_maxlifetime specifies the number of seconds after which data will be seen as ‘garbage’ and cleaned up. Garbage collection occurs during session start.

Second Option:
session.cookie_lifetime

  • session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.

Best solution:

  • Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:
php code 
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
 // last request was more than 30 minutes ago 
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage }
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
[ad type=”banner”]
  • Updating the session data with every request also changes the session file’s modification date hence, the previous sessions are not removed from the data.
  • Use an additional time stamp to regenerate the session ID periodically to avoid attacks on sessions like session fixation:
php code 
if (!isset($_SESSION['CREATED'])) { $_SESSION['CREATED'] = time(); } 
else if (time() - $_SESSION['CREATED'] > 1800) { // session started more than 30 minutes ago session_regenerate_id(true);
 // change session ID for the current session and invalidate old session ID
 $_SESSION['CREATED'] = time(); 
// update creation time }

We can particle sessions after a certain lifespan by using the session.gc_maxlifetime( http://uk3.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime)ini setting:

php code 
$_SESSION['example'] = array('foo' => 'bar', 'registered' => time());

 // later 

if ((time() - $_SESSION['example']['registered']) > (60 * 30))
 { 
unset($_SESSION['example']); 
}

  • Is .htaccess file to set the expire time ? Check with the below code:
php code 
<IfModule mod_php5.c>
 #Session timeout php_value session.cookie_lifetime 1800 php_value session.gc_maxlifetime 1800 
</IfModule

  • Here is the another Sample code:
php code 
if (isSet($_SESSION['started']))
{ if((mktime() - $_SESSION['started'] - 60*30) > 0){ 
Logout, destroy session, etc. 
} 
} 
else 
{ $_SESSION['started'] = mktime(); 
}

  • Use the session_set_cookie_params function .
  • It automatically calls the function before session_start() call.
php code 
$lifetime = strtotime('+30 minutes', 0); session_set_cookie_params($lifetime); session_start();
[ad type=”banner”]

  • Simply use the below sample code in our include file which loaded in every pages.
php code 
$expiry = 1800 ;
//session expiry required after 30 mins 
if (isset($_SESSION['LAST']) && (time() - $_SESSION['LAST'] > $expiry))
 {
 session_unset(); 
session_destroy();
 } 
$_SESSION['LAST'] = time();

  • Store a timestamp in the session
php code 
<?php
 $user = $_POST['user_name‘]
 $pass = $_POST['user_pass
require ('db_connection.php'); 
// Hey, always escape input if necessary!
 $result = mysql_query(sprintf("SELECT * FROM accounts WHERE user_Name='%s' AND user_Pass='%s'", mysql_real_escape_string($user), mysql_real_escape_string($pass)); 
if( mysql_num_rows( $result ) > 0)
 {
 $array = mysql_fetch_assoc($result);
 session_start();
 $_SESSION['user_id'] = $user;
 $_SESSION['login_time'] = time(); 
header("Location:loggedin.php");
 } 
Else
 { header("Location:login.php"); 
} 
?>
  • Now, Check if the timestamp is within the allowed time window (1800 seconds is 30 minutes)
php code 
<?php session_start();
 if( !isset( $_SESSION['user_id'] ) || time() - $_SESSION['login_time'] > 1800) 
{
 header("Location:login.php"); 
} 
else 
{ // uncomment the next line to refresh the session, so it will expire after thirteen minutes of inactivity, and not thirteen minutes after login //$_SESSION['login_time'] = time();
 echo ( "this session is ". $_SESSION['user_id'] ); 
//show rest of the page and all other content }
 ?>

Categorized in:

cookiesPHPsession

Tagged in:

, , , , , , , , ,