Thread: Persistence of $_SESSION vars

  1. #1

    Persistence of $_SESSION vars

    What governs the length of time a $_SESSION variable persists?

    Like if I do:

    PHP Code:
    <?php
    session_start();
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
       "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7">
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <?php
    // Define your username and password
    $username = "Some Name";
    $password = "somepassword";
    // Credentials submitted by the login form, if any
    $theName = isset($_POST['txtUsername']) ? $_POST['txtUsername'] : '';
    $thePass = isset($_POST['txtPassword']) ? $_POST['txtPassword'] : '';
    // Show the login form unless the session is already approved
    // or the submitted credentials match
    if ((!isset($_SESSION['approved']) || $_SESSION['approved'] !== true) and ($theName != $username || $thePass != $password)) {
    ?>
    <title>Login for Whatever</title>
    </head>
    <body>
    <h1>Login</h1>

    <form name="form" method="post" action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>">
        <p>Username:
        <br><input type="text" title="Enter your Username" name="txtUsername"></p>

        <p>Password:
        <br><input type="password" title="Enter your password" name="txtPassword"></p>

        <p><input type="submit" name="Submit" value="Login"></p>

    </form>

    <?php
    } else {
        // Mark the session as approved on the first successful login
        if (!isset($_SESSION['approved'])) {
            $_SESSION['approved'] = true;
        }
    ?>
    <title> . . .
    Password/Session revealed content here . . .
    <?php
    }
    ?>
    </body>
    </html>
    Is there anything I can do to limit access to - say one hour, after which one would have to login again? Or, better yet, can I expire the session after - say 20 minutes of inactivity within the password protected page(s)?
    - John

  2. #2

    It depends on server settings. I think the default is 180 minutes. You can run a cron job to clean them up more frequently, or I *think* you can change it in php.ini.

    It's a somewhat confusing topic, as there are quite a few settings and functions that seem like what you want to do, but don't really have anything to do with it. Furthermore, even if it's "expired," session information isn't necessarily / automatically deleted.

    For your application, it'd probably be easier to handle it within the script. When the user logs in, set the $_SESSION['approved'] variable, and something like $_SESSION['time_approved'] to note when that happened. (You could also reset the time_approved whenever the user interacts with the server.) Then, just check how long it's been since the user was active, and tell them to log in again if it's been more than twenty minutes.

  3. #3

    Quote Originally Posted by traq View Post
    for your application, it'd probably be easier to handle it within the script. When the user logs in, set the $_SESSION['approved'] variable, and something like $_SESSION['time_approved'] to note when that happened. (you could also reset the time_approved whenever the user interacts with the server.) Then, just check how long it's been since the user was active, and tell them to log in again if it's been more than twenty minutes.
    Yes, you should do something along these lines.

    An example would be:
    PHP Code:
    session_start();
    if (isset($_SESSION['time']))
    {
        if (time() - $_SESSION['time'] > 3600) // 1 hour since the last page load
        {
            header('Location: logout.php'); // force logout
            exit;
        }
    }
    $_SESSION['time'] = time(); // update last page load time
    // Rest of code
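    An added example, not code posted by anyone in this thread: one way to combine the "20 minutes of inactivity" and "one hour, then log in again" ideas from posts #1 to #3 into a single guard that is included at the top of every protected page before any output is sent. The two limits, the login.php URL, the approved, login_time and last_seen key names and the markLoggedIn() helper are assumptions; it needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the thread): a session guard enforcing both an
// inactivity timeout and an absolute lifetime. Include before any output on
// every protected page. Limits, key names and LOGIN_URL are assumptions.
const IDLE_TIMEOUT     = 20 * 60;   // 20 minutes without a request
const ABSOLUTE_TIMEOUT = 60 * 60;   // 1 hour since login, regardless of activity
const LOGIN_URL        = 'login.php';

// Keep the garbage collector from deleting session files before the idle
// timeout elapses; session_start() reads these values, so set them first.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued

// The cookie itself stays a browser-session cookie (lifetime 0), so the browser
// drops it on close; it is not readable from script, only sent over HTTPS and
// not sent on cross-site requests. The server-side limits below are the part
// the application actually controls.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Returns null while the session is valid, otherwise a short reason string.
 * A pure function of the session array and the current time, so it can be
 * exercised without a web server.
 */
function sessionExpiryReason(array $session, int $now): ?string
{
    if (empty($session['approved'])) {
        return 'not-logged-in';
    }
    if (!isset($session['login_time'], $session['last_seen'])) {
        return 'missing-timestamps';
    }
    if ($now - $session['login_time'] > ABSOLUTE_TIMEOUT) {
        return 'absolute-timeout';
    }
    if ($now - $session['last_seen'] > IDLE_TIMEOUT) {
        return 'idle-timeout';
    }
    return null;
}

/** Call once, right after the credentials check succeeds. */
function markLoggedIn(): void
{
    session_regenerate_id(true);          // fresh id at the privilege change
    $_SESSION['approved']   = true;
    $_SESSION['login_time'] = time();     // set once, never refreshed
    $_SESSION['last_seen']  = time();
}

$reason = sessionExpiryReason($_SESSION, time());
if ($reason !== null) {
    // Wipe the server-side record and the cookie, then send the user to log in.
    // Unsetting only $_SESSION['approved'] would leave the remaining data
    // attached to a still-valid id.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . LOGIN_URL . '?reason=' . urlencode($reason));
    exit;
}

// Still valid: slide the idle window forward on every request.
$_SESSION['last_seen'] = time();
```

    On distributions where a cron job rather than PHP performs session garbage collection, the php.ini value governs and the ini_set() line has no effect; the checks in sessionExpiryReason() do not depend on it, which is why the timestamps are kept in the session data and compared on every request.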

  4. The Following User Says Thank You to techietim For This Useful Post: jscheuer1 (07-25-2010)

  5. #4

    I used a variation on this and it appears to work for my code. I replaced:

    PHP Code:
    <?php
    session_start();
    ?>
    <!DOCTYPE html PUBLIC "-/ . . .
    with:

    PHP Code:
    <?php
    session_start();
    if (isset($_SESSION['time'])) {
        if (time() - $_SESSION['time'] > 1200) { // 20 mins
            unset($_SESSION['approved']); // force new login
        }
    }
    $_SESSION['time'] = time(); // update last page load time
    // Rest of code
    ?>
    <!DOCTYPE html PUBLIC "-/ . . .
    I think I need another isset to check that 'approved' is set before unsetting it.

    I'm still wondering if and under what circumstances the session expires when the user closes the browser. It appears that it expires regardless of any time elapsed, except in Firefox (possibly others that support saving open pages) if the browser is closed with the page open and the user elects to save pages.

    And I'm wondering, if the user visits a series of pages with session_start() at the beginning, does that reset the 180 minute (or whatever it's set to in php.ini) counter of session.cache_expire to zero each time?
    - John

  6. #5

    That php.ini configuration option you are speaking of is for caching only. There is a page which describes how it works [1].

    [1] - http://www.php.net/manual/en/functio...he-limiter.php

  7. #6

    There are a few aspects to this answer:

    1. $_SESSION remains the same until the session is changed. That is: $_SESSION is generated on every page load from a hidden php sessions database. $_SESSION itself is only an indirect bit of data.

    2. A session is identified by the session id. This is usually stored in a cookie, but can be a get or post variable also (thus allowing non-cookie browsers to still access the site-- sessions can be used by basically anything). This id is the key to everything. session_start() supplies a default id, and then this will continue.

    3. A session is ended when the browser decides to not continue it. This is usually when the window is closed (and reopened) or after some period of inactivity, such as 15 minutes (but it may certainly be longer).

    4. The server also has some control in that at some point it will delete floating unused session data (from ids that haven't been accessed in a long time, so likely aren't attached to anyone any more) and the description above makes sense that it may be about 3 hours. The only relevance here is that your server will store extra data for a few hours. If you have thousands of users or are (probably unwisely) storing a lot of data in $_SESSION, then this may be a problem. Otherwise, I suggest ignoring it entirely.

    5. If you wish to manually reset the session in PHP, the method to do this is not to change authorization or delete $_SESSION, but to change the session id. This will unattach the user to the current session (making their data just one of the extra floating bits on the server) and create a new session for them. This is more secure and simpler than using something like the time() example above, though there's no reason that can't work-- it's just not the normal way to do it. One advantage of doing it manually is that it can allow you to keep some values. For example, if you have $_SESSION['timezone'] and $_SESSION['loggedin'] you could keep the timezone value but delete the "loggedin" value... but in general, it's best to clear all of it. For info on this, since it can actually be hard to get it to work sometimes, just google how to reset a session's id.
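    An added example, not Daniel's or anyone else's code from this thread, of the reset described in point 5: the session id is changed and the old server-side record deleted, while a short list of harmless values such as a timezone preference is carried over. The resetSession() and completeLogin() helpers and the key names are assumptions.

```php
<?php
// Added example (not from the thread): reset a session by changing its id,
// keeping only an explicit allow-list of values. Key names are assumptions.
session_start();

/**
 * Drop the current session id and every value not named in $keep.
 * Returns the new session array so the caller can inspect it.
 */
function resetSession(array $keep = []): array
{
    // Copy out only the values we explicitly want to survive the reset.
    $retained = array_intersect_key($_SESSION, array_flip($keep));

    // Clear the array first so nothing else is written under the new id, then
    // issue a fresh id and delete the old record (the `true` argument). The old
    // id can no longer be used to reach this user's data.
    $_SESSION = [];
    session_regenerate_id(true);

    $_SESSION = $retained;
    return $_SESSION;
}

/**
 * Log the user out but remember display preferences: 'loggedin' and anything
 * else not listed is gone, 'timezone' and 'lang' survive.
 */
function logout(): array
{
    return resetSession(['timezone', 'lang']);
}

/**
 * On successful login, rotate the id so that an id which existed before
 * authentication never becomes an authenticated one. Keep nothing.
 */
function completeLogin(string $userId): void
{
    resetSession([]);
    $_SESSION['loggedin']   = true;
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = $_SESSION['last_seen'] = time();
}
```

    The allow-list is deliberately a list of keys to keep rather than keys to drop: a new authorisation flag added later to the session is then cleared by default instead of surviving a reset by omission.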