
how to set a session to destroy itself unset whatever in a certain amount of time

I found that you're supposed to use this:
session.gc_maxlifetime
but I don't know how. Does anyone know how I can destroy a login session so the user won't be logged in 30 minutes later?

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 

Hey.

Yea, you set the session.gc_maxlifetime variable in the php.ini file to limit the time a session can stay idle.

If you don't know where the php.ini file is, create a file with just: <?php phpinfo(); ?> and look for the "Loaded Configuration File" value. That will contain the path to the configuration file you need to edit.

Once you find it, just open it up, search for the variable, set it to 1800 (30 minutes), save, restart your HTTP server and you are good to go.

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 

Don't know where the ini file is, so I did the phpinfo thing. It came up with a huge table, and I did a find in my browser; there is no loaded configuration file anywhere on the page. I'm lost.

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 

It should be very close to the top.
See the attached image. It shows where it is on my PC.

Attachments phpinfo_phpini_location.jpeg 44.77KB
Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 

Mine's way different. It's a free host, so I don't know if that changes anything.

disable_functions	exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space,disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl,leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount,posix_mkfifo,putenv,geoip_open,sleep	exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space,disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl,leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount,posix_mkfifo,putenv,geoip_open,sleep


That's like basically the only thing with ini in it. And "loaded" or "loading", the one you put, my browser can't find the word at all.

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 

Ahh ok, so you don't control the server yourself. That complicates these sorts of things.

An easy way around this is to just manually destroy the session in your scripts by keeping track of when the user is active and destroying the session when he is idle for too long.

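<?php
session_start();
// Destroy the session if the user has been idle for more than 30 minutes (1800 seconds).
if (isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > 1800) {
    $_SESSION = array();  // session_destroy() does not clear the data already loaded for this request
    session_destroy();    // remove the session data stored on the server
}
else {
    // Still active: record the time of this request.
    $_SESSION['last_seen'] = time();
}
?>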

If you were to add this, or include it, at the top of every page, it would destroy the session if the user was idle for more than 30 minutes.

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
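
A fuller version of the idle check from the post above, as an added example that is not part of the original thread: it also expires the session cookie in the browser and tells the caller when a session was ended. The function names, the IDLE_LIMIT constant and the login.php target are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. All names here are illustrative.
const IDLE_LIMIT = 1800; // 30 minutes, the value used in the thread

/** Pure check: has this session data been idle for more than $limit seconds? */
function session_is_idle(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_seen']) && ($now - $session['last_seen']) > $limit;
}

/** End the current session: in-memory data, browser cookie and server-side data. */
function end_session(): void
{
    $_SESSION = [];                        // session_destroy() leaves this array populated
    if (ini_get('session.use_cookies')) {  // expire the cookie that carries the session ID
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                     // delete the data held by the session handler
}

/**
 * Call at the top of every page, before any output is sent.
 * Returns true when an idle session was found and ended.
 * This does not rely on session.gc_maxlifetime: PHP's session garbage
 * collection only runs on a fraction of requests, so it cannot enforce
 * an exact cut-off on its own.
 */
function enforce_idle_timeout(): bool
{
    session_start();
    if (session_is_idle($_SESSION, time())) {
        end_session();
        return true;
    }
    $_SESSION['last_seen'] = time();       // still active: record this request
    return false;
}

if (enforce_idle_timeout()) {
    header('Location: login.php');         // hypothetical login page
    exit;
}
```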
 

Thanks, that makes sense! I have a question. Is there a way to change it so all sessions are destroyed on everyone's computer, so they aren't logged in when they haven't been loading a page within 30 minutes, even if they didn't get to load the page to destroy their session with the above code?

Is that like a cron job thing or something?

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 

Sure, but any method that would allow for that would require control over key areas of the server, which you are unlikely to have on a free, shared server.

If you did have the access, you could write a script that cleans out the temporary session files, stored in the directory specified in the session.save_path directive. (Or the OS's default temporary path.)
That could be set to execute periodically using crontab, or something equivalent.

But PHP automatically cleans up session data after the session expires, so there is really no need for that. Not to mention that your script might accidentally clear out sessions that aren't meant to be cleared out, whereas PHP won't.

The method I posted before, where I call session_destroy(), would only be needed in the time-frame between the 30 minutes specified in the PHP script, and the time specified in the session.gc_maxlifetime directive. After that, PHP will automatically destroy the session.

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 


OK, what are the reasons to make sessions expire like after 30 minutes? Is there a way for people to hack them or something? I don't understand why people do it.

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 

Yes, it is a security measure, limiting the window for a session hijacking.

There are ways for malicious persons to obtain your session cookie, which gives them the ability to hijack an open session. The less time the session is left idle, the less time the hijackers have to hijack it.
Not exactly bulletproof, but in cases like these our options are kind of limited.

Aside from that, this is also just a matter of clearing up the unused session data lying around on the server. Sessions are only meant to be temporary storage, lasting a single "session". If you leave for an extended period, once you return and resume what you were doing, that would be considered a new session. How long that period is, that is up to you.

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 

I don't think I set a session cookie ... unless every session made has a cookie.

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 

PHP uses cookies by default. If you don't know whether or not you use cookies to transfer the session ID, you almost definitely do.

Doesn't really matter in this context though. The other option, using the query string, is no more secure. Less so, if anything.

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 

Duplicate... The forum software is on the fritz xD

Atli
Posting Pro
540 posts since May 2007
Reputation Points: 93
Solved Threads: 70
 

Thanks, I have no more questions. You answered them all!

SKANK!!!!!
Posting Pro in Training
429 posts since Apr 2009
Reputation Points: 15
Solved Threads: 7
 
