|
|
Posted by Gordon Burditt on 06/13/06 17:43
>I want users to select the duration time of their sessions. I'm able to
>do it by setting the PHPSESSID cookie duration. Is this reliable, or is
>it not recommended for some reason?
It's something you need to depend on the browser doing, so it's
unreliable. Don't depend on it for high security, especially against
tampering by users. Also don't depend on it for accurate timing;
a browser may only expire cookies when it starts up or shuts down
(not just opening/closing one window), and it uses the browser's
clock (which may or may not be set with the correct year) rather
than the server clock. If the user WANTS it to work correctly, and
others don't use that computer, you're probably OK.
It's also possible to track the expiration time of a session in the
session data in $_SERVER. If the session has expired, you make
them log in again. You might also want to track the LAST hit rather
than time of login (like you're doing by setting the cookie with a
new expiration time every time).
Gordon L. Burditt
Navigation:
[Reply to this message]
|