Posted by Gordon Burditt on 01/15/06 23:11
>I have a website where users can log in. This uses sessions, as I believe
>most people use when implementing a login section of a website (each php
>page first checks a valid parameter has been set to authorise that the user
>has logged in and if it is not found it redirects the user to the login
>page).
>
>I have my code and it works fine, however on the live server, after a period
>of inactivity the user will be logged out automatically.
>However on my test server this is not the case and the user remains logged
>in no matter how long they have no activity for.
>Exactly the same code is in place on both servers, just the servers are
>from different providers so I assume set up differently.

Which behavior do you consider to be a problem? You may not be
able to lengthen the time a session is kept alive. Hits on other
people's pages (by completely unrelated users) may cause expiration
of your sessions.

>What could be set up differently on the servers to be causing this
>difference in behaviour and what can I do to override it? In an ideal world
>I would be able to control the amount of inactive time before a user is
>logged out automatically.

Look at the php.ini settings related to session timeout, such as
session.gc_maxlifetime and session.cookie_lifetime. You want these
settings to allow at least as much time as you want sessions to
last. PHP's probabilistic expiration hardly ever guarantees that
a session will expire. You may set session.gc_maxlifetime to 4
hours but you can't really complain if a session is found to be
alive after 9 years.

If you want precise timeouts, e.g. you want the session intact if
it's 3 hours, 59 minutes, and 59 seconds old, but it must be unusable
if it's over 4 hours old, I suggest doing it yourself: put a
timestamp in the session data. If the user is not logged in OR THE
TIMESTAMP IS TOO OLD, redirect them to the login page. The login
page sets the timestamp. If you want "expiration since the last
hit", each hit should update the timestamp.

Gordon L. Burditt
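
The timestamp check described in the reply above, as an added example that is not part of the original post. It combines both variants mentioned there (a timestamp set at login and one updated on each hit); the function names, the `user_id` key, the limits and the `/login.php` URL are assumptions, and the session ID regeneration at login is an extra hardening step not mentioned in the post.

```php
<?php
// Added example; names, keys and limits below are assumptions, not from the post.
const IDLE_LIMIT     = 4 * 3600;   // seconds allowed since the last hit (assumed)
const ABSOLUTE_LIMIT = 12 * 3600;  // seconds allowed since login (assumed)

/** Pure check: does $data describe a login that is still valid at time $now? */
function session_is_fresh(array $data, int $now): bool
{
    if (empty($data['user_id']) || !isset($data['login_at'], $data['last_hit'])) {
        return false;                        // not logged in at all
    }
    if ($now - $data['last_hit'] > IDLE_LIMIT) {
        return false;                        // idle for too long
    }
    return $now - $data['login_at'] <= ABSOLUTE_LIMIT;
}

/** Called by the login page once the credentials have been verified. */
function mark_logged_in(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);             // fresh ID at login (not in the post)
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = $_SESSION['last_hit'] = time();
}

/** Called at the top of every protected page, before any output is sent. */
function require_fresh_login(string $loginUrl = '/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!session_is_fresh($_SESSION, time())) {
        $_SESSION = [];                      // discard stale data server-side
        session_destroy();
        header('Location: ' . $loginUrl);
        exit;
    }
    $_SESSION['last_hit'] = time();          // "expiration since the last hit"
}
```

Because the decision is made from data stored in the session itself, it gives the same result on both servers regardless of when PHP's garbage collector runs, provided session.gc_maxlifetime and session.cookie_lifetime are at least as long as the limits used here.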