Posted by Rik on 07/17/06 00:21
romayankin@gmail.com wrote:
> I need to limit the session time for a particular user who is working
> on my site. I'd also like to extend the session time each time user
> performs some action (moves from one page to another). I've written
> the following code to accomplish this task
>
> /* Extending session */
> if(isset($_COOKIE['username'])) {
> setcookie ("username", $_POST['username'], time()+3600);
> }
Pardon, you let them post their username on every navigation?
> Variable $_COOKIE['username'] right after the authorization is
> completed.
> The problem is that I don't think this is a safe way to handle
> sessions. Perhaps I should use $_SESSION global array to store the
> username of the logged user?
Why not set the time of the last action in the $_SESSION?
$timeout = 60 * 60; // 60 minutes here, as long or short as you'd like
session_start();
if (!isset($_SESSION['time']) || $_SESSION['time'] + $timeout < time()) {
    // invalid, we'll destroy all data:
    $_SESSION = array();
    if (isset($_COOKIE[session_name()])) setcookie(session_name(), '', time()-42000, '/');
    if (isset($_COOKIE['username'])) setcookie('username', '', time()-42000, '/');
    session_destroy();
} else {
    // valid, update times:
    $_SESSION['time'] = time();
    setcookie('username', $username, $_SESSION['time'] + $timeout, '/');
    // You'll have to get that $username from somewhere in your actual validation.
}
Grtz,
--
Rik Wasmus
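
Added example, not part of Rik's post: the same last-activity check with the username kept only in $_SESSION, as the question proposes, so no client-supplied cookie or POST value decides who is logged in. It assumes PHP 7.3+ and a site served over HTTPS; IDLE_TIMEOUT and the function names are hypothetical.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7.3+ and HTTPS.
const IDLE_TIMEOUT = 3600; // hypothetical name: seconds of inactivity allowed

// Pure check, so the expiry rule can be exercised without a live session.
function session_idle_expired(array $session, int $now, int $timeout = IDLE_TIMEOUT): bool
{
    // No timestamp or no username means nobody is logged in on this session.
    if (!isset($session['time'], $session['username'])) {
        return true;
    }
    return ($session['time'] + $timeout) < $now;
}

function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie; the idle limit is enforced server-side
        'path'     => '/',
        'secure'   => true,   // assumption: HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the credential check has succeeded; $username comes from that check.
function login_session(string $username): void
{
    session_regenerate_id(true); // fresh id at login, so a pre-login id cannot be reused
    $_SESSION['username'] = $username;
    $_SESSION['time'] = time();
}

// Call at the top of every protected page. Returns the username, or null if logged out.
function require_active_session(): ?string
{
    start_secure_session();
    if (session_idle_expired($_SESSION, time())) {
        $_SESSION = [];
        $p = session_get_cookie_params();
        setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => $p['path'],
            'domain' => $p['domain'], 'secure' => $p['secure'], 'httponly' => $p['httponly']]);
        session_destroy();
        return null;
    }
    $_SESSION['time'] = time(); // sliding window: every request extends the session
    return $_SESSION['username'];
}
```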