Posted by totalstranger on 07/17/06 12:48
On or about 7/16/2006 8:55 PM, it came to pass that s a n j a y wrote:
> romayankin@gmail.com wrote:
>> I need to limit the session time for a particular user who is working
>> on my site. I'd also like to extend the session time each time the user
>> performs some action (moves from one page to another). I've written the
>> following code to accomplish this task
>>
>> /* Extending session */
>> if(isset($_COOKIE['username'])) {
>> setcookie ("username", $_POST['username'], time()+3600);
>> }
>>
>> Variable $_COOKIE['username'] right after the authorization is
>> completed.
>> The problem is that I don't think this is a safe way to handle
>> sessions. Perhaps I should use $_SESSION global array to store the
>> username of the logged user?
>>
>
> In my opinion, all you should store in a cookie is the session ID.
> Everything else, you store on the server in either a global session variable
> or in a database.
Agreed.
Set a session variable with php time() and do your own timeout.
session_start(); // must be called before $_SESSION is read or written
// break this session and restart when over 10 minutes
if (isset($_SESSION['$Server_time']) && (time() - $_SESSION['$Server_time']) > 600) {
    $_SESSION = array();
}
$_SESSION['$Server_time'] = time(); // time in seconds
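The approach agreed on in this thread, as an added example that is not code from any of the posters: the cookie carries only the session ID, while the username and the last-activity time live in `$_SESSION`, and the idle window slides on every request. The key `last_activity`, the helpers `touch_session()` and `log_in()`, and the HTTPS and PHP 7.3+ requirements are assumptions of this example.

```php
<?php
// Added example, not code from the thread.
const IDLE_LIMIT = 600; // seconds; the 10 minutes used in the post above

// Slide the idle window. Returns false (and empties the session data)
// when more than $limit seconds have passed since the last request.
function touch_session(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_activity'] ?? null;   // hypothetical key name
    if ($last !== null && ($now - $last) > $limit) {
        $session = [];                           // forget username and all other state
        return false;
    }
    $session['last_activity'] = $now;
    return true;
}

// Call only after the credentials have been verified (verification not shown).
function log_in(string $username): void
{
    session_regenerate_id(true);                 // fresh id at privilege change
    $_SESSION['username'] = $username;           // stored server-side, not in a cookie
    $_SESSION['last_activity'] = time();
}

session_start([
    'use_strict_mode' => true,   // refuse session ids the server did not issue
    'cookie_httponly' => true,   // id not readable from page scripts
    'cookie_secure'   => true,   // assumption: the site is served over HTTPS
    'cookie_samesite' => 'Lax',  // needs PHP 7.3 or later
]);

if (!touch_session($_SESSION, time())) {
    session_regenerate_id(true); // timed out: retire the old id and its data
}

if (isset($_SESSION['username'])) {
    echo 'Logged in as ' . htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Not logged in (new visitor or session timed out).';
}
```

Because the timestamp is checked on the server, editing or replaying the cookie cannot extend a session past the idle limit.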