
I want to log out a user if the user's session is older than 30 minutes. Is this code correct?
If yes, can somebody explain it please? If no, will you tell me what the problem and the solution are? If I don't use this expiry time, will the site be insecure?

      if ((mktime() - $_SESSION['started'] - 60*30) > 0) {
        //logout, destroy session etc
      }
    } else {
      $_SESSION['started'] = mktime();
    }
cute
  • Why do you want to do this? Do you really want to log out users just because they've been on your site 30 minutes? – Joe Phillips Feb 11 '11 at 15:31
  • Do you mean you want to log the user out 30 minutes after they login, even if they've been active on the site for all of that 30 minutes? – Mark Baker Feb 11 '11 at 15:32
  • No, I want it if sessions are older than 30 mins (to prevent session hijacking) (if they left the site and then returned to the site). – cute Feb 11 '11 at 15:32
  • Set the session.gc entries in your php.ini to time out after 30 minutes; don't try to do it in your PHP code. – Mark Baker Feb 11 '11 at 15:33
  • Heavily related: [How do I expire a PHP session after 30 minutes?](http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes) – Gumbo Feb 11 '11 at 15:38

5 Answers


Just let PHP handle the session time-out normally. Set in php.ini

  session.gc_maxlifetime = 1440

to the number of seconds a session lives.
The default is 1440 seconds or 24 minutes.

To prevent session hijacking you could, for instance:

  • check the IP address of the session initiator against the IP of subsequent queries (not perfect, and you may have a problem with people without a fixed IP disconnecting and reconnecting within 24 min with a different IP)
  • or add another cookie, set only once (never expires), holding a likely-unique value (an md5 hash). When the session is created you store that value within the session, and you check that value against the session's one during subsequent exchanges (provided that the thief does not also copy that cookie).
Déjà vu

Use time() instead of mktime(); then it should be correct.

But I'd say don't rely on $_SESSION only... There are more secure ways, i.e. database-based session management.

david.wosnitza
  • Why would `$_SESSION` be insecure? – Tim Feb 11 '11 at 15:38
  • How do you do database-based sessions? Will you explain? – cute Feb 11 '11 at 15:39
  • @Col. Shrapnel - mktime throws `E_STRICT` when used without parameters as of PHP 5.1. @Tim Nordenfur: erm, my bad. It's not insecure, it only makes it harder to check how many sessions are active, etc. @cute check http://www.developertutorials.com/tutorials/php/saving-php-session-data-database-050711-1058/ – david.wosnitza Feb 11 '11 at 15:54

First you should use time() instead of mktime(), because you are not converting from date+time components anyway.

And then you should rewrite the condition into something more readable:

    if (time() > $_SESSION['started'] + 60*30) {

Depending on your use case you might also think about not using the 'started' time, but maybe 'lastaccess' for example. (You could also pre-define a 'destroy' time when you create the session, thus simplifying the logic.)

mario
  • What do you mean? When the user logs in, I'll have to add $_SESSION['lastvisit'] = time(); or what? – cute Feb 11 '11 at 15:37
  • @cute: If you want to use a $_SESSION['lastvisit'], then you would have to update the field on *every page access*. – mario Feb 11 '11 at 15:38
  • OK, and what does this string mean? $_SESSION['started'] + 60*30 > time(). Please explain (if session + 1800 > time?? if yes, then why?) – cute Feb 11 '11 at 15:43
  • @cute: No, it was wrong. It needs to be the other way round. If the current time() passes > the start+30min time, then the condition should match. -- Calc example: Let's assume current time were 0, then the first test would be 0>0+1800, but after 2000 seconds passed, the calculation would be 2000>0+1800. – mario Feb 11 '11 at 15:46
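Putting the two answers above together (Déjà vu's php.ini setting and mario's distinction between a 'started' time and a 'lastaccess' time that is refreshed on every request), here is an added example that is not from any post on this page; the constant names, the function names and the 'lastaccess' key are my own choices, and the session functions used are standard PHP:

```php
<?php
// Added example, not from any answer on this page: an absolute limit measured
// from 'started' plus an idle limit from 'lastaccess', which is refreshed on
// every request (mario's comment above). Timestamps come from time().
const ABSOLUTE_LIFETIME = 60 * 30; // 30 min since the session was started
const IDLE_LIFETIME     = 60 * 30; // 30 min since the last request

// Pure check, so it can be tested without a live session: returns null while
// the session is still valid, otherwise the reason it is not.
function sessionExpiryReason(array $session, int $now): ?string
{
    if (!isset($session['started'], $session['lastaccess'])) {
        return 'not-started';
    }
    if ($now > $session['started'] + ABSOLUTE_LIFETIME) {
        return 'absolute';   // mario's condition: now > start + 1800
    }
    if ($now > $session['lastaccess'] + IDLE_LIFETIME) {
        return 'idle';
    }
    return null;
}

// Call once at the top of every request. Returns true when the caller must
// treat the user as logged out (e.g. redirect to the login page).
function enforceSessionTimeouts(): bool
{
    // session.gc_maxlifetime only tells the garbage collector when an idle
    // session may be removed, and GC runs probabilistically, so it is a
    // backstop rather than a precise limit. Set it before session_start().
    ini_set('session.gc_maxlifetime', (string) IDLE_LIFETIME);
    session_start();

    $now = time();
    $reason = sessionExpiryReason($_SESSION, $now);
    if ($reason === 'not-started') {
        $_SESSION['started'] = $now;
        $_SESSION['lastaccess'] = $now;
        session_regenerate_id(true); // fresh id for the new session
        return false;
    }
    if ($reason !== null) {
        $_SESSION = [];              // drop the data, then the session itself
        session_destroy();
        return true;
    }
    $_SESSION['lastaccess'] = $now;  // activity extends only the idle limit
    return false;
}
```

If the 30-minute absolute limit should count from login rather than from the first request, set 'started' in the login handler instead of here.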

"I want to log out a user if the user's session is older than 30 minutes. Is this code correct?"

No, your current code would disconnect the user if he hasn't acted for 30 min. You need:

    } else if (!isset($_SESSION['started'])) {
      $_SESSION['started'] = mktime();
    }
POSIX_ME_HARDER

PHP already takes care of that.
The session will expire after 24 minutes of inactivity by default.
You do not need to worry.

Your Common Sense