0

For example, if I want to set up a trigger that fires every hr passed since the current time, how would I implement that?

I am using PHP to write my backend code, essentially, if a user logged in, I give a sessionID, if there's no activity every hr , then session timeout. I think it needs to be implement in PHP right?

hakre
  • 193,403
  • 52
  • 435
  • 836
lilzz
  • 5,243
  • 14
  • 59
  • 87
  • 1
    Hi, @lilzz. What have you tried? We need some context here. – Jonathan M Oct 04 '11 at 18:24
  • 1
    you need to describe what you are trying to accomplish in more detail. – dqhendricks Oct 04 '11 at 18:25
  • implementing a timeout check for a given session in PHP. It needs to be checked every 1hr once the session started for non-activity. – lilzz Oct 04 '11 at 18:30
  • possible duplicate of [cleanup php session files](http://stackoverflow.com/questions/654310/cleanup-php-session-files) - just ensure your session files get deleted after 30 minutes of inactivity. You don't need a trigger. – hakre Oct 04 '11 at 18:41

4 Answers4

4

You use the cron job scheduler to run your script.

For Windows, you can try the Windows Task Scheduler. It provides similar functionality.

Actually, you don't need cron to do this.

Since you want to end the session if the user has been inactive for one hour, how about you do this.

  • When the user visits any page, update a $_SESSION variable with the current time.
  • Once the user browses to a new page, check if the current_time - last_time > 1 hour. If so, end the session and redirect them.
Blender
  • 289,723
  • 53
  • 439
  • 496
2

You should do this with cron scripts, not in PHP. Having PHP scripts running for hours is generally bad practice.

rid
  • 61,078
  • 31
  • 152
  • 193
1

either, set up a cron job that runs hourly, or instead set up code that retroactively calculates what needed to be calculated since the previous visit.

it would help emmensly if you were to describe what you are trying to accomplish in more detail.

dqhendricks
  • 19,030
  • 11
  • 50
  • 83
1

No need for job scheduling here. When you give them a session ID, store the session ID in a table in your database. Then do this upon every single request:

if session id row is found
    if current time - last updated time > 1 hour
        Do not allow access. Session is expired
    else
        update timestamp of session id row, setting it to the current time
        allow access
    end
end

Essentially: every time the user requests something, you can update a timestamp field in that session's row in your database. If the current time - last updated time > 1 hour, then the session is invalid and you should not allow the access.

If you wanted to schedule a job to go delete or otherwise deactivate rows that have expired, that's fine, but your session management scheme should not depend on that.

That said, if you don't have to roll your own session management, don't. It's fraught with lots of little details that are easy to overlook, and could result in leaving your site vulnerable. If you still need to roll your own, check out some of the OWASP materials about session management and authentication:

https://www.owasp.org/index.php/Session_Management_Cheat_Sheet

Shizzmo
  • 16,231
  • 3
  • 23
  • 15
  • 1
    One of those 'little details' that's vulnerable in this example (depending on your security requirements): the session could be held open indefinitely. – Shizzmo Oct 04 '11 at 18:47