By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
434,741 Members | 2,004 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 434,741 IT Pros & Developers. It's quick & easy.

PHP sessions - user login webpage - preventing autologout due to inactivity

P: n/a
Hi there,

I have a website where users can log into. This users sessions as I believe
most people use when implementing a login section of a website (each php
page first checks a valid parameter has been set to authorise that the user
has logged in and if it is not found it redirects the user to the login
page).

I have my code and it works fine, however on the live server, after a period
of inactivity the user will be logged out automatically.
However on my test server this is not the case and the user remains logged
no matter how long they have no activity for.
The exactly the same code is in place on both servers, just the servers are
from different providers so I assume set up differently.
What could be set up differently on the servers to be causing this
difference in behaviour and what can I do to override it? In an ideal world
I would be able to control the amount of inactive time before I user is
logged out automatically.

I hope this makes sense and I really hope someone can advice.

Kind regards

Dave
Jan 15 '06 #1
Share this Question
Share on Google+
3 Replies


P: n/a
>I have a website where users can log into. This users sessions as I believe
most people use when implementing a login section of a website (each php
page first checks a valid parameter has been set to authorise that the user
has logged in and if it is not found it redirects the user to the login
page).

I have my code and it works fine, however on the live server, after a period
of inactivity the user will be logged out automatically.
However on my test server this is not the case and the user remains logged
no matter how long they have no activity for.
The exactly the same code is in place on both servers, just the servers are
from different providers so I assume set up differently.
Which behavior do you consider to be a problem? You may not be
able to lengthen the time a session is kept alive. Hits on other
people's pages (by completely unrelated users) may cause expiration
of your sessions.
What could be set up differently on the servers to be causing this
difference in behaviour and what can I do to override it? In an ideal world
I would be able to control the amount of inactive time before I user is
logged out automatically.


Look at the php.ini settings related to session timeout, such as
session.gc_maxlifetime and session.cookie_lifetime. You want these
settings to allow at least as much time as you want sessions to
last. PHP's probabalistic expiration hardly ever guarantees that
a session will expire. You may set session.gc_maxlifetime to 4
hours but you can't really complain if a session is found to be
alive after 9 years.

If you want precise timeouts, e.g. you want the session intact if
it's 3 hours, 59 minutes, and 59 seconds old, but it must be unusable
if it's over 4 hours old, I suggest doing it yourself: put a
timestamp in the session data. If the user is not logged in OR THE
TIMESTAMP IS TOO OLD, redirect them to the login page. The login
page sets the timestamp. If you want "expiration since the last
hit", each hit should update the timestamp.

Gordon L. Burditt
Jan 15 '06 #2

P: n/a

"Gordon Burditt" <go***********@burditt.org> wrote in message
news:11************@corp.supernews.com...

Not yet having a moment to look into your suggestions, the actual behaviour
my client complained about was that they were being logged out too quickly.
Therefore they had circumstances where they typed a whole screen of text,
pressed a save button and then found they were logged out.

They probably would not care if it took a week to log out, but I would
certainly like be able to extend it to cover there working day (8 hours or
so) rather then the current 1.5 hours it seems to be.

So any advice in this direction is welcome (but of course I do want to
establish a general understanding for better control).

Cheers

Dave
Jan 15 '06 #3

P: n/a
d
"Dave Smithz" <da******@blueyonder.co.uk> wrote in message
news:x6*********************@fe3.news.blueyonder.c o.uk...

"Gordon Burditt" <go***********@burditt.org> wrote in message
news:11************@corp.supernews.com...

Not yet having a moment to look into your suggestions, the actual
behaviour my client complained about was that they were being logged out
too quickly. Therefore they had circumstances where they typed a whole
screen of text, pressed a save button and then found they were logged out.

They probably would not care if it took a week to log out, but I would
certainly like be able to extend it to cover there working day (8 hours or
so) rather then the current 1.5 hours it seems to be.

So any advice in this direction is welcome (but of course I do want to
establish a general understanding for better control).

Cheers
Why don't you just have your site save a draft of the text every minute or
so. You could have some javascript that copies out the contents of the form
the user is editing into an identical form in a hidden iframe, then submit
the hidden form back to itself. Hey presto - your draft has been saved, and
the session is used once more.

dave
Dave

Jan 16 '06 #4

This discussion thread is closed

Replies have been disabled for this discussion.