AssamGuy AssamGuy - 27 days ago 4
PHP Question

Unset session after some time

I am building a online ticket booking site . In this I am doing the following things : The user searches the bus with their seat numbers . The database is updated with the seat numbers with

temp_seat_book = 'Y'
. If he books the ticket paying money his status will be updated to
final_ticket_book = 'Y'
. Now I want to delete the field whose
temp_seat_book = 'Y'
but
final_ticket_book = 'N'
. For this I need to delete the session_ids which is more than 10minutes old and
final_ticket_book = 'N'
. So how I can implement the background job?

Answer

Instead of doing a search for files (which involves more i/o ) etc, What is a session cookie: Session Cookie
A better way is to store a time stamp of the 'most recent activity' in the $_SESSION variable.
And updating the session data on every request (including the automated periodic ajax calls if any).

Lets say you want to unset the session after 10 minutes,

if (isset($_SESSION['most_recent_activity']) && 
    (time() -   $_SESSION['most_recent_activity'] > 600)) {

 //600 seconds = 10 minutes
 session_destroy();   
 session_unset();  

 }
 $_SESSION['most_recent_activity'] = time(); // the start of the session.

To avoid attacks like Session fixation: (Session Fixation is an attack that permits an attacker to hijack a valid user session) keep regenerating the session id periodically say for 5 mins (I would suggest to keep the regeneration time as well as session expire time a bit more). A more elaborate list of attacks: attack list.

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
    } 
else if (time() - $_SESSION['CREATED'] > 600) {
    session_regenerate_id(true);    
    $_SESSION['CREATED'] = time();  
    }

Also, make sure session.gc-maxlifetime is set to the maximum expire time you want to use. You can do this

ini_set('session.gc-maxlifetime', 600)


Or Set it directly in your php.ini.

and also

session.cookie_lifetime :

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.

But, destroying the session must be taken care at the server-side and not the client-side. Setting the session.cookie_lifetime set to 0 would make the session’s cookie behave the way a session cookie should i.e. that a session cookie is only valid until the browser is closed.

Although this method is a tad tedious, Its more elegant.

Ah, found the link which I had read a long time ago! : How do I expire a PHP session after 30 minutes?

Comments