adams adams - 5 months ago 30
PHP Question

php login session timeout error

I am creating a login script and when a user logins, he will be able to stay 3 hours before he is logged out by the system.

The following is in my login.php

....
$_SESSION['dgUserLoggedIn'] = true;
$_SESSION['timeout'] = time();
....


the login-check.php which is at the top of every page which needs authentication:

function isLoginSessionExpired() {
$login_session_duration = 10800;
$current_time = time();
if(isset($_SESSION['timeout']) and isset($_SESSION['dgUserLoggedIn'])){
if(((time() - $_SESSION['timeout']) > $login_session_duration)){
session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
$_SESSION['timeout'] = time(); // update creation time
return true;
}
}
return false;
}
if(isset($_SESSION["dgUserLoggedIn"])) {
if(isLoginSessionExpired()) {
header("Location: /core/logout.php");
}
}


With the above code the user logs out automatically after around 30 minutes, how can I make sure the user can stay logged in 3 hours and every page refresh or visiting the time updates itself.

Below is my session-setup.php

// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);

// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');

// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');

// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);

// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);

// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);

// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);

session_start();

Answer

You could also try changing the value at runtime using ini_set:

ini_set('session.gc_maxlifetime', '10800');

or

You can change this line in your php.ini file.

session.gc_maxlifetime = 1440

Update: it seems to be possible, so i stand corrected

php_value

session.gc_maxlifetime = 10800

i hope it will be helpful