total session confusion

dugawug

hello,
so i'm coding a website using PHP session variables to keep a person logged in or out.

okay, so my problem is i want to set the length of how long the session lasts. i can't access php.ini due to my hosting company.
so in my code, isn't there a way to set the session to automatically expire after X minutes?

first does PHP end a session after X minutes of inactivity or after X minutes period? that's the first question, but after tinkering, it seems to end a session after X minutes of user inactivity.

i tried coding in:
session_set_cookie_params(5);

after each:
session_start();

throughout the app.

hoping this would set the session length to just five minutes.
(or ending after 5 minutes of inactivity)

it seemed to work, but only on the first page that sets the session.??? not on other pages!??

i'm really confused. i tried reading the manual and it seems unclear on this topic.

help anyone?

😃

Drakla

session_set_cookie_params has to be used before the session is started - also the parameter is in seconds, so you'd have to do it for 300 seconds for 5 minutes.

Let me know if it works, and set this to resolved if it does.

dugawug

well, thanks, but that doesn't help much honestly:

for one, my first question, if you set a session to expire in 5 minutes using session_set_cookie_params(300), does it expire 5 minutes after the session begins, or 5 minutes after the user is inactive???

also, like i first stated, i tried what you recommended, using session_set_cookie_params() but it didn't seem to work. i had it set to 5 (which i thought was minutes) and certain pages still would never expire the session.
(again, knowing if it's a total time till expiration or after a time of inactivity here is crucial)

plus, i call session_start() on each page that contains the session, so does session_set_cookie_params() have to be put before each instance of session_start() or just at the first instance?

i tried it at every instance.

any more help is appreciated!

Drakla

You could just experiment, but look - I've done it for you

<?php
session_set_cookie_params(5);
session_start();

if( isset($_SESSION['foo']) )
	echo "FOO SET!";
else
{
	echo "NO FOO!";
	$_SESSION['foo']="mungbah!";
}

echo '<br><br>';

echo '<a href="'.$_SERVER['SCRIPT_NAME'].'">RELOAD</a>';
?>

Run it and press reload every 1 second and you'll notice that the session data is permanently set, wait 6 seconds and it's gone again - so the session starts from scratch every time the page is sent. If it's such a worry put a termination time into the session the very first time it's set, then check it in each page.

dugawug

thanks but this is getting weird.
check this out, this is your script to the "T" BUT I subbed in a 1 instead of 5 for the seconds of duration:

url used to reside here

the crazy thing is, this doesn't expire after one second, (five didn't expire after five seconds either)...but with a one, it DOES expire, but it seems to expire after one MINUTE???

check it out...i don't get it!???

Drakla

on my computer it was timing out after about 10 seconds - can you put an echo statement in there to show the time on the server and compare that to your local computer - that could well be the solution to this whole affair as loads of people have had trouble setting cookies using servers half way across the world where they expire immediately because to them now + 1 hour is actually in your past.

dugawug

okay, thanks, i got a lot cleared up here.

my local has about a 1min 9sec difference between the server. hence:

session_set_cookie_params(1);

was behaving more like one minute to me than one second.

so let me ask you this...you were mentioning time differences across the world and those becoming problems.

is this cookie setting only going to work for people in the Pacific time zone?

would someone in another time zone/country experience this cookie setting differently? meaning would the time zone difference either cause the cookie to expire immediately or expire one or more hours too late?

wouldn't this somehow be accounted for already? i mean, what, do you have to write a custom script to get the user's local time and adjust the cookie somehow to that?

Drakla

Hi Dugawug - sorry for the late reply - It must have gone off the board.

Yeah, from what I've heard about these parts cookies will for some people, depending on the location of them to the server, expire the instant they're set, making them useless.

The best thing to do is put the server time inside the cookie and check that against the server's own time for expiry - here's a little test code I did that you might like.

Set the new cookie, then the time in it is valid for 2 seconds - keep refreshing and it'll say "no errors" then after 2 seconds the time will be invalid, and it'll tell you as much, then after the actual cookie lifetime has died it'll disappear altogether. So for a non-local server set the cookie lifetime to something huge, like a few days, not the six seconds I've put here. I've left my comments in as I faff up to myself so I know what they hell I was on about at the time

<?php
/*	Ok I want to make a cookie that has an expire time value as piece of the data,
	so I can say expire in 3 days time - and put in a unix time, then to check that
	time hasn't been tampered with I need a checksum, an encryped value so I know it's valid

So the cookie would contain
username
expire time
checksum

See the problem?  You could get your own valid expire time then throw in any username to get
access, so you have to account for that in the checksum, too.
*/
$cookie_errors=array( 0 => "NO ERRORS", 1 => "NO COOKIE", 2 => "TIME EXPIRED", 3 => "CHECKSUM BEFOULED");


$result=check_cookie();

if( @$_REQUEST['newcookie'] ) set_cookie();
if( @$_REQUEST['delcookie'] ) del_cookie();

echo "<br>RESULT: ".$cookie_errors[$result];

echo '<pre>';
print_r($_COOKIE);
echo '</pre>';


function check_cookie()
{
	if( !isset($_COOKIE['user']) || !isset($_COOKIE['eTime']) || !isset($_COOKIE['checkSum']) )
	{
		return 1;
	}

$user=$_COOKIE['user'];
$eTime=$_COOKIE['eTime'];
$checkSum=$_COOKIE['checkSum'];

$pass="pumpy";

$myCheckSum=md5( $eTime.md5($pass) );

if( $myCheckSum != $checkSum) return 3;

if( $eTime<time() ) return 2;

return 0;
}

function set_cookie()
{
	if(@$_REQUEST['sessiononly'])
		$cookiePhysLife=0;
	else
		$cookiePhysLife=time()+6;

$cookieExpire=2;

$name="Damo";
$pass="pumpy";

$expires=time()+$cookieExpire;	// they expire in 15 seconds
$myCheckSum=md5( $expires.md5($pass) );

setcookie('user', $name, $cookiePhysLife);
setcookie('eTime', $expires, $cookiePhysLife);
setcookie('checkSum', $myCheckSum, $cookiePhysLife);

header("Location: $_SERVER[SCRIPT_NAME]"); exit;

if(@$_REQUEST['sessiononly'])
	echo "TEMPOSS ";

echo "COOK COOK!!";
}

function del_cookie()
{
	setcookie('user', "foo1", time()-100000);
	setcookie('eTime', "foo2", time()-100000);
	setcookie('checkSum', "foo3", time()-100000);

header("Location: $_SERVER[SCRIPT_NAME]"); exit;
}
?>
<form action="<?=$_SERVER['PHP_SELF']?>" method="post" enctype="application/x-www-form-urlencoded" name="form1">
  <input name="newcookie" type="submit" id="newcookie" value="New Cookie">
  <input name="delcookie" type="submit" id="delcookie" value="delete cookie">&nbsp;
  <label for="sessiononly">session only</label>
  <input name="sessiononly" type="checkbox" id="sessiononly" value="yes">
  <a href="<?=$_SERVER['SCRIPT_NAME']?>">Reload</a>
</form>

dugawug

Holy Moly, Drakla!
That's some script. Well thanks to you on my behalf or on anyone else who ends up benefiting from that.
You == "Da Man" 😃

Yanco

Hmm nice really..
But what if the user's browser has cookies disabled? :queasy:
So all the cookies must be stored on the server side, right?
I was using the $_SESSION('') variables to do so, but I can't force it to expire when I want..