session help

dugawug

hi,
confused as what to do about sessions being relative to server time. that is, i have a session set to expire after five minutes of inactivity, but that time is relative to the server time. so problem is people in other time zones and how they may never be able to start a session if their local time is past the server's.

see my thread here:
http://www.phpbuilder.com/board/showthread.php?s=&postid=10523798#post10523798

basically, i thought why not get the user's local time, add five minutes and check against that? but i'm finding PHP doesn't retrieve client side time? is that right?

what do other's do who require sessions that work worldwide? i thought this should be much simpler.

drawmack

session variables are timestamped by the server with the server's time. The person's local time never even comes into play so this is a mute point. Also since php is a server side langauge any php time function also grabs server and not client time.

dugawug

so you're saying that sessions never take into account a client's local time?

strange because i've played with some session code:

 <?php 
session_set_cookie_params(5); 
session_start(); 

if( isset($_SESSION['foo']) ) 
    echo "FOO SET!"; 
else 
{ 
    echo "NO FOO!"; 
    $_SESSION['foo']="mungbah!"; 
} 

echo '<br><br>'; 

echo '<a href="'.$_SERVER['SCRIPT_NAME'].'">RELOAD</a>'; 
?>

and found odd differences when trying to expire a cookie after five seconds. basically, it was not expiring after five seconds...more like a minute. then i noticed there was about a minute difference between my server and my local and was almost SURE that this was the problem.

but if it were all based on server time, how could i have had that problem?

i guess i'll play with this some more in the meantime.

p.s. check the link above for that thread. the guy there too believe that local time was involved and you had to write a complex script to compare server time with server time.

drawmack

The netscape cookie reference page located at http://wp.netscape.com/newsref/std/cookie_spec.html states the following about the expires attribute:

expires=DATE
The expires attribute specifies a date string that defines the valid life time of that cookie. Once the expiration date has been reached, the cookie will no longer be stored or given out.

The date string is formatted as:
Wdy, DD-Mon-YYYY HH:MM:SS GMT
This is based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the variations that the only legal time zone is GMT and the separators between the elements of the date must be dashes.

expires is an optional attribute. If not specified, the cookie will expire when the user's session ends.

This seems to suggest that the expires parameter, while set by the server, is actually used by the client. Once the client reaches the epoch then it no longer sends the cookie, however the server will continue to use the cookies as long as the client sends them.

Also note that GMT is the only valid timezone. So the client should be converting from the client's local timezone to gmt before deciding if the cookie should be sent.

This could cause the problems you are talking about and correcting this error is a pretty intense problem better solved in a tutorial then in message board format. Basically you would have to grab the client's time, which probably involves some client side scripting, then grab the client's time zone with some more client side scripting. After you have those you could calculate the offset between the server's time and the client's time. Then this offset could be used to determine how long the session timeout should be.

It's a lot of work and I can see very few examples that are worth the overhead. One of the few examples would be a paypal type site where if the person walks away and someone else walks up the session should expire pretty quickly. Though for most sites, since sessions expire when the browser is closed, it would not be a huge deal to just set the session expire high enough to deal with this like 24 hours.

dugawug

now i'm pretty confused...first you said client time had nothing to do with it, now you're saying i have to get the local time and work with it?

this all seems so complicated for such a simple thing. i just want a session and to have it expire after a specific time of inactivity to anyone no matter what time zone they are in.

i can't believe such a simple thing requires so much effort!??

can anyone tell me it doesn't before i go coding away?

drawmack

Originally posted by dugawug
now i'm pretty confused...first you said client time had nothing to do with it, now you're saying i have to get the local time and work with it?

I'm saying that I now believe my initial statement to be wrong. Based on my knowledge that the server set the expire time I developed the supposition that the server also used this time to decide when to stop accepting a cookie. However, after reading the netscape article quoted in my previous post I now believe that the browser decides if it should send the cookie based on the expire parameter so it does use the client time.

this all seems so complicated for such a simple thing. i just want a session and to have it expire after a specific time of inactivity to anyone no matter what time zone they are in.

The expire parameter is irrelevent to timezone. All expire parameters are supposed to be used as if they are set in GMT. So timezone conversions should happen on the clientside for you. However if the client's clock is a couple of minutes off that could affect the life of the cookie.

i can't believe such a simple thing requires so much effort!??

Welcome to programming. As Turin said "programming is 90% boring, redundancy, 14.5% bug fixing and 0.5% fun stuff.

can anyone tell me it doesn't before i go coding away?

I would say test it more fully before you begin codding it here are some tests you can run:
1) Set your clock five minutes slower then the server and set the cookie to expire one minute ago. If the expire is based on the client time this cookie will be active for 4 minutes.

2) Set your clock find minutes faster then the server and set the cookie to expire in six minutes. If the expire is based on the client time this cookie will be active for 1 minute.

3) Put your computer into a different timezone with your OS timezone setting and allow the clock to be adjusted accordingly.

4) Repeat steps 1 and 2, however add the hours for the time zone difference into the time differences. (For example if you move one time zone into the future then for step one set your clock 55 minutes slower then the server) Note if the timezone change, and appropriate time change on your machine, affects the life of the cookies. If the life of the cookie is not affected then timezone is not a factor only the person's clock being wrong is.

My supposition is that steps 1 & 2 will turn out that the time change affects cookie life and step 4 will turn out that timezone does not affect cookie life.

There is another way around this, which I implemented at a previous job. Grab the user's localtime and timezone. Convert this into a difference between gmt on the server and gmt on the client. Then if that absolute difference is larger then x post a page that informs them so adjust their computer's time accordingly.

dugawug

drawmack,
thanks so much...i'll play with these ideas.
another person on that previous thread thought that cookies between different time zones are not compensated for, thus i thought i had to do up some custom code to take that into consideration...
glad to hear this may not be the case!
thanks again