session, maybe stupid question...

kante

i set up my php to session_autostart ON..

i noticed the session never expires... when i do not log out....

example if i turn off the PC without loggin out the day after i'm still logged in...
the default value of session_expire is 180 and i didn't change it...

well' i'm checking on the value of session_expire() , it is alwyas 180
at every page load.... but maybe it is normal ince i have session_autostart...
the session time is always initialized to 180 at every load of php page...

so.... how to make it expire?
should i turn off the session_autostart? or there's something else I'm missing...

another question.... leaving session_autostart set On, does it implies any security issue?

Thanks

bradgrafelman

kante wrote:
i noticed the session never expires... when i do not log out....

example if i turn off the PC without loggin out the day after i'm still logged in...
the default value of session_expire is 180 and i didn't change it...

How do you know that the session didn't expire?

kante wrote:
well' i'm checking on the value of session_expire() , it is alwyas 180

There is no native PHP function called session_expire(), so I have no idea what you mean by that - is this a custom function?

Also, there is no countdown anywhere - your browser is what handles the expiration of the session cookie, not PHP.

kante wrote:
leaving session_autostart set On, does it implies any security issue?

I don't know about any security issues, but it might impose performance issues on a busy site. Why automatically start a session on every single PHP pageload regardless of whether it might be needed or not?

kante

you re right the only function is

session_cache_expire
This has nothing to do with lifetime of a session

as manual says, I mess up with this...

to answer you.

"How do you know that the session didn't expire?"

i know that session expire because i perform a check on SESSION vars i previously stored, with a SQL query to check if the user is granted to see the page....
when i turn off the PC without loggin out,... and the day after turn on and load a page without passing for log in, i found myself logged ... the SESSION vars are still populated with their old values... maybe when session expires.... it doesn't flush alla the $SESSION vars?

"Why automatically start a session on every single PHP pageload regardless of whether it might be needed or not?"

if not...how to keep track of a user logged in those pages, without session?

bradgrafelman

First of all, the session.cache_expire setting has nothing to do with how long a session cookie should last. From the manual:

session.cache_expire specifies time-to-live for cached session pages in minutes

Thus, that directive only instructs browsers how long they should cache session-related pages before requesting a new copy from your server.

The PHP directive that specifies how long session cookies should last is [man]session.cookie_lifetime[/man]. The session cookie's expiration datetime value is set when the cookie is first generated, however - it's not updated with each page load.

If you're trying to implement a mechanism that automatically logs users out after a certain period of inactivity, then you need to do this yourself in your code. For example, you could store a timestamp value in the session data, and on each page request you'd check to see if the current timestamp is greater than X seconds (where X is whatever you desire) and, if so, destroy the session and force the user to log in again.

EDIT: Forgot to answer...

kante wrote:
if not...how to keep track of a user logged in those pages, without session?

I didn't say not to use sessions altogether, I just asked why sessions need to be automatically started for every single page request. Can you say that every single .php file on your site (now and in the future) requires session data? Most can not, thus the default value set by the developers of PHP is for session.auto_start to be disabled.

kante

EDIT: Forgot to answer...

i need the session started automatically because i noticed that if i don't, i have to start it manually in every page i like to check on the array $SESSION's values.
Or else $SESSION['myvar'] will be empty....

so since i need to check if a user has been logged and i do this by a SQL query like

(Just for example)
SELECT *FROM authorizedUsers WHERE login=$_SESSION['username']

and i need to include this code at the top of every page... or else a user who comes to know the url of a internal page could see the contents bypassing the login....

since this is included in every page of this site.... i need to start session in every page....

is there a better way for this? do I miss something?

fro the session expiration following your suggestion i found this code:

session_start();

   if(!session_is_registered("session_count")) {
         $session_count = 0;
         $session_start = time();
         $_SESSION['session_count']=$session_count;
         $_SESSION['session_start']=$session_start;
   } else {
         $session_count++;
   }

   $session_timeout = 20; // 30 minutes (in sec)

   $session_duration = time() - $_SESSION['session_start'];
   if ($session_duration > $session_timeout) {
       session_unset();
       session_destroy();
       $_SESSION = array();
        die("SIGN OUT");   
		   //header("Location: /login_page.php?expired=yes");  // Redirect to Login Page
   } else {
       $session_start = time();
       $_SESSION['session_start']=$session_start;
   }

as u can see even here... u need to start session... or else $_SESSION['session_start'] will be void.... n' the script won't work.....

so finally why bothering starting session in all pages? when we can use session_autostart?😕