Tedd, I really like your solution. The idea of storing the expiration in the SESSION makes it easier for me and makes it more flexible. Someone else had provided a solution that would actually allow me to take it down to a user level if I needed to. I loved the idea for flexibility, but it would have required a major rewrite. Your idea gives me the flexibility and doesn't require any major rewriting - just a little tweaking.

Thanks!
Floyd

On Sep 14, 2010, at 12:58 PM, tedd wrote:

> At 10:26 AM -0400 9/14/10, Floyd Resler wrote:
>> We just got a client whose requirement is that user sessions expire after 30
>> minutes of inactivity. Our other clients are happy with not having their
>> sessions expire during the work day (i.e. life is 8 hours). I am using a
>> MySQL database to store the session data. My thought is to adjust the
>> session expiration in the table based on the client currently logged in. Is
>> this a good approach or would there be better ways to do it? And just to
>> clarify: all clients use the same Web site.
>>
>> Thanks!
>> Floyd
>
> Floyd:
>
> I don't know how others solve this, but my solution is pretty straightforward
> (see code below).
>
> I require this code for every script that is in the secured area. Simply put,
> if the user runs a script, then this script is also run.
>
> As a result, if the user is not logged in they are directed to the login
> script. If the user is logged in, but has exceeded the expiration time due to
> inactivity, then the user is redirected to the same login script with a GET
> value to trigger the login script to report that they timed out due to
> inactivity.
>
> I find it bad practice to tell a user that they are not logged in when they
> did log in. It's better to explain why they have to log on again.
>
> Now, with respect to your storing the expiration time in the database, that
> could be done easily enough by this script accessing the database, getting,
> and setting the time-limit -- OR -- at the start of any logon have the script
> pull the time-limit from the database and store that value in a SESSION.
> Either way would work.
>
> In any event, this is what I do.
>
> Cheers,
>
> tedd
>
> ========== code
>
> <?php
>
> $redirect = 'http://yourdomain.com/admin/logon.php';
>
> // standard security
>
> $secure = isset($_SESSION['security']) ? $_SESSION['security'] : 0;
>
> if ($secure == 0) // if admin is not logged in -- then redirect to the admin logon
>     {
>     header("location:$redirect");
>     exit();
>     }
>
> // timed security
>
> $_SESSION['start'] = isset($_SESSION['start']) ? $_SESSION['start'] : 0;
>
> $timelimit = 15 * 60; // 15 minutes
> $now = time();
>
> if($now > $_SESSION['start'] + $timelimit)
>     {
>     logOff();
>     $t = '?t=1';
>     header("location:$redirect$t");
>     exit();
>     }
>
> $_SESSION['start'] = time();
>
> // properly logged on pass here
>
> ?>
>
>
> <?php //============ log off function =============
> // to destroy the current session
>
> function logOff()
>     {
>     $_SESSION = array();
>
>     if(isset($_COOKIE[session_name()]))
>         {
>         setcookie(session_name(), '', time()-86400, '/');
>         }
>     session_destroy();
>     }
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
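
The per-client variant discussed in this thread (pull the time limit once at logon and keep it in the SESSION), as an added example that is not code from tedd or Floyd. The client names, limits and function names are assumptions, and a plain array stands in for both `$_SESSION` and the database lookup so the logic can be run offline.

```php
<?php
// Added example. Constructed data: stands in for a per-client lookup in MySQL.
const CLIENT_IDLE_LIMITS = [
    'client_a' => 30 * 60,     // 30 minutes of inactivity
    'client_b' => 8 * 60 * 60, // 8-hour work day
];
const DEFAULT_IDLE_LIMIT = 15 * 60; // fallback when a client has no entry

// Call once after a successful logon: copy the client's limit into the session.
function startTimedSession(array &$session, string $client, int $now): void
{
    $session['security']  = 1;
    $session['timelimit'] = CLIENT_IDLE_LIMITS[$client] ?? DEFAULT_IDLE_LIMIT;
    $session['start']     = $now;
}

// Call on every secured request. Returns 'ok', 'login' or 'timeout' so the
// caller can redirect to the logon page with or without the timed-out flag.
function checkTimedSession(array &$session, int $now): string
{
    if (empty($session['security'])) {
        return 'login'; // never logged in, or already logged off
    }
    $limit = $session['timelimit'] ?? DEFAULT_IDLE_LIMIT;
    $start = $session['start'] ?? 0;
    if ($now > $start + $limit) {
        // Drop all state; with a real session, also expire the cookie and
        // call session_destroy(), as the logOff() function in the thread does.
        $session = [];
        return 'timeout';
    }
    $session['start'] = $now; // activity resets the idle clock
    return 'ok';
}

// Constructed walk-through with fixed timestamps instead of time().
$s = [];
startTimedSession($s, 'client_a', 1000);
echo checkTimedSession($s, 1000 + 29 * 60), "\n"; // 29 idle minutes
echo checkTimedSession($s, 1000 + 60 * 60), "\n"; // 31 more idle minutes
echo checkTimedSession($s, 1000 + 61 * 60), "\n"; // session already cleared
```

Because the limit is read from the session on every request, a change to a client's limit in the database takes effect at that user's next logon, not mid-session.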