Tedd,
I really like your solution. The idea of storing the expiration in the
SESSION makes it easier for me and makes it more flexible. Someone else had
provided a solution that would actually allow me to take it down to a user
level if I needed to. I loved the idea for flexibility but it would have required
a major rewrite. Your idea gives me the flexibility and doesn't require any
major rewriting - just a little tweaking.
Thanks!
Floyd
On Sep 14, 2010, at 12:58 PM, tedd wrote:
> At 10:26 AM -0400 9/14/10, Floyd Resler wrote:
>> We just got a client whose requirement is that user sessions expire after 30
>> minutes of inactivity. Our other clients are happy with not having their
>> sessions expire during the work day (i.e. life is 8 hours). I am using a
>> MySQL database to store the session data. My thought is to adjust the
>> session expiration in the table based on the client currently logged in. Is
>> this a good approach or would there be better ways to do it? And just to
>> clarify: all clients use the same Web site.
>>
>> Thanks!
>> Floyd
>
> Floyd:
>
> I don't know how others solve this, but my solution is pretty straightforward
> (see code below).
>
> I require this code for every script that is in the secured area. Simply put,
> if the user runs a script, then this script is also run.
>
> As a result, if the user is not logged in they are directed to the login
> script. If the user is logged in, but has exceeded the expiration time due to
> inactivity, then the user is redirected to the same login script with a GET
> value to trigger the login script to report that they timed out due to
> inactivity.
>
> I find it bad practice to tell a user that they are not logged in when they
> did log in. It's better to explain why they have to log on again.
>
> Now, with respect to your storing the expiration time in the database, that
> could be done easily enough by this script accessing the database, getting,
> and setting the time-limit -- OR -- at the start of any logon have the script
> pull the time-limit from the database and store that value in a SESSION.
> Either way would work.
>
> In any event, this is what I do.
>
> Cheers,
>
> tedd
>
> ========== code
>
> <?php
>
> $redirect = 'http://yourdomain.com/admin/logon.php';
>
> // standard security
>
> $secure = isset($_SESSION['security']) ? $_SESSION['security'] : 0;
>
> // if admin is not logged in -- then redirect to the admin logon
> if ($secure == 0)
> {
> header("location:$redirect");
> exit();
> }
>
> // timed security
>
> $_SESSION['start'] = isset($_SESSION['start']) ? $_SESSION['start'] : 0;
>
> $timelimit = 15 * 60; // 15 minutes
> $now = time();
>
> if($now > $_SESSION['start'] + $timelimit)
> {
> logOff();
> $t = '?t=1';
> header("location:$redirect$t");
> exit();
> }
>
> $_SESSION['start'] = time();
>
> // properly logged on pass here
>
> ?>
>
>
> <?php //============ log off function =============
> // to destroy the current session
>
> function logOff()
> {
> $_SESSION = array();
>
> if(isset($_COOKIE[session_name()]))
> {
> setcookie(session_name(), '', time()-86400, '/');
> }
> session_destroy();
> }
>
> --
> -------
> http://sperling.com/
>
> --
> PHP General Mailing List (http://www.php.net/)
> To unsubscribe, visit: http://www.php.net/unsub.php
>
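Added example, not part of either poster's code: a sketch of the approach discussed in this thread, where the time limit is read once at logon and kept in the session, so the per-request inactivity check needs no database access. The client ids, the CLIENT_LIMITS table standing in for the database lookup, and both function names are assumptions.

```php
<?php
// Added example: per-client idle timeout, with the limit cached in the session at logon.
// CLIENT_LIMITS stands in for the database lookup; ids and helper names are hypothetical.
const CLIENT_LIMITS = ['client_a' => 30 * 60, 'client_b' => 8 * 60 * 60];
const DEFAULT_LIMIT = 30 * 60; // unknown clients get the strictest limit

// Call once, after the credentials have been verified.
function startTimedSession(array &$session, string $clientId, int $now): void
{
    $session['security']  = 1;
    $session['timelimit'] = CLIENT_LIMITS[$clientId] ?? DEFAULT_LIMIT;
    $session['start']     = $now;
}

// Call on every secured request. Returns 'anonymous', 'expired' or 'active'.
function checkTimedSession(array &$session, int $now): string
{
    if (empty($session['security'])) {
        return 'anonymous';                    // never logged on
    }
    $limit = (int) ($session['timelimit'] ?? DEFAULT_LIMIT);
    $start = (int) ($session['start'] ?? 0);   // a missing timestamp counts as expired
    if ($now - $start > $limit) {
        $session = [];                         // caller still destroys the cookie and session
        return 'expired';
    }
    $session['start'] = $now;                  // activity slides the idle window forward
    return 'active';
}

// Constructed walk-through; plain arrays take the place of $_SESSION.
$t0 = 1284480000; // constructed timestamp
$a = [];
$b = [];
$none = [];
startTimedSession($a, 'client_a', $t0);        // 30-minute client
startTimedSession($b, 'client_b', $t0);        // 8-hour client

echo checkTimedSession($a, $t0 + 20 * 60), "\n";  // 20 minutes idle
echo checkTimedSession($a, $t0 + 55 * 60), "\n";  // 35 minutes after the previous request
echo checkTimedSession($b, $t0 + 55 * 60), "\n";  // 55 minutes idle, 8-hour limit
echo checkTimedSession($none, $t0), "\n";         // no logon at all
```

In a page guard, pass `$_SESSION` and `time()`, and on `'expired'` redirect to the logon script with the timeout flag as tedd's script does. With PHP's built-in session storage, `session.gc_maxlifetime` has to be at least the longest limit, or the 8-hour sessions can be garbage-collected early.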