
I am creating a login script, and when a user logs in, he will be able to stay 3 hours before he is logged out by the system.

The following is in my login.php:

            ....
            $_SESSION['dgUserLoggedIn'] = true;
            $_SESSION['timeout'] = time();
            ....

The login-check.php, which is at the top of every page that needs authentication:

// login-check.php: session-setup.php (which calls session_start()) has to be
// included before this file, otherwise $_SESSION is empty.
function isLoginSessionExpired() {
    $login_session_duration = 10800;   // 3 hours in seconds
    $current_time = time();
    if(isset($_SESSION['timeout']) and isset($_SESSION['dgUserLoggedIn'])){
        if(($current_time - $_SESSION['timeout']) > $login_session_duration){
            session_regenerate_id(true);           // change session ID for the current session and invalidate old session ID
            $_SESSION['timeout'] = $current_time;  // update creation time
            return true;
        }
    }
    return false;
}
if(isset($_SESSION["dgUserLoggedIn"])) {
    if(isLoginSessionExpired()) {
        header("Location: /core/logout.php");
        exit;   // stop here; without exit the protected page is still sent after the redirect header
    }
}

With the above code the user is logged out automatically after around 30 minutes. How can I make sure the user can stay logged in for 3 hours, with the time updating itself on every page refresh or visit?

Below is my session-setup.php:

// **PREVENTING SESSION HIJACKING**
// Prevents JavaScript (XSS) attacks aimed at stealing the session ID
ini_set('session.cookie_httponly', 1);

// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
// (session.entropy_file and session.hash_function exist in PHP 5.x; both were removed in PHP 7.1)
ini_set('session.entropy_file', '/dev/urandom');

// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');

// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);

// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);

// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);

// The session cookie is only ever sent over a secure connection (HTTPS)
ini_set('session.cookie_secure', 1);

session_start();
  • Try changing if(((time() - $_SESSION['timeout']) > $login_session_duration)){ with the less-than operator. (Commented Jun 25, 2016 at 10:43)

4 Answers

You could also try changing the value at runtime using ini_set:

ini_set('session.gc_maxlifetime', '10800');

or

You can change this line in your php.ini file.

session.gc_maxlifetime = 1440

Update: it seems to be possible, so I stand corrected.

php_value session.gc_maxlifetime 10800

I hope it will be helpful.


Have you checked the value of session.gc_maxlifetime in your php.ini file? I guess this is the one that causes the problem.

2 Comments

  • I have put my session-setup.php @Atif
  • Can you check the values of session.gc_divisor and session.gc_probability? Take a look at stackoverflow.com/questions/3428153/…

The session's default timeout is 24 minutes (1440 seconds). Please check the PHP sessions default timeout.

First check the default session timeout setting on your server, and add the following line to your code. I hope it will work for you.

session_set_cookie_params(10800);
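The following is an added example and not code from the question or from any of the answers. It puts together what the thread discusses: the asker's login-check.php rewritten as a sliding idle timeout that restarts on every visit (with `exit` after the redirect), and session.gc_maxlifetime plus the session cookie lifetime from the answers set to the same 3 hours, so that no layer ends the session earlier than the application intends. The names SESSION_IDLE_SECONDS, SESSION_MAX_SECONDS, loginUser(), enforceLogin(), selfCheck() and the `$now` parameter are assumptions made for this example; it needs PHP 7.1 or later for the type declarations.

```php
<?php
// Added example (not from the question or the answers). Sliding idle timeout for
// protected pages, with server-side, cookie and application lifetimes aligned.
// SESSION_IDLE_SECONDS, SESSION_MAX_SECONDS, loginUser(), enforceLogin(),
// selfCheck() and the $now parameter are assumptions made for this example.

const SESSION_IDLE_SECONDS = 10800;     // 3 hours without a request ends the login
const SESSION_MAX_SECONDS  = 8 * 3600;  // absolute cap however active the user is (assumed value)

// Replacement for session-setup.php: every lifetime the server or browser
// applies must be at least as long as the application's own idle timeout,
// otherwise the shortest one wins (which is what the question observes).
function configureSession(): void
{
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_SECONDS); // server keeps data 3 h
    ini_set('session.use_only_cookies', '1');  // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
    // lifetime, path, domain, secure (HTTPS only), httponly (hidden from JavaScript)
    session_set_cookie_params(SESSION_IDLE_SECONDS, '/', '', true, true);
    session_start();
}

// Called from login.php once the credentials have been verified.
function loginUser(int $now): void
{
    session_regenerate_id(true);           // fresh ID so a pre-login ID cannot be reused
    $_SESSION['dgUserLoggedIn'] = true;
    $_SESSION['login_time']     = $now;
    $_SESSION['last_activity']  = $now;
}

// Pure decision function: true when the login should be ended. $session and
// $now are passed in rather than read globally so the rule can be checked offline.
function isLoginSessionExpired(array $session, int $now): bool
{
    if (empty($session['dgUserLoggedIn'])
        || !isset($session['last_activity'], $session['login_time'])) {
        return false;                      // nobody is logged in, nothing to expire
    }
    $idle = $now - $session['last_activity'];
    $age  = $now - $session['login_time'];
    return $idle > SESSION_IDLE_SECONDS || $age > SESSION_MAX_SECONDS;
}

// Top of every protected page (the role of login-check.php), with two changes:
// the window slides forward on every visit, and the script stops after the redirect.
function enforceLogin(int $now): void
{
    if (isLoginSessionExpired($_SESSION, $now)) {
        $_SESSION = [];
        session_destroy();
        header('Location: /core/logout.php');
        exit;                              // otherwise the protected page is still sent
    }
    if (!empty($_SESSION['dgUserLoggedIn'])) {
        $_SESSION['last_activity'] = $now; // each request restarts the 3-hour clock
        // session_set_cookie_params only applies when the cookie is first issued,
        // so push the browser-side expiry forward on every request as well.
        setcookie(session_name(), session_id(), $now + SESSION_IDLE_SECONDS, '/', '', true, true);
    }
}

// Offline walk-through of the expiry rule with constructed timestamps.
function selfCheck(): array
{
    $t0 = 1000000;                         // constructed reference time
    $s  = ['dgUserLoggedIn' => true, 'login_time' => $t0, 'last_activity' => $t0];
    $results = [
        '30 min idle stays valid' => isLoginSessionExpired($s, $t0 + 1800)  === false,
        '3 h + 1 s idle expires'  => isLoginSessionExpired($s, $t0 + 10801) === true,
    ];
    $s['last_activity'] = $t0 + 10000;     // a page visit just before the 3 h mark
    $results['visit extends the window'] = isLoginSessionExpired($s, $t0 + 20000) === false;
    $s['last_activity'] = $t0 + 25000;     // active user, but past the absolute cap
    $results['absolute cap still applies'] = isLoginSessionExpired($s, $t0 + 30000) === true;
    return $results;
}

if (PHP_SAPI === 'cli') {                  // run with: php this-file.php
    foreach (selfCheck() as $name => $ok) {
        echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
    }
}
```

The two timestamps stored in the session serve different purposes: `last_activity` gives the idle timeout the asker wants (refreshed on every page), while `login_time` bounds how long a stolen session cookie stays usable no matter how often it is replayed. Keeping the gc and cookie lifetimes equal to or longer than SESSION_IDLE_SECONDS is what stops the server from discarding a session the application still considers valid.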
