I am working with Laravel. My question is in Laravel any way to manage specific session with specific expire time.
I extends session expire time from session.php but here it's apply on all session.
For example I want to manage Login session for 1 week or specific time and other session should be expire after 1 hour or normal time like close browser.
You could try saving date of session's assignment to user.
Let's have an example of a user name.
Having mysql table session of id,user_id,session_name and created_at you could simply do something like:
$s = new Session;
$s->user_id = $user_id;
$s->session_name = 'name';
Then later on in you app you could simply check if time between NOW and $s->created_at is greater than value you are interested in (like 7 days or so). If so - delete the record and delete session by doing:
session()->forget($s->session_name);
EDIT
You can also add a column of duration so you can dynamically forget sessions after time passed out.
Related
My problem is cookie has been set with expiry time and in value there is no start or expire time etc but I want to get its start time mean when this cookie created?
Basically when user enters into my site and browse through some pages and reach on a specific page where cookie created, now it continuous browsing and reach on some other page where I just want to check is this cookie created within 5 hours or within 1 day etc.
I want this because user may leave site during process completion and come again after some time then I will check if user came in specific time so I want to reopen same page where he left.
Sorry if my english is not good.
There is no option available to get Cookie Creation date/time. Whenever user visits your site, You can simply add a variable + value([creation_datetime=>2016-06-10 10:10 AM]) in the cookie, and retrieve it whenever you want it.
Here is example
Example 1
Example 2
You can add current time in cookie value and check anytime when it was created (until it expires)
My compeny current PHP website has users that are logging in using session. Keeping a field in the session $_SESSION['user_id'] and when logging out unset this field. The user data like Name, Address, Balance is saved in MySQL user table. Now I want to create a query that returns all the logged in user and Balance is over 500$.
How would you approach such task?
Consider that I have a lot of users so looping through all the sessions in session folder and than querying the DB and than matching the results in not really a possibility.
Second option is saving user login state in the user table. setting it to 1 when user log in and to 0 when log out. This is the simplest option to do with current code base and the company bureaucracy.
But I can think problem with synchronization especially if the session expire
Third option is to transfer all the responsibility of the session to the DB with something like session_set_save_handler.
What do you think is the best practice?
(I'd like to add to what #Ofir_Baruch said, for avoiding multiple calls to the DB in order to update last user's loggin all the time)
Add a time-stamp "last login",in:
user's table in DB (lets call it: DB's time-stamp)
in user's session (lets call it: session's time-stamp)
(lets say a session lasts 15 minutes for example)
Add this concept when you check if user's session is valid:
(pseudo code)
when user request a page:
if session[user] is not valid:
create new session
session[user] = username
session[last-login] = time-stamp
update user's last login column in DB to current time-stamp
else
if ( current_time_stamp - session[last-login] > 15 )
session[last-login] = time-stamp
update user's last login column in DB to current time-stamp
else
do_nothing
this way, you don't have to update the DB's time-stamp each time your user does something (like requesting a page or refreshing), but only if 15 minutes have passed.
getting the all logged user's will be a simple query now, as #Ofir_Baruch described in comment.
I'm using a simple, custom session wrapper class to store user sessions in the database, but I'm confused with how to accomplish long-term saved sessions while having short term sessions as well.
I give the user the option to "Keep me logged in". If this is set then I want to keep their session saved for 6 months. If it's not set then I want to keep their session saved for 2 hours. I don't want this 6 month period to keep extending... even if they log in every day, after 6 months their persistent login will be cleared.
If I set session.cookie_lifetime and the garage collection variable session.gc_maxlifetime to something like 6 months or more, then the people with only the "2 hour session" will be leaving tons of unused sessions that won't get cleaned up by the garbage collection until 6 months or more. I'd rather keep session.gc_maxlifetime set to a more reasonable value.
I'm thinking what I should do is create a cookie (not the PHPSESSID cookie because I don't want garbage collection to clear it) that contains the last used session id, and set the expiration of that cookie to either 6 months or 2 hours, depending on if they checked "Keep me logged in" or not. If someone starts a new session and they have this cookie saved, it will try to match the cookie's session id to a saved session in the database. If the same session is found, it will change the session id to their new session id and update the database record, continuing their session. If it's not found it will create a new database entry.
Does this sound like a good way to accomplish what I want? Are there any security issues with this?
in login window and Auth managment i cant set lifetime correctly. how to set that before creating a session such as:
Config::set('session.lifetime', '60');
second parameter is random and user can change that in login window
You definitely should not change server's session lifetime in Laravel instance for each individual user. Instead, store session expiration time for individual user somewhere in database, next to the user data with the timestamp of last user activity. Whenever difference between last user activity and new request will be more then expiration time (that you saved in database), do Session::flush()
i wonder, how i can remove all certain cookies after (e.g. : 10 minutes) inactivity .
im working on securing a php project and one of the steps are this
i should remove administration cookies and session saved in mysql after certain amount inactivity time in php/mysql project
is there any suggestion !?
Well, you should never be storing anything important in cookies, so you should really only have a Session ID stored as a cookie.
Simply set that cookie to expire in 10 minutes. Store that same timestamp in your database.
After, say, 5 minutes, do what you need to do, then set the cookie to expire in another 10 minutes and update the session
After, say, 11 more minutes, the cookie won't be provided, and you can forward the user to your "not authenticated page".
In a cron job or on every page load, delete any sessions that have an expiry time in the past.
save a random string both in cookie and in db, in db also save the expire time..
when a client perform a request get the string from cookie and check the concerning expire time in db...
if time is passed destroy the cookie, otherwise not...
<?php
//retrive cookies if exist the hash stored in it.
//cookie don't exist save the cookie
if(!$_COOKIE){
//create a random string in $rnd_string and the expire date in $data
setcookie("hash", $rnd_string);
//sql connection here
//adding rows to db..
mysql_query("INSERT INTO table (expiredate, hash) VALUES ('".$data."','".$rnd_string."')");
}
else{
//here the code if cookie exist
$hash=$_COOKIE['hash'];
//sql connection here
//retrieving row from db
$result=mysql_fetch_array(mysql_query("SELECT expiredate FROM table WHERE hash='".$hash."'"));
//in $result['expiredate'] you'll have the expire date, check this with server time and decide if is session is valid or not...
}
Couldn't you just set the cookies on every page to expire in 10 * 60?