I have a PHP/MySQL application which processes a lot of data. When I use session regeneration, my application logs the user out over and over again within a matter of seconds.
To resolve this, I disabled the session regeneration. I have set gc maxlifetime = 86400.
Could it be possible that a memory leak or long execution time of some heavy PHP script/loop which is not coded properly be at the source of this problem?
function checklogin()
{
    if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 86400))
    {
        session_unset(); // unset $_SESSION variable for the run-time
        session_destroy(); // destroy session data in storage
    }
}
function login()
{
    session_start();
    // session_regenerate_id(); //ON USING IT LOGSOUT, SO I STOPPED USING THIS
    $_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
}
I need to use the session regeneration but it shouldn't log out.
session_start() must be the first instruction executed if you want to work with cookies.
What I want is to be able to delete session data without page refresh.
So let's say my user created a session and left his computer on sleep mode for two years, I want to delete his session after 4800s...
How can I do that?
At the moment, I have code which only deletes the session on refresh.
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 4800)) {
    session_unset(); // unset $_SESSION variable for the run-time
    session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
Or does this code work without page refresh?
If not, how can I constantly update this code?
Just add this code anywhere in your page
<script type="text/javascript">
setTimeout(function () {
    location = '';
}, 60000);
</script>
reference: Refresh Page for interval using js
100% Working Just Add This Code Once
setTimeout(function () {
    window.location.href = "";
}, 3000);
Though this question has multiple duplicates, I could not find a proper solution for me.
I need some help.
I have used ini_set('session.cookie_lifetime', 0); in my configuration file.
But it is not helping me to destroy session on browser close.
Application current flow:
1) In the authentication page, if the user is valid, generate a new session identifier using session_regenerate_id(true);
2) Control goes to welcome.php, where I start a new session using session_start();
3) In the logout page, the code is
$_SESSION = array();
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"],
        $params["secure"], $params["httponly"]
    );
}
// Finally, destroy the session.
session_destroy();
This might help you,
session_set_cookie_params(0);
session_start();
Your session cookie will be destroyed... so your session will be good as long as the browser is open. Please view http://www.php.net//manual/en/function.session-set-cookie-params.php as this may help you.
Use a keep alive.
On login:
session_start();
$_SESSION['last_action'] = time();
An ajax call every few (e.g. 20) seconds:
window.setInterval(keepAliveCall, 20000);
Server side keepalive.php:
session_start();
$_SESSION['last_action'] = time();
On every other action:
session_start();
if ($_SESSION['last_action'] < time() - 30 /* be a little tolerant here */) {
    // destroy the session and quit
}
The best way to close the session is: if there is no response for that session after a particular interval of time, then close it. Please see this post and I hope it will resolve the issue: "How to change the session timeout in PHP?"
There are different ways to do this, but the server can't detect when the browser gets closed, so destroying it then is hard.
timeout session.
Either create a new session with the current time or add a time variable to the current session, and then check it when you start up or perform an action to see if the session has to be removed.
session_start();
// Record the creation time only once, when the session is new.
if (!isset($_SESSION["timeout"])) {
    $_SESSION["timeout"] = time();
}
// If 100 seconds have passed since creating the session, delete it.
if (time() - $_SESSION["timeout"] > 100) {
    unset($_SESSION["timeout"]);
}
ajax
Make JavaScript perform an ajax call that will delete the session, using onbeforeunload(), a JavaScript function that calls a final action when the user leaves the page. For some reason this doesn't always work though.
delete it on startup.
If you always want the user to see the login page on startup after the page has been closed you can just delete the session on startup.
<?php
session_start();
unset($_SESSION["session"]);
and there probably are some more.
There's one more "hack" by using HTTP Referer (we assume that the browser window was closed if the current referer's domain name and the current page's domain name do not match):
session_start();
$_SESSION['somevariable'] = 'somevalue';
// HTTP_REFERER is optional and may be absent; treat a missing header as an empty string
if (parse_url($_SERVER["HTTP_REFERER"] ?? '', PHP_URL_HOST) != $_SERVER["SERVER_NAME"]) {
    session_destroy();
}
This also has some drawbacks, but it helped me a few times.
You can do it using JavaScript by triggering an ajax request to the server to destroy the session on the onbeforeunload event, fired when we close the browser tab, window or browser.
Use the following code to destroy the session:
<?php
session_start();
unset($_SESSION['sessionvariable']);
header("Location:index.php");
?>
If you want to change the session id on each log in, make sure to use session_regenerate_id(true) during the log in process.
<?php
session_start();
session_regenerate_id(true);
?>
If you close your browser your session is lost.
session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
ini_set('session.cookie_lifetime', 172800); // for 48 hours (48 * 3600 seconds)
ini_set('session.gc_maxlifetime', 172800); // for 48 hours (48 * 3600 seconds)
session_start();
If you are confused what to do, just refer to the manual of session_destroy() function:
http://php.net/manual/en/function.session-destroy.php
There you can find some more features of session_destroy().
I have searched for a way to check if a session is started and how long it has been since it was started, and if, say, half an hour has passed, regenerate the ID; if more than an hour has passed, destroy it.
I found this code here on stack:
// Start the session
session_start();
// Check if the session is started, if not regenerate it each time passes 30 minutes
if (!isset($_SESSION['init'])) {
    $_SESSION['init'] = time();
} elseif (time() - $_SESSION['init'] > 1800) {
    session_regenerate_id(true);
    $_SESSION['init'] = time();
}
// Check if the session was alive for more than one hour, if so kill it
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > 3600)) {
    session_destroy();
    session_unset();
}
$_SESSION['last_activity'] = time();
But it seems to run into some problems. I tried destroying it after 18 seconds so I can check if it's working. When I request the page that is protected and it's been more than 18 seconds, the first time I'm still on it, but the second time I'm redirected, as I am supposed to be the first time after 18 seconds. Why is that?
Did I do something wrong?
When you run the page the first time, you check if a session is set and then at the end set the session variable. You should put the $_SESSION['last_activity'] = time(); at the beginning. Also, the page will not keep checking if a session variable is expired, so it will only check if you set the variable on one page and check/set it on all of the pages you want protected.
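An added example (not code from the question or the answer above) of the same 30-minute rotation and one-hour idle timeout, with the checks run at the top of every protected page so an expired session is rejected on the same request that detects it. The names session_action, enforce_session_policy and login.php are assumptions made for illustration.

```php
<?php
// Added example: values mirror the 3600 s / 1800 s limits used in the question.
const IDLE_LIMIT   = 3600; // destroy after one hour without activity
const ROTATE_AFTER = 1800; // issue a new session ID every 30 minutes

// Pure decision function (hypothetical name): returns 'expire', 'rotate' or 'keep'.
function session_action(array $s, int $now): string
{
    // Idle timeout is checked first so a stale session is never rotated.
    if (isset($s['last_activity']) && $now - $s['last_activity'] > IDLE_LIMIT) {
        return 'expire';
    }
    if (isset($s['init']) && $now - $s['init'] > ROTATE_AFTER) {
        return 'rotate';
    }
    return 'keep';
}

// Hypothetical helper: call before any page logic on every protected page.
// Returns false when the session has expired and the caller must redirect.
function enforce_session_policy(): bool
{
    session_start();
    $now = time();
    switch (session_action($_SESSION, $now)) {
        case 'expire':
            $_SESSION = [];        // clear data for the current request
            session_destroy();     // remove data from storage
            return false;          // do NOT refresh last_activity here
        case 'rotate':
            session_regenerate_id(true); // new ID, old session data deleted
            $_SESSION['init'] = $now;
            break;
    }
    $_SESSION['init'] = $_SESSION['init'] ?? $now; // first request of a new session
    $_SESSION['last_activity'] = $now;             // only live sessions are refreshed
    return true;
}

// Top of a protected page (login.php is an assumed path).
if (!enforce_session_policy()) {
    header('Location: login.php');
    exit;
}
```

Because the timestamp is refreshed only after the expiry check passes, the first request made after the idle limit is the one that gets redirected.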
I'm having trouble forcing sessions to restart in PHP. Here's the problem:
I can get my session id with session_id(), copy it, and add to the very top of my script:
session_id('the_session_id');
session_start();
And when I open a new browser, the session from the other browser is not carried over. What settings can I check?
Reason:
If you close the browser window and open it again, then at this moment a second session is started with a different ID, if the used web application has some session based authentication system the user has to login again. At the same time the user has to logout twice!
Solution:
This function will use a real cookie for the session ID and updates the expiration time with every script execution. The expiration is equal to the PHP directive "gc_maxlifetime" (default) or every custom value. So, put this function in your PHP file. We will need it.
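<?php
// $expire = the time in seconds until a session has to expire
function start_session($expire = 0)
{
    if ($expire == 0) {
        // No custom value given: fall back to the configured gc_maxlifetime
        $expire = ini_get("session.gc_maxlifetime");
    } else {
        ini_set("session.gc_maxlifetime", $expire);
    }
    if (empty($_COOKIE['PHPSESSID'])) {
        // No session cookie yet: create one with the requested lifetime
        session_set_cookie_params($expire);
        session_start();
    } else {
        // Existing session: resume it and push the cookie expiry forward
        session_start();
        setcookie("PHPSESSID", session_id(), time() + $expire);
    }
}
?>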
Now, in the top of your page where you're issuing session_id('the_session_id'); and session_start();, remove those lines and start session with this code below:
To start a session with an expire time given by the php configuration
start_session();
To start a session that will expire in 1 hour:
start_session(3600);