Secure Login with Remember

2

I need help with a login script. The problem is that the session automatically expires after a certain period of inactivity. I would like to increase the native session limit of my pages, because the user needs to stay connected to the system all day, and having to log in again when the session expires becomes a nuisance for users. I have tried session_cache_limiter(600); to increase the limit; however, on the server it does not work, and the session is destroyed in 2 hours.

My script is basically like this: when logging in I create three session variables as follows, in login.php:

$_SESSION['cod_cliente'] = ($row["cod_cliente"]);
$_SESSION['op'] = ($row["usuario_id"]);
$_SESSION['op_tipo'] = md5($row["tipo"]); // profile

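I have a page that checks whether the user is logged in, check.php:

// Reject the request if any of the three login values is missing or empty
if(!isset($_SESSION['cod_cliente']) || empty($_SESSION['cod_cliente']) || !isset($_SESSION['op']) || empty($_SESSION['op']) || !isset($_SESSION['op_tipo']) || empty($_SESSION['op_tipo']))
{
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit; // stop here, otherwise the protected page keeps running after the redirect header
}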

And on the pages I want to protect I put at the beginning:

session_start();
include("check.php");
  • 6

    I think your system needs something like the "keep me connected" option that appears in various logins, for example Facebook. So check out this answer: http://answall.com/questions/33664/remin-usu%C3%A1rio-com-seguran%C3%A7a/33684#33684

2 answers

2

I’m sorry I was wrong about the previous answer, I couldn’t test, so I made a mistake.

To change the php.ini settings without editing the file, use the function ini_set() (some hosting providers block this function). Use it specifically to change the gc_maxlifetime of the session and, to be safe, also use session_set_cookie_params(), which has the lifetime as its first parameter.

I made a simple example, where I define the session with a maximum time of 30 seconds, and even so I use session_cache_expire() to clean up my cache after 1 minute to actually close my session (you only need to delete the cache when the session time is less than 180 minutes, as the cache is deleted every 180 minutes by default). Here is the example:

index.php:

<?php
    // set the session time to 30 seconds (the value must be given in quotes)
    ini_set('session.gc_maxlifetime', '30');
    session_set_cookie_params('30');

    /* set the cache to be deleted after 1 minute (only so that the variable
       does not stay in the cache for 180 minutes, so we can run the test) */
    session_cache_expire(1);

    session_start(); // start

    $_SESSION['logado'] = "Logado"; // a test variable

?>
<a href="verifica.php">Verificar</a>

verifica.php:

<?php
    session_start(); // get the session
    echo $_SESSION['logado']; // display the session variable (an error will be shown once it has been deleted)
?>

To test, just access index.php; after one minute, access verifica.php and the session variable will not be set. Sometimes there can be a difference because of the session cookie, which keeps holding the variable in memory.

  • Thank you for your attention. I put "session_cache_expire(5);" at the beginning of the page as mentioned, but it did not disconnect, so I assume it will also not extend the login to the limit I want. I studied some topics and saw that most people do it using cookies, but I don’t want to go for that since everyone talks about the cookie vulnerability.

  • I researched the subject and found a suitable solution; at least here it worked. As I mentioned, it can cause problems because of the session cookies.

1

I have faced problems where I set the session to unlimited time and it still expired after a period of inactivity; in my case it was the Garbage Collector.

The gc_maxlifetime setting in php.ini configures how long it takes for a session to be considered disposable, closing it even if it has not reached the total limit.

  • This is exactly my problem, because this happens when I upload to my server via FTP; that is, I looked in phpinfo and it shows "Session.gc_maxlifetime : 1440". Since I do not have access to change php.ini on the hosting server, it is not working.

  • session.gc_maxlifetime : 1440 It should give you about 50 feet for the session to be expiring. Get in touch with your hosting provider and see if they can make this change for you; if that is not possible, it may be possible to change it through ini_set or maybe even .htaccess. As a last resort, change hosting provider.

  • Thank you all for your attention, I’ll check with the hosting
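
An added example, not code from the question or from either answer: a session bootstrap that raises gc_maxlifetime with ini_set(), gives the application its own session.save_path so that other sites on the same host running the 1440 s default do not garbage-collect its files, and enforces the time limits on the server. The limits, the directory, the `created` and `last_seen` keys, HTTPS and PHP 7.3+ (array form of session_set_cookie_params()) are assumptions.

```php
<?php
// Added example: include at the top of every protected page.
// Assumed values: 8 h idle limit, 12 h absolute limit, private session directory.
const IDLE_LIMIT     = 8 * 3600;
const ABSOLUTE_LIMIT = 12 * 3600;

function start_long_session(string $savePath): void
{
    // Scripts that share one save path are cleaned by whichever script has the
    // lowest gc_maxlifetime, so a private directory is needed on shared hosting.
    if (!is_dir($savePath)) {
        mkdir($savePath, 0700, true);
    }
    ini_set('session.save_path', $savePath);
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1');   // reject ids the server did not issue
    ini_set('session.use_only_cookies', '1');  // never accept the id from the URL

    session_set_cookie_params([
        'lifetime' => ABSOLUTE_LIMIT, // cookie survives a browser restart
        'path'     => '/',
        'secure'   => true,           // assumption: the site is served over HTTPS
        'httponly' => true,           // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Pure decision function: the server enforces the limits, not the cookie.
function session_is_valid(array $s, int $now): bool
{
    if (empty($s['cod_cliente']) || empty($s['op']) || empty($s['op_tipo'])) {
        return false;
    }
    return ($now - ($s['last_seen'] ?? 0)) <= IDLE_LIMIT
        && ($now - ($s['created'] ?? 0)) <= ABSOLUTE_LIMIT;
}

start_long_session(__DIR__ . '/../sessions'); // hypothetical directory outside the web root
if (!session_is_valid($_SESSION, time())) {
    session_unset();
    session_destroy();
    header('Location: login.php');
    exit; // stop before any protected content is sent
}
$_SESSION['last_seen'] = time(); // sliding idle window
```

login.php has to call start_long_session() with the same directory and, once the credentials are verified, call session_regenerate_id(true) and set `$_SESSION['created']` and `$_SESSION['last_seen']` to time() alongside the three existing values.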
