Well, I know I've already made several posts here about sessions, but this error is different.
I have a login system where the session has to last 2 hours, i.e. it can only expire if the user does not interact with the system.
My settings are like this:
PHP
// Set the cache limiter
session_cache_limiter('must-revalidate');
// Start the session
session_start();
setcookie(session_name(),session_id(),time()+7200);
In php.ini
[session]
session.save_handler = files ; sqlite (5.3) / user / memcache(d)
session.serialize_handler = php ; php_serialize / wddx / php_binary / igbinary
session.use_cookies = 1
session.use_only_cookies = 1
session.name = TESTE
session.auto_start = 0
session.cookie_lifetime = 0
session.cookie_path = /
session.cookie_domain =
session.cookie_httponly =
session.serialize_handler = php
session.gc_probability = 1
session.gc_divisor = 1000
session.gc_maxlifetime = 1440
session.bug_compat_42 = Off
session.bug_compat_warn = Off
session.referer_check =
session.entropy_length = 0
session.cache_limiter = nocache
session.cache_expire = 7200
session.use_trans_sid = 0
session.use_strict_mode = Off
session.hash_function = 0
session.hash_bits_per_character = 5
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry"
session.upload_progress.cleanup = On
session.upload_progress.enabled = On
session.upload_progress.freq = "1%"
session.upload_progress.min_freq = 1
session.upload_progress.name = PHP_SESSION_UPLOAD_PROGRESS
session.upload_progress.prefix = "upload_progress_"
Well, when I log in and go to the browser console, the 'TEST' session appears, and it shows that it will expire in 2 hours. Whenever I refresh the page, the expiration date is updated.
The problem is that if I leave the system idle for about 30 minutes and refresh the page, it says that the session has expired.
How do I solve this?
I’d bet on cookie... less headache
– Miguel
Session is more secure because the data is on the server.
– Hugo Borges
What data? You are not saving passwords etc. in the session, are you?
– Miguel
Yes, I store passwords in the session.
– Hugo Borges
You shouldn't... just store
$_SESSION['loggedin'] = True;
and you already know that the user is logged in, with the check
if($_SESSION['loggedin']) { ... logged in ... } else { ... not logged in ... }
– Miguel
That's not quite how I do it; I have a function I built that takes the user and the password in md5 that are in the session and queries the DB.
– Hugo Borges
Hugo, you shouldn't do that; just store the id of the user that's logged in, like:
$_SESSION['loggedin']['id'] = 3; $_SESSION['loggedin']['username'] = 'HuBor';
Having this, you can already access everything related to the user: with the id stored in the session, you look up whatever interests you in the DB whenever you want, without sensitive information moving from one side to the other (client side <-> server side). And there are better hash methods than md5; it is already obsolete for hashing passwords.
– Miguel
OK, so how do I make the login system safe? Could you help me?
– Hugo Borges
There's a lot on the Internet about this... If you have time, I recommend https://www.youtube.com/watch?v=c_hNNAdyfQk&list=PLfdtiltiRHWF5Rhuk7k4UAU1_yLAZzhWc&index=1 It's old, but very good and comprehensive. In this case it only stores the user id in the session.
– Miguel
@Hugoborges You need to fix it here, it’s only 24 minutes:
session.gc_maxlifetime = 1440
– Bacco
@Bacco I'll set it equal to 'cache_expire = 7200'
– Hugo Borges
@Hugoborges Always set it a little larger than the real time.
– Bacco
Cool, but do I always have to keep it equal to 'cache_expire'?
– Hugo Borges
I added to my previous answer to cover your question. For two hours, I would set, for example, 7800 (7200 + 10 minutes of slack).
– Bacco
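The two points from the comments above (session data on the server has to outlive the idle window, and the session should hold only the user id) combined into one sketch. This is an added example, not code from any participant in the thread. It assumes PHP 7.3+ (array form of session_set_cookie_params), an HTTPS site, and a password hash created with password_hash(); the function names current_user_id and log_in and the key names user_id and last_activity are hypothetical.

```php
<?php
// Added example: sliding 2-hour idle timeout enforced on the server side.
const IDLE_LIMIT = 7200;   // 2 hours without interaction
const GC_MARGIN  = 600;    // the 10 minutes of slack suggested in the thread

// Session files must outlive the idle limit, otherwise the garbage collector
// may delete them early (1440 s is the 24 minutes pointed out in the thread).
ini_set('session.gc_maxlifetime', (string) (IDLE_LIMIT + GC_MARGIN));
ini_set('session.use_strict_mode', '1');   // refuse ids the server did not issue

session_name('TESTE');
session_set_cookie_params([
    'lifetime' => 0,       // browser-session cookie; idle expiry is checked below
    'path'     => '/',
    'secure'   => true,    // assumption: the site is served over HTTPS
    'httponly' => true,    // keep the session id away from page scripts
    'samesite' => 'Lax',
]);
session_start();

// Returns the logged-in user id, or null if nobody is logged in or the
// session has been idle for longer than IDLE_LIMIT.
function current_user_id(int $now): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_activity'])) {
        return null;
    }
    if ($now - $_SESSION['last_activity'] > IDLE_LIMIT) {
        $_SESSION = [];
        session_destroy();               // drop the server-side data too
        return null;
    }
    $_SESSION['last_activity'] = $now;   // every request slides the window
    return $_SESSION['user_id'];
}

// $storedHash is assumed to come from password_hash() at registration.
function log_in(int $userId, string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    session_regenerate_id(true);         // fresh id once the user is authenticated
    $_SESSION['user_id'] = $userId;      // only the id, never the password or its hash
    $_SESSION['last_activity'] = time();
    return true;
}
```

Where session cleanup runs from a system cron job instead of PHP's own garbage collector, the value in php.ini is the one that counts, so session.gc_maxlifetime should be raised there as well.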