
I'm building a web application that allows users to login to a database backend and update some records. I'm not a professional PHP developer by any means.

I've just noticed that, after opening the Chrome browser, it went to the last page it was on a few days ago (with a restart in between), which was one of the pages of the website that you can only access after logging in. I thought this was strange as the session should have expired by now.

At the top of each page I have:

session_start();

if the user logs in to the backend successfully I set a session variable like this:

$_SESSION['userAuthenticated'] = TRUE;

if the user clicks the logout button it does this:

$_SESSION = array();
session_unset();
session_destroy();

In my php.ini file I have the following set:

session.cookie_lifetime 0 (0 for both local value and master value)
session.gc_maxlifetime  900 (900 for both local value and master value)

It was my understanding that the session would remain alive for 15 minutes and be destroyed if the user quits the browser completely. I've just been testing this and I can quit the browser completely, open it again and access one of the pages that should require login.

Am I doing something wrong here? I can't always expect the users to click the Logout button, but I would expect the session to stop working either after 15 minutes or if they quit their browser completely.

UPDATE: here's how I'm checking if a user is already authenticated:

if (!isset($_SESSION['userAuthenticated']) and $_SESSION['userAuthenticated'] !== TRUE) {
    header('Location: index.php');
    die;
}
user982124
  • `$_SESSION = array();` is not required. Also, please show how you check `$_SESSION['userAuthenticated']` to verify whether the user is logged in or not. – Raptor Mar 05 '14 at 03:32
  • You are probably loading the page from the cache. Does it still show as being logged in if you refresh? – Mike Mar 05 '14 at 03:36
  • @Raptor - I'm using this to verify if the user is authenticated: if (!isset($_SESSION['userAuthenticated']) and $_SESSION['userAuthenticated'] !== TRUE) { header('Location: index.php'); die; } – user982124 Mar 05 '14 at 05:33
  • @Mike yes, if I refresh or navigate to another page it works - each page has to hit the backend database to retrieve data so it won't work if they are not authenticated – user982124 Mar 05 '14 at 05:35
  • @user982124 instead of using `and` use `or`. For example, with the code you have now if you have `$_SESSION['userAuthenticated']` set to `false`, the user will be logged in. – Mike Mar 05 '14 at 06:15

2 Answers

Honestly, you should be using a more direct timing scheme on the server side, and not count on session timeouts. As programmers we must take control whenever possible.

Example: If you use a database to keep users' logins and passwords (which should be hashed with salt if you are), then have a table set up for history (which should be active anyway). It keeps track of when each person logs in and from what IP (for future security). In this history there will be a timestamp of first login and of last activity, and when a user refreshes a page or does anything, it will refresh the last-activity timestamp. Any action should start with checking those two for that username, and if there is too large a gap (you stated 15 minutes), it is an automatic session_unset and destroy before anything else is done.

Tateyaku

Sessions in PHP work with a cookie-type session; on the server side, the session information is constantly deleted. To set the session lifetime, you can use the session_set_cookie_params function before session_start:

session_set_cookie_params(3600,"/"); // 3600 seconds (1 hour) OR 900 for 15 mins
session_start();

Browsers only destroy session cookies when the entire browser process is exited. There is no reliable method to determine if/when a user has closed a tab. There is an onbeforeunload handler you can attach to, and hopefully manage to make an ajax call to the server to say the tab's closing, but it's not reliable.

Joshua Kissoon
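Putting both answers together, here is an added example that is not from either answerer: the cookie parameters from the second answer, the server-side last-activity check from the first (kept in `$_SESSION` rather than a history table), and the question's redirect with the `and`/`or` mistake from the comments fixed. It assumes PHP 7.3 or later for the array form of session_set_cookie_params and that the site is served over HTTPS.

```php
<?php
// Added example (not from either answer): enforce the 15-minute idle limit server-side
// instead of trusting cookie lifetime or GC. Assumes PHP 7.3+ and an HTTPS site.
const IDLE_LIMIT = 900; // seconds, as in the question
// Cookie parameters go before session_start(). Lifetime 0 keeps a browser-session
// cookie; Secure/HttpOnly/SameSite limit how the session id can be stolen or replayed.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
/** Corrected form of the question's check: authenticated only if the flag is set AND true. */
function isAuthenticated(array $session): bool
{
    return isset($session['userAuthenticated']) && $session['userAuthenticated'] === true;
}

/** True when no activity stamp exists or it is older than $limit seconds. */
function sessionIdleExpired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return !isset($session['last_activity']) || ($now - (int) $session['last_activity']) > $limit;
}

/** Full logout: clear data, expire the cookie, destroy the server-side record. */
function endSession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

/** Call once after the credential check succeeds; a fresh id limits session fixation. */
function loginSucceeded(): void
{
    session_regenerate_id(true);
    $_SESSION['userAuthenticated'] = true;
    $_SESSION['last_activity'] = time();
}

// Per-request gate for every page that requires login (the question's redirect, fixed).
if (!isAuthenticated($_SESSION) || sessionIdleExpired($_SESSION, time())) {
    endSession();
    header('Location: index.php');
    exit;
}
$_SESSION['last_activity'] = time(); // still valid: refresh the stamp (Tateyaku's "last activity")
```

Because the expiry is decided from the stored timestamp on every request, a restored browser tab that still carries the cookie is redirected to index.php once 15 minutes have passed, whether or not the garbage collector has run.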