i found that your supposed to use this:
session.gc_maxlifetime
but i dont know how. does anyone know how i can destroy a log in session so the user wont be logged in 30 minutes later.
?

Hey.

Yea, you set the session.gc_maxlifetime variable in the php.ini file to limit the time a session can stay idle.

If you don't know where the php.ini file is, create a file with just: <?php phpinfo(); ?> and look for the "Loaded Configuration File" value. That will contain the path to the configuration file you need to edit.

Once you find it, just open it up, search for the variable, set it to 1800 (30 minutes), save, restart your HTTP server and you are good to go.

dont know where the ini file is so i did the php info thing came up a huge table and i did find in my browser there is no loaded configuration file anywhere on the page. im lost

It should be very close to the top.
See the attached image. It shows where it is on my PC.

mines way different its a free host so i dont know if that changes anything

disable_functions	exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space,disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl,leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount,posix_mkfifo,putenv,geoip_open,sleep	exec,system,passthru,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,popen,pcntl_exec,socket_accept,socket_bind,socket_clear_error,socket_close,socket_connect,socket_create_listen,socket_create_pair,socket_create,socket_get_option,socket_getpeername,socket_getsockname,socket_last_error,socket_listen,socket_read,socket_recv,socket_recvfrom,socket_select,socket_send,socket_sendto,socket_set_block,socket_set_nonblock,socket_set_option,socket_shutdown,socket_strerror,socket_write,stream_socket_client,stream_socket_server,pfsockopen,stream_set_timeout,disk_total_space,disk_free_space,chown,diskfreespace,getrusage,get_current_user,set_time_limit,getmyuid,getmypid,dl,leak,listen,chgrp,link,symlink,dlopen,proc_nice,proc_get_stats,proc_terminate,shell_exec,sh2_exec,posix_getpwuid,posix_getgrgid,posix_kill,ini_restore,mkfifo,dbmopen,dbase_open,filepro,filepro_rowcount,posix_mkfifo,putenv,geoip_open,sleep

thats like basically the only thing with ini in it. and loaded or loading the one u put my browser cant find the word at all

Ahh ok, so you don't control the server yourself. That complicates these sort of things.

An easy way around this is to just manually destroy the session in your scripts by keeping track of when the user is active and destroy the session when he is idle for to long.

<?php
session_start();
if(isset($_SESSION['last_seen']) && (time() - $_SESSION['last_seen']) > 1800) {
    session_destroy();
}
else {
    $_SESSION['last_seen'] = time();
}
?>

If you were to add this, or include it, at the top of every page, it would destroy the session if the user was idle for more than 30 minutes.

thanks that makes sense! i have a question. is there a way to change it so all sessions are destroyed on everyones computer so they arent logged in when they havent been loading a page within 30 minutes even if they didnt get to load them page to destroy their session with the above code?

is that like a cron job thing or something?

Sure, but any method that would allow for that would require control over key areas of the server, which you are unlikely to have on a free, shared server.

If you did have the access, you could write a script that cleans out the temporary session files, stored in the directory specified in the session.save_path directive. (Or the OSs default temporary path.)
That could be set to execute periodically using crontab, or something equivalent.

But PHP automatically cleans up session data after the session expires, so there is really no need for that. Not to mention that your script might accidentally clear out sessions that aren't meant to be cleared out, whereas PHP won't.

The method I posted before, where I call session_destroy() would only be needed in the time-frame between the 30 minutes specified int he PHP script, and the time specified in the session.gc_maxlifetime directive. After that, PHP will automatically destroy the session.

Sure, but any method that would allow for that would require control over key areas of the server, which you are unlikely to have on a free, shared server.

If you did have the access, you could write a script that cleans out the temporary session files, stored in the directory specified in the session.save_path directive. (Or the OSs default temporary path.)
That could be set to execute periodically using crontab, or something equivalent.

But PHP automatically cleans up session data after the session expires, so there is really no need for that. Not to mention that your script might accidentally clear out sessions that aren't meant to be cleared out, whereas PHP won't.

The method I posted before, where I call session_destroy() would only be needed in the time-frame between the 30 minutes specified int he PHP script, and the time specified in the session.gc_maxlifetime directive. After that, PHP will automatically destroy the session.

ok what r the reasons to make sessions expire like after 30 minutes? is there a way for people to hack them or something? id ont understand why people do it

Yes, it is a security measure, limiting the window for a session hijacking.

There are ways for malicious persons to obtain your session cookie, which gives them the ability to hijack an open session. The less time the session is left idle, the less time the hijackers have to hijack it.
Not exactly bullet proof, but in cases like these our options are kind of limited.

Aside from that, this is also just a matter of clearing up the unused session data laying around on the server. Session are only meant to be temporary storage, lasting a single "session". If you leave for an extended period, once you return and resume what you were doing, that would be considered a new session. How long that period is, that is up to you.

Yes, it is a security measure, limiting the window for a session hijacking.

There are ways for malicious persons to obtain your session cookie, which gives them the ability to hijack an open session. The less time the session is left idle, the less time the hijackers have to hijack it.
Not exactly bullet proof, but in cases like these our options are kind of limited.

Aside from that, this is also just a matter of clearing up the unused session data laying around on the server. Session are only meant to be temporary storage, lasting a single "session". If you leave for an extended period, once you return and resume what you were doing, that would be considered a new session. How long that period is, that is up to you.

i dont think i set a session cookie ... unless every session made has a cookie

PHP uses cookies by default. If you don't know whether or not u use cookies to transfer the session ID, you almost definitely do.

Doesn't really matter in this context tho. The other option; using the query string, is no more secure. Less so, if anything.

Duplicate... The forum software is on the fritz xD

thanks i have no more questions u answered them all!

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.