Unset session after some time

前端未结

关注

 2  1558

逝去的感伤 2021-02-10 04:16

I am building a online ticket booking site . In this I am doing the following things : The user searches the bus with their seat numbers . The database is updated with the seat

2条回答

闹比i (楼主)

2021-02-10 04:59
Instead of doing a search for files (which involves more i/o ) etc, What is a session cookie: Session Cookie
A better way is to store a time stamp of the 'most recent activity' in the $_SESSION variable.
And updating the session data on every request (including the automated periodic ajax calls if any).

Lets say you want to unset the session after 10 minutes,
```
if (isset($_SESSION['most_recent_activity']) && 
    (time() -   $_SESSION['most_recent_activity'] > 600)) {

 //600 seconds = 10 minutes
 session_destroy();   
 session_unset();  

 }
 $_SESSION['most_recent_activity'] = time(); // the start of the session.
```
To avoid attacks like Session fixation: (Session Fixation is an attack that permits an attacker to hijack a valid user session) keep regenerating the session id periodically say for 5 mins (I would suggest to keep the regeneration time as well as session expire time a bit more). A more elaborate list of attacks: attack list.
```
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
    } 
else if (time() - $_SESSION['CREATED'] > 600) {
    session_regenerate_id(true);    
    $_SESSION['CREATED'] = time();  
    }
```
Also, make sure session.gc-maxlifetime is set to the maximum expire time you want to use. You can do this
```
ini_set('session.gc-maxlifetime', 600)
```
Or Set it directly in your php.ini.

and also

session.cookie_lifetime :

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.

But, destroying the session must be taken care at the server-side and not the client-side. Setting the session.cookie_lifetime set to 0 would make the session’s cookie behave the way a session cookie should i.e. that a session cookie is only valid until the browser is closed.

Although this method is a tad tedious, Its more elegant.

Ah, found the link which I had read a long time ago! : How do I expire a PHP session after 30 minutes?
0 讨论(0)

查看其它2个回答
发布评论:

提交评论
- 加载中...