
I am creating a login script, and when a user logs in, he should be able to stay logged in for 3 hours before the system logs him out.

The following is in my login.php

            ....
            $_SESSION['dgUserLoggedIn'] = true;
            $_SESSION['timeout'] = time();
            ....

The login-check.php, which is included at the top of every page that needs authentication:

function isLoginSessionExpired() {
    $login_session_duration = 10800;    // 3 hours, in seconds
    $current_time = time(); 
    if(isset($_SESSION['timeout']) and isset($_SESSION['dgUserLoggedIn'])){  
        if(($current_time - $_SESSION['timeout']) > $login_session_duration){ 
            session_regenerate_id(true);    // change session ID for the current session and invalidate old session ID
            $_SESSION['timeout'] = $current_time;  // update creation time
            return true; 
        } 
    }
    return false;
}
if(isset($_SESSION["dgUserLoggedIn"])) {
    if(isLoginSessionExpired()) {
        header("Location: /core/logout.php");
        exit;   // stop here: without exit the protected page is still rendered after the redirect header
    }
}

With the above code the user is logged out automatically after around 30 minutes. How can I make sure the user can stay logged in for 3 hours, with the time updating itself on every page refresh or visit?

Below is my session-setup.php

// **PREVENTING SESSION HIJACKING**
// The HttpOnly flag keeps JavaScript from reading the session cookie, so an XSS
// bug cannot simply read document.cookie to steal the session ID
ini_set('session.cookie_httponly', 1);

// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws (this setting and session.hash_function were
// removed in PHP 7.1; on 7.1+ they are ignored and the ID comes from the CSPRNG)
ini_set('session.entropy_file', '/dev/urandom');

// Uses a strong hash (removed in PHP 7.1, see above)
ini_set('session.hash_function', 'whirlpool');

// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);

// server should keep session data for AT LEAST 1 hour
// (the garbage collector may delete it at any time after that)
ini_set('session.gc_maxlifetime', 3600);

// each client should remember their session id for EXACTLY 1 hour
// (counted from when the cookie was set, not from the last request)
session_set_cookie_params(3600);

// Secure flag: the browser only sends the session cookie over HTTPS
// (it does not fall back to plain HTTP; the site must actually be served over TLS)
ini_set('session.cookie_secure', 1);

session_start();
adams
  • Try changing `if(((time() - $_SESSION['timeout']) > $login_session_duration)){` to use the less-than operator. – Manish Jun 25 '16 at 10:43

4 Answers


You could also try changing the value at runtime using ini_set:

ini_set('session.gc_maxlifetime', '10800');

or

You can change this line in your php.ini file.

session.gc_maxlifetime = 1440

Update: it seems to be possible, so I stand corrected. In .htaccess:

php_value session.gc_maxlifetime 10800

I hope it will be helpful.

Dave

Have you checked the value of session.gc_maxlifetime in your php.ini file? I guess this is the one which causes the problem

Atif
  • I have posted my session-setup.php @Atif – adams Jun 25 '16 at 10:41
  • Can you check the values of session.gc_divisor and session.gc_probability? Take a look at http://stackoverflow.com/questions/3428153/php-ini-setsession-gc-maxlifetime-5-why-it-doesnt-end-the-session – Atif Jun 25 '16 at 10:48

The session's default timeout is 24 minutes (1440 seconds). Please check PHP sessions default timeout.

SandroMarques

First check the default session timeout setting on your server, then add the following line to your code. I hope it will work for you.

session_set_cookie_params(10800);
aniket ashtekar
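Putting the question and the answers together (session.gc_maxlifetime raised to match the application timeout, session_set_cookie_params, and the per-request refresh the asker wants), here is one added example of the three files reworked as a sliding 3-hour idle timeout. This is not the asker's code nor any answerer's. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), an HTTPS-only site, the asker's own /core/login.php and /core/logout.php paths, and a 12-hour absolute cap and 15-minute ID rotation interval that are my own policy choices.

```php
<?php
// Added example (not from the question or the answers): session-setup.php, login.php
// and login-check.php reworked so a user stays logged in for 3 hours of inactivity,
// with the idle deadline pushed forward on every authenticated request.
// Assumptions: PHP >= 7.3, HTTPS only, /core/login.php and /core/logout.php exist.

const IDLE_TIMEOUT    = 10800;      // 3 hours without a request ends the session
const ABSOLUTE_MAX    = 12 * 3600;  // hard cap regardless of activity (assumed policy)
const ID_ROTATE_EVERY = 900;        // rotate the session ID every 15 minutes (assumed)

function cookieFlags(): array
{
    return ['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax'];
}

// ---- session-setup.php ----------------------------------------------------
function sessionSetup(): void
{
    // Server-side data must outlive the application timeout; otherwise the garbage
    // collector can delete the session before isLoginSessionExpired() ever sees it.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
    ini_set('session.use_strict_mode', '1');    // reject unknown, client-chosen IDs
    ini_set('session.use_only_cookies', '1');   // no session IDs in URLs
    ini_set('session.cookie_httponly', '1');    // JavaScript cannot read the cookie
    ini_set('session.cookie_secure', '1');      // cookie is sent over HTTPS only
    ini_set('session.cookie_samesite', 'Lax');  // blocks most cross-site POSTs
    // session.entropy_file / session.hash_function were removed in PHP 7.1;
    // ID strength is now controlled by these two settings.
    ini_set('session.sid_length', '48');
    ini_set('session.sid_bits_per_character', '6');

    // The cookie's lifetime counts from the moment it is set, so this alone cannot
    // give a sliding window; touchSession() re-sends the cookie on every request.
    session_set_cookie_params(['lifetime' => IDLE_TIMEOUT] + cookieFlags());
    session_start();
}

// ---- login.php, after the credentials have been verified ------------------
function onSuccessfulLogin(): void
{
    session_regenerate_id(true);  // fresh ID after the privilege change (fixation defence)
    $now = time();
    $_SESSION['dgUserLoggedIn'] = true;
    $_SESSION['createdAt']      = $now;  // for the absolute cap
    $_SESSION['lastActivity']   = $now;  // for the idle timeout
    $_SESSION['rotatedAt']      = $now;
}

// ---- login-check.php, included at the top of every protected page ---------
function isLoginSessionExpired(int $now): bool
{
    if (empty($_SESSION['dgUserLoggedIn'])) {
        return true;
    }
    $idleFor = $now - (int) ($_SESSION['lastActivity'] ?? 0);
    $age     = $now - (int) ($_SESSION['createdAt'] ?? 0);
    return $idleFor > IDLE_TIMEOUT || $age > ABSOLUTE_MAX;
}

function touchSession(int $now): void
{
    $_SESSION['lastActivity'] = $now;  // sliding window: the deadline moves with each request
    if ($now - (int) ($_SESSION['rotatedAt'] ?? 0) > ID_ROTATE_EVERY) {
        session_regenerate_id(true);
        $_SESSION['rotatedAt'] = $now;
    }
    // Re-send the cookie so the browser-side expiry slides along with the server-side one.
    setcookie(session_name(), session_id(), ['expires' => $now + IDLE_TIMEOUT] + cookieFlags());
}

function requireLogin(): void
{
    $now = time();
    if (isLoginSessionExpired($now)) {
        // Drop server-side state before redirecting; a bare redirect leaves the
        // session data in place until the garbage collector happens to run.
        $_SESSION = [];
        session_destroy();
        header('Location: /core/logout.php');
        exit;  // never keep rendering the protected page after a redirect
    }
    touchSession($now);
}

sessionSetup();
requireLogin();
```

Two caveats worth checking on the target server. First, as Atif's comment hints, garbage collection only runs with probability session.gc_probability/session.gc_divisor; Debian and Ubuntu packages set gc_probability to 0 and instead clean the session directory from a cron job that reads gc_maxlifetime from php.ini, so an ini_set() at runtime does not extend the lifetime there and the value must go into php.ini (or the app must use its own session.save_path). Second, session_regenerate_id(true) deletes the old session immediately, so a burst of concurrent AJAX requests arriving around the rotation moment can lose the session; if that matters, rotate less often or mark the old session as expiring for a short grace period instead of deleting it outright.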