tags:

views:

240

answers:

3

Hey guys,

I wonder how I can remove all certain cookies after (e.g. 10 minutes of) inactivity.

I'm working on securing a PHP project and one of the steps is this:

I should remove administration cookies and sessions saved in MySQL after a certain amount of inactivity time in a PHP/MySQL project.

Is there any suggestion?!

A: 

Save a random string both in the cookie and in the DB; in the DB also save the expiry time. When a client performs a request, get the string from the cookie and check the corresponding expiry time in the DB... if the time has passed, destroy the cookie, otherwise not...

<?php

  // Retrieve the cookie if it exists and look up the hash stored in it;
  // if the cookie doesn't exist, create and save one.
  // (Connection details are placeholders; PDO prepared statements keep the
  // cookie value out of the SQL string instead of concatenating it.)
  $db = new PDO('mysql:host=localhost;dbname=app', 'user', 'password');
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

  if (!isset($_COOKIE['hash'])) {
     // create a random string in $rnd_string and the expire date in $data
     $rnd_string = bin2hex(random_bytes(16));
     $data = date('Y-m-d H:i:s', time() + 10 * 60);   // 10 minutes from now
     setcookie("hash", $rnd_string, ['httponly' => true, 'secure' => true]);
     // adding the row to the db..
     $stmt = $db->prepare("INSERT INTO `table` (expiredate, hash) VALUES (?, ?)");
     $stmt->execute([$data, $rnd_string]);
  }
  else {
   // here the code if the cookie exists
   $hash = $_COOKIE['hash'];
   // retrieving the row from the db
   $stmt = $db->prepare("SELECT expiredate FROM `table` WHERE hash = ?");
   $stmt->execute([$hash]);
   $result = $stmt->fetch(PDO::FETCH_ASSOC);
   // in $result['expiredate'] you'll have the expire date; check this against
   // server time and decide whether the session is valid or not...
   $valid = $result !== false && strtotime($result['expiredate']) > time();
  }
Marcx
Would you mind giving me the code example?!
Mac Taylor
Updated the answer with some simple, stupid code.. but it's an example and I hope it can be useful for you...
Marcx
+1  A: 

Well, you should never be storing anything important in cookies, so you should really only have a Session ID stored as a cookie.

Simply set that cookie to expire in 10 minutes. Store that same timestamp in your database.

After, say, 5 minutes, do what you need to do, then set the cookie to expire in another 10 minutes and update the session.

After, say, 11 more minutes, the cookie won't be provided, and you can forward the user to your "not authenticated page".

In a cron job or on every page load, delete any sessions that have an expiry time in the past.

Pickle
@Pickle: I was with you right up to the point where you suggested trying to manage the sessions using cron. While session data can persist beyond the time when it is deemed to have expired, the session handler should recognise this and deny access.
symcbean
Yes, certainly. I was only suggesting that to keep the size of the database down. There's no need to keep a session key around that expired a week ago, so you might as well delete it.
Pickle
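Putting Pickle's sliding window together with the token-in-cookie, expiry-in-DB idea from the first answer, as a runnable sketch. This is an added example, not code from either answer; the `sessions` table, its column names, the cookie name `sid` and the SQLite-in-memory database are assumptions, and the clock is simulated so it runs without waiting ten minutes.

```php
<?php
// Added example: sliding idle timeout for DB-backed sessions. The cookie holds a
// random token; the DB holds only its SHA-256 hash plus the expiry time, so a
// leaked table does not yield usable session IDs. SQLite in memory and the table
// name `sessions` are assumptions so the script runs stand-alone.
const IDLE_TTL = 10 * 60; // 10 minutes of inactivity ends the session

function open_db(): PDO {
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE sessions (token_hash TEXT PRIMARY KEY, expires_at INTEGER NOT NULL)');
    return $db;
}

// Creates a session and returns the raw token; only its hash is stored.
function create_session(PDO $db, int $now): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO sessions (token_hash, expires_at) VALUES (?, ?)')
       ->execute([hash('sha256', $token), $now + IDLE_TTL]);
    return $token;
}

// Validates the token from the cookie and, if still valid, pushes the expiry
// forward (sliding window). Returns false for unknown or expired tokens.
function touch_session(PDO $db, string $token, int $now): bool {
    $stmt = $db->prepare('UPDATE sessions SET expires_at = ? WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([$now + IDLE_TTL, hash('sha256', $token), $now]);
    return $stmt->rowCount() === 1;
}

// Housekeeping (cron or on page load): drop rows whose expiry is in the past.
function purge_expired(PDO $db, int $now): int {
    $stmt = $db->prepare('DELETE FROM sessions WHERE expires_at <= ?');
    $stmt->execute([$now]);
    return $stmt->rowCount();
}

// Constructed timeline with a simulated clock instead of real waiting.
$db = open_db();
$t0 = time();
$token = create_session($db, $t0);
// In a web request the cookie is set like this (must precede any output)
// and read back with $_COOKIE['sid'] ?? '' on the next request.
setcookie('sid', $token, ['expires' => $t0 + IDLE_TTL, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
var_dump(touch_session($db, $token, $t0 + 5 * 60));   // true: 5 min idle, expiry moves to t0+15min
var_dump(touch_session($db, $token, $t0 + 16 * 60));  // false: 11 min since last activity
var_dump(touch_session($db, 'forged-token', $t0));    // false: unknown token
var_dump(purge_expired($db, $t0 + 16 * 60));          // int(1): the expired row is removed
```

The UPDATE doubles as the validity check, so a request with an expired or unknown token never extends anything, and the purge only trims rows the handler would already have rejected.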
A: 

Couldn't you just set the cookies on every page to expire in 10 * 60?

Sam