We have an internal control panel that all employees in the office are logged into all day, including customer service. I'd like for it to be set up so that it keeps you logged in for 1 hour before your session expires. How can I change this in the php.ini? I made a change before that I understood would keep the session open until the browser window was closed, but it didn't stick.

A: 

I don't think this can be done from the php.ini file. I think you either want to store the login time on the server and compare that with the current time and delete if 60 minutes have passed, or alternatively, use cookies -- these can have an explicit lifespan. See this for more information on cookies.

Andy
+1  A: 

The most secure place to implement this would be in your application. You can store the session update time in $_SESSION on each page load. Before you update it, you check if it has exceeded the 60 minute limit, in which case you can use session_destroy() to terminate the session, followed by a redirect to the login page (or similar).

igorw
+8  A: 

There are two different values you can set:

session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.

and session.cookie_lifetime which is how long the cookie will last.

http://www.php.net/manual/en/session.configuration.php

Both values can be set in the php.ini file, but might get overridden in .htaccess files or in your scripts using ini_set.

Bastian
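
An added example, not code from any of the answers: the application-level idle check igorw describes, combined with the two settings Bastian names. It assumes PHP 7.3 or later; IDLE_LIMIT, the 'last_activity' key and /login.php are made-up names.

```php
<?php
// Added example, not from the thread. IDLE_LIMIT, 'last_activity' and
// /login.php are assumed names; requires PHP 7.3+ for the option arrays.
const IDLE_LIMIT = 3600; // 1 hour, in seconds

// Pure decision function so the rule can be checked without a live session.
function session_is_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    // A session with no timestamp yet is treated as new, not expired.
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

function enforce_idle_timeout(): void
{
    // Keep server-side data at least as long as the limit, otherwise garbage
    // collection may discard it early. Must be set before session_start().
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    // lifetime 0 = cookie lasts until the browser closes; the server decides
    // expiry. Add 'secure' => true when the panel is served over HTTPS.
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();

    if (session_is_expired($_SESSION['last_activity'] ?? null, time())) {
        $_SESSION = [];
        // Expire the session cookie in the browser as well.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'],
        ]);
        session_destroy();
        header('Location: /login.php');
        exit;
    }
    // Still within the limit: record this request as the latest activity.
    $_SESSION['last_activity'] = time();
}

// Call at the top of every protected page, before any output is sent.
enforce_idle_timeout();
```

Because the timestamp lives in $_SESSION on the server, a client that edits or replays its cookie cannot extend the session past the limit.
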
A: 

You could try to force a new value into the maxlifetime of your session:

ini_set('session.gc_maxlifetime', 3600);

Or you could make your own custom session handler; there are a bunch of examples at this link: http://www.php.net/manual/en/function.session-set-save-handler.php

Prix
+3  A: 

You can also do this client-side using JavaScript. Use an AJAX call to periodically 'check-in' with the server, keeping the PHP session alive. You can also monitor if the user is doing anything on the current page, show them a '2 minute warning' message, or even redirect them to a 'session terminated' page when the 1 hour inactivity period is reached. You could even use this to 'force' a user to be signed out.

This isn't as secure as doing it purely in PHP, but does give you more flexibility to build cool features.

Colin O'Dell