Timing Out User Session

My website uses sessions to manage a user being logged in and having access to most functionality on the website.

How can I make it so a user is logged out after a period of time for security reasons?

This website just uses HTML and PHP.

You can use cookies for this, I think.

Most servers are set up with a 2 hour default for that.

The smaller of the session.gc_maxlifetime parameter and session.cookie_lifetime parameter values determines this.

Should I be asking for help in the server forum?

Is that something to do with the server, or is that PHP?

One thing that would help is if someone could help me understand if this is an issue I need to resolve on the webserver or in my application code whether it be in my PHP or HTML.

Look in your php.ini file
Else try using ini_set()

A good idea to see what they are now to be sure that’s the problem

What is a good general strategy for managing sessions?

Do I want to time things out or not?

If I changed the settings that I think Felgall and Mittineague are referring to in the php.ini file, would that boot active users offline as well?

I think I am most concerned about someone who logs in and leaves their computer. If a user is logged in and surfing my website for hours - which is everyone’s goal - then I don’t think they should be kicked off and forced to log back in. But I am no expert on security.

Advice?

As long as they are actively viewing the site the SESSION shouldn’t expire.
Only if they forget to log off when they leave
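An application-side idle timeout in PHP, added here as an example and not code posted by anyone in this thread. It assumes a 15-minute idle limit, an 8-hour absolute limit, a `login.php` redirect target and the helper names shown; everything else is PHP's standard session extension.

```php
<?php
// Added example: enforce an inactivity timeout in application code.
// Assumed values: 15 minutes idle, 8 hours absolute per login.
const IDLE_LIMIT_SECONDS     = 15 * 60;
const ABSOLUTE_LIMIT_SECONDS = 8 * 3600;

// gc_maxlifetime only says when garbage collection *may* delete the
// session data (it runs probabilistically), so it is not a reliable
// idle timeout on its own; the timestamp check below is what enforces it.
ini_set('session.gc_maxlifetime', (string) ABSOLUTE_LIMIT_SECONDS);
ini_set('session.cookie_lifetime', '0');   // cookie dies with the browser
ini_set('session.cookie_httponly', '1');   // keep the id away from JS
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_start();

// Pure check so it can be reasoned about separately from $_SESSION/time().
function sessionExpired(array $session, int $now): bool
{
    if (!isset($session['last_activity'], $session['login_time'])) {
        return false; // not logged in yet, nothing to expire
    }
    return ($now - $session['last_activity']) > IDLE_LIMIT_SECONDS
        || ($now - $session['login_time'])    > ABSOLUTE_LIMIT_SECONDS;
}

// Clear server-side data and the client cookie, not just one of them.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

$now = time();
if (sessionExpired($_SESSION, $now)) {
    endSession();
    header('Location: /login.php?reason=timeout'); // assumed login page
    exit;
}

// On a successful login elsewhere: session_regenerate_id(true) and set
// $_SESSION['user_id'] and $_SESSION['login_time'] = time().
// Every request by a logged-in user slides the idle window forward.
if (isset($_SESSION['user_id'])) {
    $_SESSION['last_activity'] = $now;
    $_SESSION['login_time'] ??= $now;
}
```

Include this file at the top of every page that requires a login so the check runs before any protected content is produced.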

So what is a reasonable time period where I kill a session to keep my users safe?

10 minutes? 20 minutes? 30 minutes? 1 hour?

It depends.

If you have pages with a lot of content that might take a while to read or watch a video then you should allow for that and the time should be longer.

If you have short pages then you could get away with a shorter time.

But I think if the usual default is 2 hours then that’s probably a safe bet.

(Incidentally, when did 2 hours become the default? I have strong recollection of the default timeout of a session to be 15 minutes of inactivity)

Good question. I was going by what @felgall posted.

But going by the PHP docs

It’s 24 minutes and until closed

I assumed that was the case since that was the setting on a couple of different hosting providers I have used where I hadn’t changed the setting. Presumably different hosts have different defaults and I just happened to have two that both set the default to 2 hours.

@felgall
What do you think is a reasonable and secure timeout period for sessions?

I am leaning towards 15 minutes.
