0
votes

In my project I need two separate ways to set the session lifetime: 1) if the user sets 'remember me' -> information is written into a cookie -> if the cookie variables are available, the session lifetime is not set (as long as possible). When the user reloads the page, the information from the cookie is written into session variables. If the user closes the browser, then opens the browser again and loads the site -> the information from the cookie restarts the session (if the cookie information is available). 2) if the user does not set 'remember me', the session must expire after 24 hours (1 day).

```php
session_set_cookie_params(3600); // session cookie lifetime: 1 hour
session_start();
include ("blocks/bd.php"); // opens the $db connection

if (isset($_COOKIE['passwordCode'])) {
    // escape the cookie values before they go into the query
    $passwordCode = mysql_real_escape_string($_COOKIE['passwordCode'], $db);
    $login = mysql_real_escape_string($_COOKIE['login'], $db);
    $personalInfo = mysql_query("SELECT * FROM users WHERE password='$passwordCode' AND login='$login'", $db);
    $personalInfoData = mysql_fetch_array($personalInfo);

    // copy the user record from the cookie lookup into the session
    $_SESSION['password'] = $personalInfoData['password'];
    $_SESSION['login'] = $personalInfoData['login'];
    $_SESSION['userName'] = $personalInfoData['userName'];
    $_SESSION['phone'] = $personalInfoData['phone'];
    $_SESSION['email'] = $personalInfoData['email'];
    $_SESSION['id'] = $personalInfoData['id'];
    $_SESSION['role'] = $personalInfoData['role'];
    $_SESSION['companyRelation'] = $personalInfoData['companyRelation'];
}
if (isset($_SESSION['login']) && isset($_SESSION['password'])) {
    // re-query the user record on every page load from the session values
    $login = mysql_real_escape_string($_SESSION['login'], $db);
    $password = mysql_real_escape_string($_SESSION['password'], $db);
    $personalInfo = mysql_query("SELECT * FROM users WHERE password='$password' AND login='$login'", $db);
    $personalInfoData = mysql_fetch_array($personalInfo);
}
```

With this code the session lifetime is not working correctly.

2
Your code does nothing at all to handle the case where your DB login query does not return a result. Also, if you have already logged the user in, why re-query the database on each page load to get user information? You should be able to just store that in the session. Besides that, I am not really sure what you are asking here. - Mike Brant

2 Answers

0
votes

I'm not completely sure what you meant with the first option (1), but for a 'remember me' session that expires after 24 hours:

You can set the session you want (let's say $_SESSION['username']) and in addition to that set a session specifying the time that it was created. Let me demonstrate:

```php
// clear any previous expiry marker, then record the login time
if (isset($_SESSION['expire'])) {
  unset($_SESSION['expire']);
}
$_SESSION['username'] = $username;
$_SESSION['expire'] = time();
```

And when you'd like to verify whether the session is valid, you can use this:

```php
// 86400 seconds = 24 hours since the session was created
if ($_SESSION['expire'] + 86400 < time()) {
  unset($_SESSION['username']);
  unset($_SESSION['expire']);
}
```
0
votes

First of all:

Never store the password in a session or in a cookie! This is very very very bad practice and makes your script very vulnerable.

Second of all:

Never store the password in plain text anywhere. Salt it, hash it and then store it.

Each user's password is valuable; treat it as such. It represents not only access to your script, but potentially access to their email and other sites. I know I use the same password in many places and I know many other people do too.

You can read more about this on various places on the net, such as http://phpsec.org/projects/guide/1.html

Now, on to the actual answer...

Capture the last time of action

You didn't specify if the session should last from the time the user logs in or from the time the users last made an action, but I will assume the latter.

When the user logs in, save the user's timeout preference in a cookie. Then, on each page, save the current timestamp into a cookie. We can use this cookie to check how much time has passed since the last page reload.

Next, we check the user timeout setting. If it is "remember me", we just let the session live on. If it is "do not remember me", we check when the user last made an action. Compare this to the current time to see if 24 hours have passed. If they have, kill the session.
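The two lifetimes described above (an idle timeout of 24 hours for an ordinary login, and a long-lived 'remember me' cookie that survives closing the browser), as an added example that is not code from the question or from either answer. It differs from the answer in one respect: the last-activity timestamp is kept in the server-side session rather than in a cookie, because a cookie value can be edited by the client. It assumes PHP 7.3 or later, a PDO connection `$pdo`, and a table `remember_tokens(selector, validator_hash, user_id, expires)`; the `REMEMBER_LIFETIME` value and all function names are assumptions.

```php
<?php
// Added example; assumes a PDO connection $pdo and an assumed table remember_tokens(selector, validator_hash, user_id, expires).
const IDLE_TIMEOUT = 86400;           // plain session ends after 24 h without activity
const REMEMBER_LIFETIME = 30 * 86400; // remember-me cookie validity (assumed value)
// Start the session and enforce the idle timeout server-side: a timestamp kept in
// a cookie could be rewritten by the client, so the session itself holds it.
function startSession(): void {
    session_set_cookie_params(['lifetime' => 0, 'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
    if (isset($_SESSION['user_id'], $_SESSION['last_activity']) && empty($_SESSION['remember'])
        && time() - $_SESSION['last_activity'] > IDLE_TIMEOUT) {
        session_unset();
        session_destroy();
        session_start();
    }
    $_SESSION['last_activity'] = time();
}
// Call after the password has been verified (password_verify()); the session holds
// only the user id, and the cookie carries a random token, never the password.
function loginUser(PDO $pdo, int $userId, bool $remember): void {
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['remember'] = $remember;
    if ($remember) {
        $selector  = bin2hex(random_bytes(8));   // looked up in the table
        $validator = bin2hex(random_bytes(32));  // only its hash is stored
        $stmt = $pdo->prepare('INSERT INTO remember_tokens (selector, validator_hash, user_id, expires) VALUES (?, ?, ?, ?)');
        $stmt->execute([$selector, hash('sha256', $validator), $userId, time() + REMEMBER_LIFETIME]);
        setcookie('remember', "$selector:$validator", ['expires' => time() + REMEMBER_LIFETIME,
            'httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    }
}
// On a fresh browser session, rebuild the login from a valid remember-me cookie.
function restoreFromCookie(PDO $pdo): bool {
    if (isset($_SESSION['user_id']) || empty($_COOKIE['remember'])) {
        return isset($_SESSION['user_id']);
    }
    [$selector, $validator] = array_pad(explode(':', $_COOKIE['remember'], 2), 2, '');
    $stmt = $pdo->prepare('SELECT user_id, validator_hash FROM remember_tokens WHERE selector = ? AND expires > ?');
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return false; // hash_equals() is constant-time, so a wrong validator leaks no timing
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['user_id'];
    $_SESSION['remember'] = true;
    return true;
}
```

Call `startSession()` then `restoreFromCookie($pdo)` at the top of every page; on logout, delete the token row and the cookie so the long-lived login cannot be replayed.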