I base all the users' logins on the PHP session...
My main problem:
After about 1 hour of inactivity, the session expires and the logged-in player is disconnected. I would like to raise the time-out to, let's say, 3 hours...
Is it possible? How?
-------------------------------
a) Many people create their own sessions. Why? Are PHP sessions "insecure"?
b) Is it possible to "change" the value of a session variable... I mean, can a hacker change, let's say:
$_SESSION["user"] = "wrong user";
to
$_SESSION["user"] = "good user";
(that could be $_SESSION["accesslevel"] or anything else...)
Because the way my login works is a little bit like this:
- User enters login info;
- Login info is checked against the DB;
- If user/pass match, then:
$_SESSION["user"] = $_POST["user"];
else
$_SESSION["user"] = "";
On the secured pages, I do this kind of check:
if (!isset($_SESSION["user"]) || (isset($_SESSION["user"]) && $_SESSION["user"] == "")) {
die("<script>location='login.php';</script>");
}
Is this way secure?
If no, how can I secure it?
And for the security stuff... a good start is the PHP manual pages on Session Handling [php.net] and Security [php.net].
Yes, you should have control over your sessions. Read the first linked thread again. The link provided states that you can override every session configuration directive except one, and you don't have to do it in the php.ini file.
I've tried to put this:
(this is in my header.php file, included at the top of every page of the site, whether the user is logged in or not.)
<?php
include "_colors.inc.php";
@ini_set("session.gc_maxlifetime","3600");
session_start(); // Start the session cookie.
?>
_colors.inc.php only sets variables...
Seems ok?
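Added example, not code from any poster in this thread: a header.php that raises the idle timeout to the 3 hours asked for at the top of the thread and does the login check from the first post without trusting the raw POST value. Session variables live on the server and only the session ID reaches the browser, so the thing to protect is the ID; the `SESSION_TTL` constant, the `sessions` directory and the `login_user()` / `require_login()` helpers are assumptions made for this example.

```php
<?php
// Added example (not the poster's code): header.php included before any output.
// Assumptions: SESSION_TTL, a private ../sessions directory, and the two helpers below.
const SESSION_TTL = 3 * 3600; // 3 hours, in seconds

// Both directives must be raised: gc_maxlifetime governs server-side garbage
// collection, cookie_lifetime governs how long the browser keeps the cookie.
// They must be set before session_start(). A private save_path matters because
// other scripts sharing the default path may run GC with a shorter lifetime.
ini_set('session.gc_maxlifetime', (string) SESSION_TTL);
ini_set('session.cookie_lifetime', (string) SESSION_TTL);
ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie away from JavaScript
ini_set('session.save_path', __DIR__ . '/../sessions'); // assumption: outside the web root
session_start();

// Own idle timer, so expiry does not depend on when the GC happens to run.
if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > SESSION_TTL) {
    session_unset();
    session_destroy();
    session_start();
}
$_SESSION['last_seen'] = time();

/** Hypothetical helper: call only after the DB check succeeded. */
function login_user(int $userId, string $username): void
{
    session_regenerate_id(true);        // fresh ID so a pre-login ID cannot be reused
    $_SESSION['user_id'] = $userId;     // values come from the DB row, not from $_POST
    $_SESSION['user']    = $username;
}

/** Hypothetical helper for protected pages: redirect server-side, not via <script>. */
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: login.php', true, 302);
        exit;
    }
}
```

A server-side `Location` header plus `exit` is what makes the check enforceable; a `<script>` redirect still serves the protected page to any client that ignores JavaScript.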