login area: security vs usability - what do you do?


jamie

6:41 pm on Oct 11, 2010 (gmt 0)

hi,

we have a custom cms with password protected admin for editing pages, etc.

i use sessions for authorisation and have moved the default save_path to a separate directory and increased session time to a day (from php's default 15 minutes).

however, people still get logged out at the most inopportune times - sometimes losing a frustrating amount of editing. this situation is as follows: someone spends 30 minutes formatting a page, uploading photos, etc, presses save and is logged out, thereby losing all the posted data.

i wondered what other people use and whether you have any workarounds for this?

many thanks

rocknbil

3:45 pm on Oct 12, 2010 (gmt 0)

Sure there is, extend your session/cookie expiration with each hit of activity. Recently discussed here [webmasterworld.com] in the context of cookies, but keep in mind sessions are kept alive with the PHPSESSID cookie.
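Worked example of the sliding expiry rocknbil describes, added here as illustration and not code from the thread. It assumes PHP 7.3 or later (array form of session_set_cookie_params and setcookie), an admin area under /admin/, a private save_path directory as jamie already set up, and a hypothetical one-week absolute cap so that an always-active cookie cannot live forever:

```php
<?php
// Added example: sliding session expiry on every admin hit.
// Assumptions: PHP >= 7.3, admin URLs live under /admin/, $savePath is a
// directory readable only by the web server user.
declare(strict_types=1);

const SESSION_IDLE_LIFETIME     = 86400;       // one day idle, as in the thread
const SESSION_ABSOLUTE_LIFETIME = 7 * 86400;   // hard cap regardless of activity (assumption)

function startAdminSession(string $savePath): void
{
    // Keep session files out of the shared default directory; the garbage
    // collector must also keep them at least as long as the idle lifetime.
    ini_set('session.save_path', $savePath);
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIFETIME);
    ini_set('session.use_only_cookies', '1');   // never accept an id from the URL
    ini_set('session.use_strict_mode', '1');    // reject ids the server did not issue

    session_set_cookie_params([
        'lifetime' => SESSION_IDLE_LIFETIME,
        'path'     => '/admin/',
        'secure'   => true,     // cookie only travels over HTTPS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();
    $_SESSION['created_at'] = $_SESSION['created_at'] ?? $now;
    $lastSeen = $_SESSION['last_seen'] ?? $now;

    $idleExpired = ($now - $lastSeen) > SESSION_IDLE_LIFETIME;
    $absExpired  = ($now - $_SESSION['created_at']) > SESSION_ABSOLUTE_LIFETIME;
    if ($idleExpired || $absExpired) {
        // Drop everything and start a fresh anonymous session with a new id.
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION['created_at'] = $now;
    }

    // The sliding part: each hit pushes the cookie's expiry forward so the
    // browser keeps sending PHPSESSID for as long as the editor is active.
    $_SESSION['last_seen'] = $now;
    setcookie(session_name(), session_id(), [
        'expires'  => $now + SESSION_IDLE_LIFETIME,
        'path'     => '/admin/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Usage: call this at the top of every admin page before any output.
// startAdminSession('/var/lib/cms/sessions');
```

Two things worth knowing about why the cookie needs re-sending: PHP's server-side expiry (gc_maxlifetime) is measured from the session file's last modification, so it already slides with each write, but the cookie's expiry is fixed when it is issued (default session.cookie_lifetime is 0, i.e. until the browser closes), which is why an otherwise valid session can vanish mid-edit. The absolute cap is an addition beyond what the thread asks for: it bounds how long a stolen or forgotten cookie stays usable on an editor's machine.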

jamie

9:03 pm on Oct 12, 2010 (gmt 0)

i like that idea. tks for pointing in the right direction.

enigma1

9:42 am on Oct 13, 2010 (gmt 0)

PHP default lifetime for sessions is 24 minutes. If you are using the PHP sessions you either need to change the default timing
ini_set('session.gc_maxlifetime', '86400');
or customize the session handlers and handle the garbage collector callback differently, or write your own method to handle a cookie and emulate sessions.

jamie

12:14 pm on Oct 13, 2010 (gmt 0)

enigma1,

i have set 86,400 seconds, but people forget to login and out at the end/beginning of each day (i know, i know ;) and afaik, 86,400 is still only a guideline and random logouts still occur.

cheers

enigma1

12:48 pm on Oct 13, 2010 (gmt 0)

Then it's not really the sessions but what the form is doing when it's submitted. When the form is submitted, accept input first to a temp storage (validate it and store it excluding customer info but including the new session id your site generates at that moment), then redirect them to login. If they don't login when the new session expires it erases the temp storage too. And you can leave the session default lifetime. The temp storage can even be part of the session.
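Worked example of the stash-then-login flow enigma1 outlines, added here as illustration and not code from the thread. It parks a submission that arrives without a valid login in a file named by a fresh random token, ties that token to the new anonymous session, and hands the data back once login succeeds; unclaimed files are swept after a one-hour window. The field names, the stash directory and the $_SESSION['admin_user'] login marker are hypothetical:

```php
<?php
// Added example: park a form submission that arrives logged-out, redirect to
// login, and restore the submission after a successful login.
// Assumptions: $stashDir is writable only by the web server user; the login
// handler sets $_SESSION['admin_user']; field names are made up for the demo.
declare(strict_types=1);

const STASH_TTL = 3600;   // seconds a parked submission survives (assumption)

function isLoggedIn(): bool
{
    return !empty($_SESSION['admin_user']);
}

// Called by the page-save handler before anything else. Returns the stash
// token when the data was parked, null when normal processing should continue.
function stashIfLoggedOut(array $post, string $stashDir): ?string
{
    if (isLoggedIn()) {
        return null;
    }
    // Validate before storing: only whitelisted fields, nothing identifying the
    // (now unknown) user, no credentials. Keys are hypothetical.
    $allowed = ['page_id', 'title', 'body'];
    $clean = array_intersect_key($post, array_flip($allowed));
    if (!isset($clean['page_id']) || !ctype_digit((string) $clean['page_id'])) {
        return null;   // nothing worth keeping
    }

    // A fresh token, unrelated to the expired session id, names the file and is
    // remembered only in the new anonymous session this request created.
    $token = bin2hex(random_bytes(16));
    $_SESSION['stash_token'] = $token;
    $file = $stashDir . '/' . $token . '.json';
    file_put_contents($file, json_encode(['saved_at' => time(), 'data' => $clean]), LOCK_EX);
    chmod($file, 0600);
    return $token;
}

// Called right after credentials are verified; returns the parked data or null.
function restoreStash(string $stashDir): ?array
{
    $token = $_SESSION['stash_token'] ?? null;
    unset($_SESSION['stash_token']);
    if ($token === null || !preg_match('/^[0-9a-f]{32}$/', $token)) {
        return null;   // also rejects anything that could escape $stashDir
    }
    $file = $stashDir . '/' . $token . '.json';
    if (!is_file($file)) {
        return null;
    }
    $payload = json_decode((string) file_get_contents($file), true);
    unlink($file);   // single use
    if (!is_array($payload) || (time() - ($payload['saved_at'] ?? 0)) > STASH_TTL) {
        return null;   // expired together with the login window
    }
    return $payload['data'];
}

// Periodic cleanup (cron or a cheap probabilistic call), mirroring the thread's
// point that an unclaimed stash dies with the session that owns it.
function sweepStash(string $stashDir): int
{
    $removed = 0;
    foreach (glob($stashDir . '/*.json') ?: [] as $file) {
        if (time() - filemtime($file) > STASH_TTL && unlink($file)) {
            $removed++;
        }
    }
    return $removed;
}

// Usage sketch for the save handler:
// session_start();
// if (stashIfLoggedOut($_POST, '/var/lib/cms/stash') !== null) {
//     header('Location: /admin/login.php'); exit;
// }
// ...and in login.php after verifying credentials:
// session_regenerate_id(true); $_SESSION['admin_user'] = $user;
// $draft = restoreStash('/var/lib/cms/stash');   // repopulate the editor from $draft
```

The token lives in the anonymous session cookie rather than in the URL or a hidden field, so only the browser that submitted the form can claim the stash, and session_regenerate_id(true) at login carries $_SESSION across, so the token survives the id change. Storing outside $_SESSION keeps a large body from being serialised on every request; enigma1's variant of keeping it inside the session works the same way with a smaller payload.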

jamie

3:10 pm on Oct 13, 2010 (gmt 0)

that's exactly what i've done pro tem. although i actually save the posted data to the db before logging out, but i like the idea of saving to session and then saving on login success.

cheers