Hello, in the old forum someone asked about a timer to end a session. Here is what I use. Note it will also affect the main login page and the user will have to refresh/reload the page. I have reasons for this and it works fine.
What I do is add two files in the root folder of the application (the code you put into these files is at the end of this post)
sessionend.php
sessiontrack.php
I did find this code online rather than writing my own but changed it to work nicely with appgini - for me it works great.
These files are loaded using an include in the header file.
In this code is a timer you can set for how long it stays alive. Then, after the timer expires, it clears all variables. One very very important fact. Do not set the timer too short. If a user is just filling in values in a form and the time expires then they have to log in again. This code is an idle timer. It only resets to zero when you actually submit something, go to another form/page etc. In other words you have to do something which makes a call to your database to get more data etc.
What I did is place the following code (in red) in the header.php file: It goes right below the first line in the header.php file. Make sure your changes look like what is below.
<?php $htmlUserBar=htmlUserBar();
include("$currDir/sessiontrack.php");
include("$currDir/sessionend.php");
?>
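Here is the code to put into the sessionend.php file you create:
<?php
// Show a one-time notice when the previous session was ended by the idle timer.
if (!empty($_SESSION["expired"])) {
    print "Your session has expired. Please refresh the page and log in again"; //put whatever message you want here
    unset($_SESSION["expired"]); // clear the flag so the message is shown only once
}
?>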
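Here is the code to put into the sessiontrack.php file:
<?php
// Idle timer: ends the session after $session_timeout seconds without a request.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start(); // start a session only if one is not already active
}
if (empty($_SESSION['session_count'])) {
    // first request in this session: start the counter and the idle clock
    $_SESSION['session_count'] = 1;
    $_SESSION['session_start_time'] = time();
} else {
    $_SESSION['session_count'] = $_SESSION['session_count'] + 1;
}
$session_timeout = 1800; // enter number of seconds here for session to live (in sec) - 60 = 1 minute - 1800/60 = 30 min
$session_duration = time() - $_SESSION['session_start_time'];
if ($session_duration > $session_timeout) {
    // idle for too long: wipe the session and start a fresh one that only carries the "expired" flag
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true);
    $_SESSION["expired"] = "yes";
    header("Location: http://yourwebpage/index.php"); // Redirect to Login Page - index.php - or whatever you wish
    exit; // stop here so the rest of the page is not run for the expired session
} else {
    $_SESSION['session_start_time'] = time(); // activity seen: reset the idle clock
}
?>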
I have been using this now for approx 2 months now and in that time not one error has occurred other than users complaining they have to log in again.
It has not yet been tested with version 5. When that is done I will advise or change as needed.
Remember this works for me in my instance. Depending upon the changes you have made to the base code of appgini it may not work for you. However, since this is in the header file it loads nicely and should not give issues.
Enjoy
Alan Sopczak
Put a timer on the session
Calgary, Alberta, Canada - Using Appgini 5.50 -
Re: Put a timer on the session
Forgot to mention it does not work as a hook or in the hook file. I have tested it both ways. When placed in the _global.php hook file under the login ok function it does not work properly even though I am using session variables. There may be a way to get it to work but since I needed a working solution quickly this method works well and consistently.
It most likely will not work in the function due to being an internal part of the function and only persisting while the function is active/called.
I am currently testing using require_once and when testing is complete will upload/change tip if needed. If I can get it to work inside a function properly (read without a lot of effort) I will advise this forum to save having to change the header file each time the app is regenerated.
The next change I am working on for this is to allow each individual to set their own timer duration in their prefs. This is more work but would fit in with one usage I am making of the appgini generated code. Some individuals need to be on for a long time others for only a few min. This would allow me to set a short time frame as the default and then each user can customize it to the length they need.
Alan
Re: Put a timer on the session - update
After much testing I have found the following, placed in the incCommon.php file works much better to set a session timer.
I place it after the following code found in incCommon.php. Look around line 54 approx.
if(session_id()){ session_write_close(); }
@ini_set('session.save_handler', 'files');
@ini_set('session.serialize_handler', 'php');
@ini_set('session.use_cookies', '1');
@ini_set('session.use_only_cookies', '1');
@ini_set('session.cache_limiter', 'nocache');
@session_name('your_session_name');
session_start();
Insert the following:
//added by alan for session control time limit
if (empty($_SESSION['session_count'])) {
    // first request in this session: start the counter and the idle clock
    $_SESSION['session_count'] = 1;
    $_SESSION['session_start_time'] = time();
} else {
    $_SESSION['session_count'] = $_SESSION['session_count'] + 1;
}
$session_timeout = 1800; // enter number of seconds here for session to live (in sec) - 60 = 1 minute
$session_duration = time() - $_SESSION['session_start_time'];
if ($session_duration > $session_timeout) {
    // idle for too long: wipe the session and start a fresh one that only carries the "expired" flag
    session_unset();
    session_destroy();
    session_start();
    session_regenerate_id(true);
    $_SESSION["expired"] = "yes";
    header("Location: http://your_url_goes_here/index.php?signIn=1"); // Redirect to Login Page - index.php
    exit; // stop here so the rest of the page is not run for the expired session
} else {
    $_SESSION['session_start_time'] = time(); // activity seen: reset the idle clock
}
//end of add in section for session control
I found this worked much smoother and was actually faster in code execution overall based upon server stats and other testing. While it does mean modifying an existing file it does work better.
Alan
Re: Put a timer on the session
Thank you for this nice tip.
Ahmed
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper
Re: Put a timer on the session
Very helpful ... feature would be a very nice addition to the core AppGini distribution.
This capability is required for most data-sensitive applications that might be run on a public computer or device.
Re: Put a timer on the session
Hi shasta59,
thanks for sharing.
I wonder if this is built into AG in version 5.76 or if we still need to add this. Does anyone know?
Btw. I placed your code into a new php file in the hooks folder. I include this new php file into hooks/__global.php, so the file is available but I did not change any generated files.
Olaf
Some postings I was involved, you might find useful:
SingleEdit - Prevent concurrent edits on records; Field Permissions; Column-Value-Based-Permissions; Custom (error) message; Audit Log; Backup your database; Two Factor Authentication; Block brute force (failed) logins; Add 2nd SAVE CHANGES button; Place a search on details view
Re: Put a timer on the session
Hi,
just noticed that
"Btw. I placed your code into a new php file in the hooks folder. I include this new php file into hooks/__global.php, so the file is available but I did not change any generated files."
is a stupid idea, as this file is used only on the login page. Sorry.
The include will have to go into another file, probably the one shasta59 suggested.
Olaf
Re: Put a timer on the session
Hi,
ok, I think I found my solution for a nice place where to include the script. I put it in the hooks/footer.extras.php
Code: Select all
//automatic logout when session expired
include("$currDir/hooks/sessiontimer.php");
Olaf
Re: Put a timer on the session
Hello
Please, does this work for AppGini 5.81?
Thank you
Re: Put a timer on the session
Hi,
I upgraded to 5.81 and have no problems.
Olaf
Re: Put a timer on the session
Thank you Olaf
Re: Put a timer on the session
not working in 22.11
Re: Put a timer on the session
I am currently using the following session control in V22.11 and it appears to be working correctly/well. I'm open to any corrections if required.
The following not only adds a session timer but also kills your original session issued at the login page and issues you a new session cookie AFTER you have successfully logged in. This helps prevent the possibility of session hijacking: https://owasp.org/www-community/attacks ... ing_attack
This is a hooks only solution - add this to your login_ok function in hooks/__global.php
Code: Select all
function login_ok($memberInfo, &$args) {
    //Set new Cookie after successful login
    session_regenerate_id(true);
    // Session control time limit
    if (empty($_SESSION['session_count'])) {
        // first pass in this session: start the counter and the idle clock
        $_SESSION['session_count'] = 1;
        $_SESSION['session_start_time'] = time();
    } else {
        $_SESSION['session_count'] = $_SESSION['session_count'] + 1;
    }
    $session_timeout = 1800; // number of seconds here for session to live (in sec) - 60 = 1 minute
    $session_duration = time() - $_SESSION['session_start_time'];
    if ($session_duration > $session_timeout) {
        // idle for too long: wipe the session and start a fresh one that only carries the "expired" flag
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
        $_SESSION["expired"] = "yes";
        header("Location: https://YOURDOMAINHERE.com/index.php?signIn=1"); // Redirect to Login Page - index.php
        exit; // stop here so nothing else runs for the expired session
    } else {
        $_SESSION['session_start_time'] = time(); // activity seen: reset the idle clock
    }
} //end of session control
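An added example, not part of any post in this thread and not AppGini's own code: the idle-timer logic used throughout the thread, split into a decision step that takes the clock as a parameter and a per-request enforcement step. The names session_timer_check and enforce_session_timer, the last_seen key and the relative login URL are assumptions, and it presumes the file is included on every request after the application has started its session.

```php
<?php
// Added example, not code from the thread or from AppGini. Function names,
// the 'last_seen' key and the relative login URL are assumptions.
const IDLE_TIMEOUT = 1800; // seconds of inactivity allowed, as in the posts above

// Pure decision step: takes the session array and the current time, so it can
// be exercised without a web server. Returns 'new', 'active' or 'expired'.
function session_timer_check(array &$session, int $now, int $timeout = IDLE_TIMEOUT): string
{
    if (!isset($session['last_seen'])) {
        $session['last_seen'] = $now;      // first request: start the idle clock
        return 'new';
    }
    if ($now - (int) $session['last_seen'] > $timeout) {
        return 'expired';                  // the clock is not refreshed
    }
    $session['last_seen'] = $now;          // activity: reset the idle clock
    return 'active';
}

// Per-request enforcement; call it once the application has started the session.
function enforce_session_timer(string $loginUrl = 'index.php?signIn=1'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (session_timer_check($_SESSION, time()) !== 'expired') {
        return;
    }
    session_unset();                       // drop all data of the idle session
    session_destroy();
    session_start();                       // fresh session that carries only the flag
    session_regenerate_id(true);           // the old session id is not reused
    $_SESSION['expired'] = 'yes';
    header('Location: ' . $loginUrl);
    exit;                                  // nothing else is rendered for this request
}

// Constructed walk-through of the decision step (CLI only, fixed timestamps).
if (PHP_SAPI === 'cli') {
    $s  = [];
    $t0 = 1700000000;
    foreach ([0, 600, 2399, 4200] as $offset) {
        printf("t+%-4d %s\n", $offset, session_timer_check($s, $t0 + $offset));
    }
}
```

Call enforce_session_timer() before any output is sent, since header() cannot redirect once output has started.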
Re: Put a timer on the session
Thanks, it's working