Put a timer on the session

shasta59
AppGini Super Hero
Posts: 231
Joined: 2013-01-08 19:40
Location: Calgary, Alberta, Canada

Put a timer on the session

Post by shasta59 » 2013-01-13 19:42

Hello, in the old forum someone asked about a timer to end a session. Here is what I use. Note it will also affect the main login page and the user will have to refresh/reload the page. I have reasons for this and it works fine.

What I do is add two files in the root folder of the application (the code you put into these files is at the end of this post)
sessionend.php
sessiontrack.php

I did find this code online rather than writing my own but changed it to work nicely with appgini - for me it works great.

These files are loaded using an include in the header file.

In this code is a timer you can set for how long it stays alive. Then, after the timer expires, it clears all variables. One very very important fact. Do not set the timer too short. If a user is just filling in values in a form and the time expires then they have to log in again. This code is an idle timer. It only resets to zero when you actually submit something, go to another form/page etc. In other words you have to do something which makes a call to your database to get more data etc.

What I did is place the following code (in red) in the header.php file: It goes right below the first line in the header.php file. Make sure your changes look like what is below.

<?php $htmlUserBar=htmlUserBar();
include("$currDir/sessiontrack.php");
include("$currDir/sessionend.php");

?>

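Here is the code to put into the sessionend.php file you create:

<?php
// Show the notice once, only when the tracker flagged the previous session as expired
if (!empty($_SESSION["expired"])) {
	print "Your session has expired. Please refresh the page and log in again"; //put whatever message you want here
	unset($_SESSION["expired"]); // remove the flag so the message is not printed on every later page
}
?>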


Here is the code to put into the sessiontrack.php file

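<?php
// Start a session only if AppGini has not already started one
if (session_status() === PHP_SESSION_NONE) {
	session_start();
}
// First request in this session: initialise the counter and the timer
if (empty($_SESSION['session_count'])) {
	$_SESSION['session_count'] = 1;
	$_SESSION['session_start_time']=time();
} else {
	$_SESSION['session_count'] = $_SESSION['session_count'] + 1;
}

$session_timeout = 1800; // enter number of seconds here for session to live (in sec) - 60 = 1 minute - 1800/60 = 30 min

$session_duration = time() - $_SESSION['session_start_time'];
if ($session_duration > $session_timeout) {
	// Idle for too long: wipe the old session, then start a fresh one with a new ID
	session_unset();
	session_destroy();
	session_start();
	session_regenerate_id(true);
	$_SESSION["expired"] = "yes";
	header("Location: http://yourwebpage/index.php"); // Redirect to Login Page - index.php - or whatever you wish
	exit; // stop here so the rest of the page is not rendered for the expired session
} else {
	// Activity seen: restart the idle timer
	$_SESSION['session_start_time']=time();
}
?>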


I have been using this for approx 2 months now and in that time not one error has occurred other than users complaining they have to log in again.

It has not yet been tested with version 5. When that is done I will advise or change as needed.

Remember this works for me in my instance. Depending upon the changes you have made to the base code of appgini it may not work for you. However, since this is in the header file it loads nicely and should not give issues.

Enjoy

Alan Sopczak
Calgary, Alberta, Canada - Using Appgini 5.50 -

shasta59
AppGini Super Hero
Posts: 231
Joined: 2013-01-08 19:40
Location: Calgary, Alberta, Canada

Re: Put a timer on the session

Post by shasta59 » 2013-01-15 14:10

Forgot to mention it does not work as a hook or in the hook file. I have tested it both ways. When placed in the _global.php hook file under the login ok function it does not work properly even though I am using session variables. There may be a way to get it to work but since I needed a working solution quickly this method works well and consistently.

It most likely will not work in the function due to being an internal part of the function and only persisting while the function is active/called.

I am currently testing using require_once and when testing is complete will upload/change tip if needed. If I can get it to work inside a function properly (read without a lot of effort) I will advise this forum to save having to change the header file each time the app is regenerated.

The next change I am working on for this is to allow each individual to set their own timer duration in their prefs. This is more work but would fit in with one usage I am making of the appgini generated code. Some individuals need to be on for a long time others for only a few min. This would allow me to set a short time frame as the default and then each user can customize it to the length they need.

Alan
Calgary, Alberta, Canada - Using Appgini 5.50 -

shasta59
AppGini Super Hero
Posts: 231
Joined: 2013-01-08 19:40
Location: Calgary, Alberta, Canada

Re: Put a timer on the session - update

Post by shasta59 » 2013-06-19 22:02

After much testing I have found the following, placed in the incCommon.php file, works much better to set a session timer.

I place it after the following code found in incCommon.php. Look around line 54 approx.

if(session_id()){ session_write_close(); }
@ini_set('session.save_handler', 'files');
@ini_set('session.serialize_handler', 'php');
@ini_set('session.use_cookies', '1');
@ini_set('session.use_only_cookies', '1');
@ini_set('session.cache_limiter', 'nocache');
@session_name('your_session_name');
session_start();


Insert the following:

//added by alan for session control time limit
// First request in this session: initialise the counter and the timer
if (empty($_SESSION['session_count'])) {
	$_SESSION['session_count'] = 1;
	$_SESSION['session_start_time']=time();
} else {
	$_SESSION['session_count'] = $_SESSION['session_count'] + 1;
}

$session_timeout = 1800; // enter number of seconds here for session to live (in sec) - 60 = 1 minute

$session_duration = time() - $_SESSION['session_start_time'];
if ($session_duration > $session_timeout) {
	// Idle for too long: wipe the old session, then start a fresh one with a new ID
	session_unset();
	session_destroy();
	session_start();
	session_regenerate_id(true);
	$_SESSION["expired"] = "yes";
	header("Location: http://your_url_goes_here/index.php?signIn=1");// Redirect to Login Page - index.php
	exit; // stop here so the rest of the page is not rendered for the expired session
} else {
	// Activity seen: restart the idle timer
	$_SESSION['session_start_time']=time();
}

//end of add in section for session control


I found this worked much smoother and was actually faster in code execution overall based upon server stats and other testing. While it does mean modifying an existing file it does work better.

Alan
Calgary, Alberta, Canada - Using Appgini 5.50 -

AhmedBR
AppGini Super Hero
Posts: 327
Joined: 2013-09-19 10:23

Re: Put a timer on the session

Post by AhmedBR » 2013-10-03 19:07

Thank you for this nice tip.

Ahmed
AppGini 22.14 - xampp 3.3.0 - PHP 7.4.30 - Summary reports - Calendar - Mass update - Messages - AppGiniHelper

davea0511
Posts: 14
Joined: 2013-10-11 16:43

Re: Put a timer on the session

Post by davea0511 » 2013-10-11 18:01

Very helpful ... feature would be a very nice addition to the core AppGini distribution.

This capability is required for most data-sensitive applications that might be run on a public computer or device.

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: Put a timer on the session

Post by onoehring » 2019-08-19 13:22

Hi shasta59,

thanks for sharing.

I wonder if this is built into AG in version 5.76 or if we still need to add this. Does anyone know?

Btw. I placed your code into a new php file in the hooks folder. I include this new php file into hooks/__global.php, so the file is available but I did not change any generated files.

Olaf

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: Put a timer on the session

Post by onoehring » 2019-08-19 15:19

Hi,

just noticed, that
Btw. I placed your code into a new php file in the hooks folder. I include this new php file into hooks/__global.php, so the file is available but I did not change any generated files.
is a stupid idea, as this file is used only on the login page. Sorry.
The include will have to go into another file, probably the one shasta59 suggested.

Olaf

onoehring
AppGini Super Hero
Posts: 1156
Joined: 2019-05-21 22:42
Location: Germany

Re: Put a timer on the session

Post by onoehring » 2019-08-19 17:14

Hi,

ok, I think I found my solution for a nice place where to include the script. I put it in the hooks/footer.extras.php

	//automatic logout when session expired
	include("$currDir/hooks/sessiontimer.php");

Olaf

Moh Youba
Veteran Member
Posts: 228
Joined: 2017-03-12 09:31

Re: Put a timer on the session

Post by Moh Youba » 2019-10-28 20:21

Hello

Please, does this work for AppGini 5.81?

Thank you


Moh Youba
Veteran Member
Posts: 228
Joined: 2017-03-12 09:31

Re: Put a timer on the session

Post by Moh Youba » 2019-10-29 06:58

Thank you Olaf

zkarwinkar
Veteran Member
Posts: 32
Joined: 2021-06-12 21:01

Re: Put a timer on the session

Post by zkarwinkar » 2022-02-21 04:46

not working in 22.11

peebee
AppGini Super Hero
Posts: 352
Joined: 2013-03-21 04:37

Re: Put a timer on the session

Post by peebee » 2022-02-23 06:48

I am currently using the following session control in V22.11 and it appears to be working correctly/well. I'm open to any corrections if required.

The following not only adds a session timer but also kills your original session issued at the login page and issues you a new session cookie AFTER you have successfully logged in. This helps prevent the possibility of session hijacking: https://owasp.org/www-community/attacks ... ing_attack

This is a hooks only solution - add this to your login_ok function in hooks/__global.php

function login_ok($memberInfo, &$args) {

	//Set new Cookie after successful login
	session_regenerate_id(true);
	// Session control time limit
	// First pass for this session: initialise the counter and the timer
	if(empty($_SESSION['session_count'])) {
		$_SESSION['session_count'] = 1;
		$_SESSION['session_start_time']=time();
	} else {
		$_SESSION['session_count'] = $_SESSION['session_count'] + 1;
	}

	$session_timeout = 1800; // number of seconds here for session to live (in sec) - 60 = 1 minute

	$session_duration = time() - $_SESSION['session_start_time'];
	if ($session_duration > $session_timeout) {
		// Timer exceeded: wipe the old session, then start a fresh one with a new ID
		session_unset();
		session_destroy();
		session_start();
		session_regenerate_id(true);
		$_SESSION["expired"] = "yes";
		header("Location: https://YOURDOMAINHERE.com/index.php?signIn=1");// Redirect to Login Page - index.php
		exit; // stop here so nothing else runs for the expired session
	} else {
		$_SESSION['session_start_time']=time();
	}

} //end of session control
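
The idle timer discussed in this thread, as an added example that is not code from any poster or from AppGini: the expiry decision is split into a function that can be checked with fixed timestamps, and an absolute session age cap is added as a generalization of the idle check. The names `check_session_timer`, `enforce_session_timer`, `IDLE_LIMIT`, `ABSOLUTE_LIMIT` and the session keys `created_at` and `last_seen` are hypothetical, and the relative login path assumes the calling page sits in the application root.

```php
<?php
// Added example; function names, session keys and limits are assumptions, not AppGini code.
const IDLE_LIMIT = 1800;       // seconds without a request before the session expires
const ABSOLUTE_LIMIT = 28800;  // hard cap on session age, even for an active user

/**
 * Decide whether the session is still valid at $now and update its timestamps.
 * Takes any array so the logic can be exercised without a live session.
 * Returns 'new', 'active' or 'expired'.
 */
function check_session_timer(array &$s, int $now, int $idle = IDLE_LIMIT, int $abs = ABSOLUTE_LIMIT): string
{
    if (empty($s['created_at'])) {               // first request for this session
        $s['created_at'] = $s['last_seen'] = $now;
        return 'new';
    }
    $idleFor = $now - ($s['last_seen'] ?? 0);
    $age     = $now - $s['created_at'];
    if ($idleFor > $idle || $age > $abs) {
        return 'expired';
    }
    $s['last_seen'] = $now;                      // activity resets the idle timer only
    return 'active';
}

/** Per-request guard: call once, after session_start() and before any output. */
function enforce_session_timer(string $loginPath = 'index.php?signIn=1'): void
{
    if (check_session_timer($_SESSION, time()) !== 'expired') {
        return;
    }
    session_unset();                             // same teardown sequence as the thread's code
    session_destroy();
    session_start();                             // fresh session, used only to carry the notice
    session_regenerate_id(true);
    $_SESSION['expired'] = 'yes';
    header('Location: ' . $loginPath);           // relative path avoids hard-coding the host
    exit;                                        // stop before the protected page renders
}

// Constructed demo of the decision logic, run only when this file is executed from the CLI.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $s = [];
    foreach ([1000, 2700, 4501] as $t) {         // constructed timestamps: first hit, +1700 s, +1801 s
        echo $t, ' => ', check_session_timer($s, $t), "\n";
    }
}
```

The guard is meant to be called on every request, which is why it is written as a function to include from a file that loads on each page rather than only at sign-in.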

zkarwinkar
Veteran Member
Posts: 32
Joined: 2021-06-12 21:01

Re: Put a timer on the session

Post by zkarwinkar » 2022-02-28 20:12

Thanks, it's working 👍