PHP 会话超时
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3068744/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP Session timeout
提问by user342391
I am creating a session when a user logs in like so:
当用户登录时,我正在创建一个会话,如下所示:
$_SESSION['id'] = $id;
How can I specify a timeout on that session of X minutes and then have it perform a function or a page redirect once it has reached X minutes??
如何在 X 分钟的会话中指定超时,然后在达到 X 分钟后让它执行功能或页面重定向?
EDIT: I forgot to mention that I need the session to timeout due to inactivity.
编辑:我忘了提到由于不活动,我需要会话超时。
回答by Jacco
first, store the last time the user made a request
首先,存储用户上次发出请求的时间
<?php
$_SESSION['timeout'] = time();
?>
in subsequent request, check how long ago they made their previous request (10 minutes in this example)
在随后的请求中,检查他们多久前提出他们的先前请求(在本例中为 10 分钟)
<?php
if ($_SESSION['timeout'] + 10 * 60 < time()) {
// session timed out
} else {
// session ok
}
?>
回答by Vinko Vrsalovic
When the session expires the data is no longer present, so something like
当会话过期时,数据不再存在,所以像
if (!isset($_SESSION['id'])) {
header("Location: destination.php");
exit;
}
will redirect whenever the session is no longer active.
每当会话不再活动时将重定向。
You can set how long the session cookie is alive using session.cookie_lifetime
您可以使用session.cookie_lifetime设置会话 cookie 的存活时间
ini_set("session.cookie_lifetime","3600"); //an hour
EDIT: If you are timing sessions out due to security concern (instead of convenience,) use the accepted answer, as the comments below show, this is controlled by the client and thus not secure. I never thought of this as a security measure.
编辑:如果您出于安全考虑(而不是方便)将会话超时,请使用已接受的答案,如下面的评论所示,这是由客户端控制的,因此不安全。我从不认为这是一种安全措施。
回答by Vinko Vrsalovic
Just check first the session is not already created and if not create one. Here i am setting it for 1 minute only.
只需先检查会话尚未创建,如果未创建,则创建一个。在这里,我仅将其设置为 1 分钟。
<?php
if(!isset($_SESSION["timeout"])){
$_SESSION['timeout'] = time();
};
$st = $_SESSION['timeout'] + 60; //session time is 1 minute
?>
<?php
if(time() < $st){
echo 'Session will last 1 minute';
}
?>
回答by Byterbit
<script type="text/javascript">
window.setTimeout("location=('timeout_session.htm');",900000);
</script>
In the header of every page has been working for me during site tests(the site is not yet in production). The HTML page it falls to ends the session and just informs the user of the need to log in again. This seems an easier way than playing with PHP logic. I'd love some comments on the idea. Any traps I havent seen in it ?
在网站测试期间,每个页面的标题都对我有用(该网站尚未投入生产)。它所落入的 HTML 页面结束会话,只是通知用户需要再次登录。这似乎比玩 PHP 逻辑更简单。我很想对这个想法发表一些评论。有什么我没见过的陷阱吗?
回答by Uday Hiwarale
<?php
session_start();
if (time()<$_SESSION['time']+10){
$_SESSION['time'] = time();
echo "welcome old user";
}
else{
session_destroy();
session_start();
$_SESSION['time'] = time();
echo "welcome new user";
}
?>
回答by Michael Badichi
Byterbit solution is problematic because:
字节解决方案是有问题的,因为:
- having the client control expiration of a server side cookie is a security issue.
- if expiration timeout set on server side is smaller than the timeout set on client side, the page would not reflect the actual state of the cookie.
- even if for the sake of comfort in development stage, this is a problem because it won't reflect the right behaviour (in timing) on release stage.
- 让客户端控制服务器端 cookie 过期是一个安全问题。
- 如果服务器端设置的过期时间小于客户端设置的超时时间,页面将不会反映 cookie 的实际状态。
- 即使为了开发阶段的舒适性,这也是一个问题,因为它不会在发布阶段反映正确的行为(在时间上)。
for cookies, setting expiration via session.cookie_lifetime is the right solution design-wise and security-wise! for expiring the session, you can use session.gc_maxlifetime.
对于 cookie,通过 session.cookie_lifetime 设置过期是设计和安全方面的正确解决方案!要使会话过期,您可以使用 session.gc_maxlifetime。
expiring the cookies by calling session_destroy might yield unpredictable results because they might have already been expired.
通过调用 session_destroy 使 cookie 过期可能会产生不可预测的结果,因为它们可能已经过期。
making the change in php.ini is also a valid solution but it makes the expiration global for the entire domain which might not be what you really want - some pages might choose to keep some cookies more than others.
在 php.ini 中进行更改也是一个有效的解决方案,但它会使整个域的过期时间变得全局,这可能不是您真正想要的 - 某些页面可能会选择比其他页面更多地保留某些 cookie。
回答by Dominic Ceraso
<?php
session_start();
if($_SESSION['login'] != 'ok')
header('location: /dashboard.php?login=0');
if(isset($_SESSION['last-activity']) && time() - $_SESSION['last-activity'] > 600) {
// session inactive more than 10 min
header('location: /logout.php?timeout=1');
}
$_SESSION['last-activity'] = time(); // update last activity time stamp
if(time() - $_SESSION['created'] > 600) {
// session started more than 10 min ago
session_regenerate_id(true); // change session id and invalidate old session
$_SESSION['created'] = time(); // update creation time
}
?>
回答by khaled_tn
session_cache_expire( 20 );
session_start(); // NEVER FORGET TO START THE SESSION!!!
$inactive = 1200; //20 minutes *60
if(isset($_SESSION['start']) ) {
$session_life = time() - $_SESSION['start'];
if($session_life > $inactive){
header("Location: user_logout.php");
}
}
$_SESSION['start'] = time();
if($_SESSION['valid_user'] != true){
header('Location: ../....php');
}else{
source: http://www.daniweb.com/web-development/php/threads/124500
来源:http: //www.daniweb.com/web-development/php/threads/124500
