PHP - Determining Session Timeout Length

Hi:

How do I set a password-protected page to time out after 20 minutes or so?

I thought it was doing it on the below page, but it is not working.

A tutorial I found online.

Login.php
Code: [Select]
<form name="form1" method="post" action="myLogin.php">

<input name="myUserName" type="text" size="40" id="myUserName">
<br /><br />
<input name="myPassword" type="password" size="40" id="myPassword">

</div>

<input type="submit" name="Submit" value="Login">

</form>

myLogin.php
Code: [Select]
<?php

ob_start();

// Connect to server and select database.
//mysql_connect("$host", "$username", "$password")or die("cannot connect");
//mysql_select_db("$db_name")or die("cannot select DB");

// Define $myUserName and $myPassword
$myUserName=$_POST['myUserName'];
$myPassword=$_POST['myPassword'];



// To protect MySQL injection (more detail about MySQL injection)
$myUserName = stripslashes($myUserName);
$myPassword = stripslashes($myPassword);

$myUserName = mysql_real_escape_string($myUserName);
$myPassword = mysql_real_escape_string($myPassword);


$sql="SELECT * FROM myAdmins WHERE myUserName='$myUserName' and myPassword='$myPassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myUserName and $myPassword, table row must be 1 row

if($count==1){
// Register $myUserName, $myPassword and redirect to file "a_Home.php"
session_register("myUserName");
session_register("myPassword");

header("location:a_Home.php");
}
else {

echo "


<html>

...

</html>
";
}

ob_end_flush();
?>

myCheckLogin.php (added to each page to see if the person logged-in via Login.php):
Code: [Select]
<?
session_start();
if(!session_is_registered(myUserName)){
header("location:Login.php");
}
?>

Any help would be great.

Thanks.

I have a form that is very long.  Sometimes the logged-in user will spend over 20 minutes on this screen and then when they hit submit, the session has already expired and they are redirected to the login screen and anything on that form is lost.
Is there a way to reset the session timeout to zero everytime they either click the screen with the mouse, or type something into a form field (without submitting the form)?  Not sure if this would only work with javascript or if there is php code that I would put in the beginning of the action.php that looks for whether the session has timed out and if so, add the form contents to the database first before logging them out?  A php solution like that would be preferable to a javascript one.
But also if the sessiopn has already expired, then the action.php script would be less secure if I put the code there because then anyone not logged in could use that page so that's probably not the solution.  Best solution would be to reset the session timer whenever they click ont he screen or start typing in the form.

For PHP 7.4, what is the recommended session length that I should be using to have the best security?

In DEV< in my php.ini file, session.sid_length = 26

According to the comments above that, it sounds like you can go up to 256.

Is it fair to assume that larger is more secure?

Also, if I set it to a larger size like 256, is tehre any risk of breaking things on my (VPS) web server running WHM/cPanel?

Hello everyone,

I've searched these forums for a while now trying to resolve a problem that I have with my sessions timing out before I would like them to, but I've only gotten confused about it.  I've read about changing some settings or adding code in my php.ini file but I have no idea what I'm doing when it comes to that.  I'm starting the session simply by having session_start(); at the top of each of my pages.  I'm including a copy of my entire php.ini file here so that you can see what I have already.  Can someone please help me to figure out what I would need to do to make my sessions last at least 8 hours?  Thanks in advance.

Here's my php.ini file:
Code: [Select]
register_globals = off
allow_url_fopen = off

expose_php = Off
max_input_time = 60
variables_order = "EGPCS"
extension_dir = ./
upload_tmp_dir = /tmp
precision = 12
SMTP = relay-hosting.secureserver.net
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=,fieldset="


; Only uncomment zend optimizer lines if your application requires Zend Optimizer support

;[Zend]
;zend_optimizer.optimization_level=15
;zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
;zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
;zend_extension=/usr/local/Zend/lib/Optimizer-3.3.3/ZendExtensionManager.so
;zend_extension_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3/ZendExtensionManager_TS.so


; -- Be very careful to not to disable a function which might be needed!
; -- Uncomment the following lines to increase the security of your PHP site.

;disable_functions = "highlight_file,ini_alter,ini_restore,openlog,passthru,
;       phpinfo, exec, system, dl, fsockopen, set_time_limit,
;                     popen, proc_open, proc_nice,shell_exec,show_source,symlink"

Hello All,

I have a PHP web application which will refresh itself(ajax calls connecting to the server and get the latest data) periodically. These also update the Database-based session handler class. i.e. There is NO UPDATE to the session data but the timestamp is constantly updated.


Our problem is that garbage collection does not kick in as it looks at the difference between timestamp and session_gc.maxlifetime. So, if  and the user is not interacting with the application.

Now my question is how can I force the timeout even though refreshing happens but the user is not interacting with the application and there are "phantom" session updates made by these ajax calls.

Please let me know. Thanks.

Hi all,

Yesterday I moved a web application from a normal cookie session to a use_trans_sid session because some users' browser didn't accept cookies.

This works great, but the session used to last for 45 minutes (set with session.gc_maxlifetime), but after the change the session times out faster.

(How) can I set the session length if I use use_trans_sid?

Thanks,

Base

PS: PHP version 5.2.13-1

I know the default length of a tiny int is less than an int, but if I put in the same length for both, are they essentially the same type?

Here is the scenario:

Members of my group turn in/donate uniform items they don't need to me...stuff that can be passed on to other members that need it.  I post these items onto our website.  A member, who needs an item, visits the site, and picks the items that they need.  After selecting everything they need, they provide only their name and maybe some comments, and submit the request.  An e-mail is generated and sent to me, listing out all the items the member has requested.  I gather the items, and bring them to the member at the next meeting.

My original plans were to use a shopping cart type script; however, I have since found out that I am not allowed a MySQL database on the server I am using!

I've seen some shopping carts out there that use php & excel, not requiring a database, but they are all trial, and have limitations of only like 10 items.

Does anyone have any ideas on the best way to handle this scenario?  I was thinking an html form of some type with check boxes next to each item; then, upon pressing submit, a php script sends me an e-mail listing the boxes they have checked.  Only problem with that is, having to update the php script each time I add/delete an item and it's checkbox (would have to add/delete that checkbox's name to the script each time...correct?).

Thanks for any suggestions,
- Jason

Hi Guys

Quick question.

I am just starting an application that enables users to upload files - specifically image files.

As one of the validation/security steps I want to run a check on file type and file size.

As far as i can see you do this one of two ways:

1) using the $_FILES array - i.e. $_FILES[name][type] and $_FILES[name][size]

or

2) using the getimagesize() function.


What i want to know is whether one of these methods is preferable for security or do they both suffer the same inherent flaws - because lots of post online seem to suggest filetype can be faked.

advice would be appreciated

Hey, I have a search feature that searches for words in my database.
I am currently storing all searches that users make in a table called `search`. I need to list the top 10 words that are searched for the most, excluding common words like "the, and, or, etc".
Because the searches users make are stored into a table, it should be fairly easy.
Could anyone give an example of how to do this?

Here's how my sql table looks:

table name: search

columns:
id (autoincrement)
phrase
date
resultsfound
ip

With this code I can determine the fieldname and the value.  They are $col_key and $col_value respectively:
Code: [Select]
$sql = "SELECT * FROM $tbl ";
$result = mysql_query($sql)
while ($line = mysql_fetch_array($result, MYSQL_ASSOC)) {
if ($row == 1) {
foreach ($line as $col_key => $col_value) {
But how do I determine the field TYPE (i.e. varchar, text, date etc)?

Could someone please advise the best way to determine the average of a DATE field in a SELECT query?    

I have a PHP script that downloads a file from a remote server but in order to download the correct file it has to subtract 1 day of the week.  It used to work quite some time ago so I dont know what is going on now.  The section of the script goes like this....

$days = array("sun","mon","tue","wed","thu","fri","sat");
$today = date("w");
$yesterday = $days[$today - 1];

Then it joins the 3 letter version of the day of week with a file name to grab the correct file download.  $yesterday is not returning the correct value instead I am getting an error...

# ./update.php 
PHP Notice:  Undefined offset: -1 in /root/fcc/work/update.php on line 6
fetching l_am_.zip
ncftpget: server said: l_am_.zip: No such file or directory.
PHP Warning:  unlink(counts): No such file or directory in /root/fcc/work/update.php on line 23
data set empty nothing to process 

Sun, 01 February, 2015 6:29:06 PM

So in the above error I can see that $yesterday is "Undefined offset" and because of that the file it tries to download is incorrect, it should have tried to download l_am_sat.zip and it left out the 3 letter date code.
Edited by chadrt, 01 February 2015 - 09:48 PM.

Hi, I found a tutorial online for a form which used PHP/MySQL and JQuery to submit data. I am making some modifications and the form no-longer submits the data. The problem I have is no errors display so I am not sure where the problem lies. I need to be able to display a success or failure message on the form itself, but this is either not there or not working. The code is below.

Code: [Select]
<form id="ContactForm" action="">
                <p>
                    <label>First Name</label>
                    <input id="FirstName" name="FirstName" class="inplaceError" maxlength="120" type="text" autocomplete="off"/>
<span class="error" style="display:none;"></span>
                </p>
                <p>
                    <label>Last Name</label>
                    <input id="LastName" name="LastName" class="inplaceError" maxlength="120" type="text" autocomplete="off"/>
<span class="error" style="display:none;"></span>
                </p>
                <p>
                    <label>User Name</label>
                    <input id="UserName" name="UserName" class="inplaceError" maxlength="120" type="text" autocomplete="off"/>
<span class="error" style="display:none;"></span>
                </p>
                <p>
                    <label>Email</label>
                    <input id="email" name="email" class="inplaceError" maxlength="120" type="text" autocomplete="off"/>
<span class="error" style="display:none;"></span>
                </p>
                <p>
                    <label>Website<span>(optional)</span></label>
                    <input id="website" name="website" class="inplaceError" maxlength="120" type="text" autocomplete="off"/>
                </p>
                <p>
                    <label>Your message<br /> <span>300 characters allowed</span></label>
                    <textarea id="message" name="message" class="inplaceError" cols="6" rows="5" autocomplete="off"></textarea>
<span class="error" style="display:none;"></span>
                </p>
                <p class="submit">
                    <input id="send" type="button" value="Submit"/>
                    <span id="loader" class="loader" style="display:none;"></span>
<span id="success_message" class="success"></span>
                </p>
<input id="newcontact" name="newcontact" type="hidden" value="1"></input>
            </form>


<?php
require_once("config.php"); /* Configuration File */

class DB{

private $link;

public function __construct(){
$this->link = mysqli_connect(DB_SERVER, DB_USER, DB_PASS,DB_NAME);
if (mysqli_connect_errno())
    exit();
}

public function __destruct() {
mysqli_close($this->link);
}

public function dbNewMessage($email,$FirstName,$LastName,$website,$message){
$email    = mysqli_real_escape_string($this->link,$email);
$FirstName  = mysqli_real_escape_string($this->link,$FirstName);
$LastName  = mysqli_real_escape_string($this->link,$LastName);
$UserName  = mysqli_real_escape_string($this->link,$UserName);
$website  = mysqli_real_escape_string($this->link,$website);
$message  = mysqli_real_escape_string($this->link,$message);

mysqli_autocommit($this->link,FALSE);

$query = "INSERT INTO contact_me(pk_contact,FirstName,LastName,UserName,email,website,message) 
  VALUES('NULL','$FirstName','$LastName','$UserName','$email','$website','$message')";
mysqli_query($this->link,$query);

if(mysqli_errno($this->link))
return -1;
else{
mysqli_commit($this->link);
return 1;
}
}   
};
?>





<?php
require_once("db.php"); /* Database Class */
require_once('utils/is_email.php'); /* Email Validation Script */

/* Handle Ajax Request */
if(isset($_POST['newcontact'])){
$contact = new Contact();
unset($contact);
}
else{
header('Location: /');
}

/* Class Contact */
class Contact{

private $db;  /* the database obj */

private $errors  = array();  /* holds error messages */
private $num_errors;    /* number of errors in submitted form */

public function __construct(){
$this->db = new DB();
if(isset($_POST['newcontact']))
$this->processNewMessage();
else
header("Location: /");
}

public function processNewMessage(){

$email = $_POST['email'];
$FirstName = $_POST['FirstName'];
$LastName = $_POST['LastName'];
$UserName = $_POST['UserName'];
$website = $_POST['website'];
$message = $_POST['message'];

/* Server Side Data Validation */

/* Email Validation */
if(!$email || mb_strlen($email = trim($email)) == 0)
$this->setError('email','required field');
else{
if(!is_email($email))
$this->setError('email', 'invalid email');
else if(mb_strlen($email) > 120)
$this->setError('email', 'too long! 120');
}

/* FirstName Validation */
if(!$FirstName || mb_strlen($FirstName = trim($FirstName)) == 0)
$this->setError('FirstName', 'required field');
else if(mb_strlen(trim($FirstName)) > 120)
$this->setError('FirstName', 'too long! 120 characters');

/* LastName Validation */
if(!$LastName || mb_strlen($LastName = trim($LastName)) == 0)
$this->setError('LastName', 'required field');
else if(mb_strlen(trim($LastName)) > 120)
$this->setError('LastName', 'too long! 120 characters');

/* UserName Validation */
if(!$UserName || mb_strlen($UserName = trim($UserName)) == 0)
$this->setError('UserName', 'required field');
else if(mb_strlen(trim($UserName)) > 120)
$this->setError('UserName', 'too long! 120 characters');

/* Website Validation */
if(!mb_eregi("^[a-zA-Z0-9-#_.+!*'(),/&:;=?@]*$", $website))
$this->setError('website', 'invalid website');
elseif(mb_strlen(trim($website)) > 120)
$this->setError('website', 'too long! 120 characters');

/* Message Validation */
$message = trim($message);
if(!$message || mb_strlen($message = trim($message)) == 0)
$this->setError('message','required field');
elseif(mb_strlen($message) > 300)
$this->setError('message', 'too long! 300 characters');

/* Errors exist */
if($this->countErrors() > 0){
$json = array(
'result' => -1, 
'errors' => array(
array('name' => 'email' ,'value' => $this->error_value('email')),
array('name' => 'FirstName' ,'value' => $this->error_value('FirstName')),
array('name' => 'LastName' ,'value' => $this->error_value('LastName')),
array('name' => 'UserName' ,'value' => $this->error_value('UserName')),
array('name' => 'website' ,'value' => $this->error_value('website')),
array('name' => 'message' ,'value' => $this->error_value('message'))
)
);
$encoded = json_encode($json);
echo $encoded;
unset($encoded);
}
/* No errors, insert in db*/
else{
if(($ret = $this->db->dbNewMessage($email, $FirstName, $LastName,$UserName, $website, $message)) > 0){
$json = array('result'  => 1); 
if(SEND_EMAIL)
$this->sendEmail($email,$name,$website,$message);
}
else
$json = array('result'  => -2); /* something went wrong in database insertion  */
$encoded = json_encode($json);
echo $encoded;
unset($encoded);
}
}

public function sendEmail($email,$name,$website,$message){
/* Just format the email text the way you want ... */
$message_body = "Hi, ".$name."(".$email." - ".$website.") sent you a message from yoursite.com\n"
."email: ".$email."\n"
."message: "."\n"
.$message; 
$headers = "From: ".EMAIL_FROM_NAME." <".EMAIL_FROM_ADDR.">";

return mail(EMAIL_TO,MESSAGE_SUBJECT,$message_body,$headers);
}

public function setError($field, $errmsg){
$this->errors[$field]  = $errmsg;
$this->num_errors  = count($this->errors);
}

public function error_value($field){
if(array_key_exists($field,$this->errors))
return $this->errors[$field];
else
return '';
}

public function countErrors(){
return $this->num_errors;
}
};
?>


and the JQuery
Code: [Select]
$(document).ready(function() {
contact.initEventHandlers();
});
var contact = {
initEventHandlers : function() {
/* clicking the submit form */
$('#send').bind('click',function(event){
$('#loader').show();
setTimeout('contact.ContactFormSubmit()',500);
});
/* remove messages when user wants to correct (focus on the input) */
$('.inplaceError',$('#ContactForm')).bind('focus',function(){
var $this = $(this);
var $error_elem = $this.next();
if($error_elem.length)
$error_elem.fadeOut(function(){$(this).empty()});
$('#success_message').empty();
});
/* user presses enter - submits form */
$('#ContactForm input,#ContactForm textarea').keypress(function (e) {
if ((e.which && e.which == 13) || (e.keyCode && e.keyCode == 13)) { 
$("#send").click();
return false; 
}
else 
return true; 
});
},
ContactFormSubmit : function() {
$.ajax({
   type : 'POST',
   url : 'php/contact.php?ts='+new Date().getTime(),
   dataType : 'json',
   data : $('#ContactForm').serialize(),
   success : function(data,textStatus){
  //hide the ajax loader
  $('#loader').hide();
  if(data.result == '1'){
      //show success message
  $('#success_message').empty().html('Message sent');
  //reset all form fields
  $('#ContactForm')[0].reset();
  //envelope animation
  $('#envelope').stop().show().animate({'marginTop':'-175px','marginLeft':'-246px','width':'492px','height':'350px','opacity':'0'},function(){
      $(this).css({'width':'246px','height':'175px','margin-left':'-123px','margin-top':'-88px','opacity':'1','display':'none'});
  });
  }
  else if(data.result == '-1'){
  for(var i=0; i < data.errors.length; ++i ){
      if(data.errors[i].value!='')
          $("#"+data.errors[i].name).next().html('<span>'+data.errors[i].value+'</span>').fadeIn();
  }
  }  
  },
   error : function(data,textStatus){}
});
} 
};

I am trying to write a script that runs through a CSV file and inserts unique values in a mysql database and spits the duplicate out into a new CSV.

I can find the duplicates when I load it into an array, but when I insert them into a MySQL database, I cannot determine if they are duplicates. 

If I use INSERT IGNORE, it will run the whole file, and reject the duplicates.  This is fine, except I need to create a file of the duplicate entries.

What is the best way to determine if the insert attempt was rejected?

I could do a select to see if the row is there, spit it out...insert if not, but I was thinking there should be a way for MySQL to talk back to me to cut the queries in half...

Any ideas?

Thanks