FUDforum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » Imported messages » comp.lang.php » session handler auto log out
Show: Today's Messages :: Polls :: Message Navigator
Switch to threaded view of this topic Create a new topic Submit Reply
session handler auto log out [message #176036] Sat, 19 November 2011 22:49 Go to next message
DavidB is currently offline  DavidB
Messages: 2
Registered: October 2011
Karma: 0
Junior Member
Hi everyone:

Is there a way to model a session handler to auto logout after a specified period of time without refreshing the page? Something similar to a bank website that auto logs me out and redirects me to another page.
Re: session handler auto log out [message #176037 is a reply to message #176036] Sat, 19 November 2011 23:29 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/19/2011 5:49 PM, DavidB wrote:
> Hi everyone:
>
> Is there a way to model a session handler to auto logout after a specified period of time without refreshing the page? Something similar to a bank website that auto logs me out and redirects me to another page.

HTTP is a request/response protocol. While you can set a session
timeout value on the server, you can't force the client to a different
page from the server. It requires a request from the client.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176038 is a reply to message #176036] Sun, 20 November 2011 00:11 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Sat, 19 Nov 2011 14:49:51 -0800, DavidB wrote:

> Is there a way to model a session handler to auto logout after a
> specified period of time without refreshing the page? Something similar
> to a bank website that auto logs me out and redirects me to another
> page.

Yes, but not in the server php.

All you can do in the server php is catch an invalid / unset / expired
session cookie, assume it related to an expired session, and do the
redirect when the user tries to reuse the expired session.

On the client side, you can set timeouts in javascript, which is I would
presume how banks implement such things, but I've never tried doing it
myself. Perhaps people on comp.lang.javascript could offer suggestions.

Rgds

Denis McMahon
Re: session handler auto log out [message #176044 is a reply to message #176036] Mon, 21 November 2011 14:07 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
DavidB, 2011-11-19 23:49:

> Is there a way to model a session handler to auto logout after a specified
> period of time without refreshing the page? Something similar to a bank
> website that auto logs me out and redirects me to another page.

If you want to force the client to redirect the user to another page as
soon as the session on the *server* times out you must do periodically
checks on the client e.g. using AJAX.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176046 is a reply to message #176044] Mon, 21 November 2011 14:13 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/21/2011 9:07 AM, Arno Welzel wrote:
> DavidB, 2011-11-19 23:49:
>
>> Is there a way to model a session handler to auto logout after a specified
>> period of time without refreshing the page? Something similar to a bank
>> website that auto logs me out and redirects me to another page.
>
> If you want to force the client to redirect the user to another page as
> soon as the session on the *server* times out you must do periodically
> checks on the client e.g. using AJAX.
>
>

Which is not what the op wants. But both Denis and myself already
pointed this out two days ago. What's your point?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176047 is a reply to message #176046] Mon, 21 November 2011 14:31 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Jerry Stuckle, 2011-11-21 15:13:

> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>> DavidB, 2011-11-19 23:49:
>>
>>> Is there a way to model a session handler to auto logout after a specified
>>> period of time without refreshing the page? Something similar to a bank
>>> website that auto logs me out and redirects me to another page.
>>
>> If you want to force the client to redirect the user to another page as
>> soon as the session on the *server* times out you must do periodically
>> checks on the client e.g. using AJAX.
>>
>>
>
> Which is not what the op wants. But both Denis and myself already
> pointed this out two days ago. What's your point?

Using AJAX is not "refreshing the page". You just said "needs a request"
and AJAX is a way to do a request.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176048 is a reply to message #176044] Mon, 21 November 2011 14:41 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 11/21/2011 3:07 PM, Arno Welzel wrote:
> DavidB, 2011-11-19 23:49:
>
>> Is there a way to model a session handler to auto logout after a specified
>> period of time without refreshing the page? Something similar to a bank
>> website that auto logs me out and redirects me to another page.
>
> If you want to force the client to redirect the user to another page as
> soon as the session on the *server* times out you must do periodically
> checks on the client e.g. using AJAX.
>
>

Hi Arno,

That approach could bite you in the back.
For example: If your session timeout is 30 minutes, and you check each
10 minutes via AJAX, you'll never log out because the AJAX request
"resets" the time-out to a new 30 minutes.
This can all be circumvented (if you know how Sessions work in PHP), but
I would advise the OP to follow Denis's advice and simply use a
window.setTimeout() in JavaScript. Much easier.

Regards,
Erwin Moller


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
Re: session handler auto log out [message #176049 is a reply to message #176048] Mon, 21 November 2011 15:06 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Erwin Moller, 2011-11-21 15:41:

> On 11/21/2011 3:07 PM, Arno Welzel wrote:
>> DavidB, 2011-11-19 23:49:
>>
>>> Is there a way to model a session handler to auto logout after a specified
>>> period of time without refreshing the page? Something similar to a bank
>>> website that auto logs me out and redirects me to another page.
>>
>> If you want to force the client to redirect the user to another page as
>> soon as the session on the *server* times out you must do periodically
>> checks on the client e.g. using AJAX.
>>
>>
>
> Hi Arno,
>
> That approach could bite you in the back.
> For example: If your session timeout is 30 minutes, and you check each
> 10 minutes via AJAX, you'll never log out because the AJAX request
> "resets" the time-out to a new 30 minutes.

Of course i assumed that the AJAX request will not reset the session
timeout (and yes, i know how sessions work in PHP).

> This can all be circumvented (if you know how Sessions work in PHP), but
> I would advise the OP to follow Denis's advice and simply use a
> window.setTimeout() in JavaScript. Much easier.

I agree - setTimeout() is the easies solution in most cases. But you
have to take care that any further interaction will immediatly cancel
the timeout. Depending on the structure of the site and how interaction
is done (e.g. using AJAX and not complete reloads of the page), a simple
setTimeout() may not be enough.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176052 is a reply to message #176047] Mon, 21 November 2011 17:46 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/21/2011 9:31 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-21 15:13:
>
>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>> DavidB, 2011-11-19 23:49:
>>>
>>>> Is there a way to model a session handler to auto logout after a specified
>>>> period of time without refreshing the page? Something similar to a bank
>>>> website that auto logs me out and redirects me to another page.
>>>
>>> If you want to force the client to redirect the user to another page as
>>> soon as the session on the *server* times out you must do periodically
>>> checks on the client e.g. using AJAX.
>>>
>>>
>>
>> Which is not what the op wants. But both Denis and myself already
>> pointed this out two days ago. What's your point?
>
> Using AJAX is not "refreshing the page". You just said "needs a request"
> and AJAX is a way to do a request.
>
>

It is a way which will NOT work.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176059 is a reply to message #176052] Tue, 22 November 2011 11:09 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Jerry Stuckle, 2011-11-21 18:46:

> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2011-11-21 15:13:
>>
>>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> DavidB, 2011-11-19 23:49:
>>>>
>>>> > Is there a way to model a session handler to auto logout after a specified
>>>> > period of time without refreshing the page? Something similar to a bank
>>>> > website that auto logs me out and redirects me to another page.
>>>>
>>>> If you want to force the client to redirect the user to another page as
>>>> soon as the session on the *server* times out you must do periodically
>>>> checks on the client e.g. using AJAX.
>>>>
>>>>
>>>
>>> Which is not what the op wants. But both Denis and myself already
>>> pointed this out two days ago. What's your point?
>>
>> Using AJAX is not "refreshing the page". You just said "needs a request"
>> and AJAX is a way to do a request.
>
> It is a way which will NOT work.

Why?



--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176060 is a reply to message #176059] Tue, 22 November 2011 11:18 Go to previous messageGo to next message
The Natural Philosoph is currently offline  The Natural Philosoph
Messages: 993
Registered: September 2010
Karma: 0
Senior Member
Arno Welzel wrote:
> Jerry Stuckle, 2011-11-21 18:46:
>
>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2011-11-21 15:13:
>>>
>>>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> > DavidB, 2011-11-19 23:49:
>>>> >
>>>> >> Is there a way to model a session handler to auto logout after a specified
>>>> >> period of time without refreshing the page? Something similar to a bank
>>>> >> website that auto logs me out and redirects me to another page.
>>>> > If you want to force the client to redirect the user to another page as
>>>> > soon as the session on the *server* times out you must do periodically
>>>> > checks on the client e.g. using AJAX.
>>>> >
>>>> >
>>>> Which is not what the op wants. But both Denis and myself already
>>>> pointed this out two days ago. What's your point?
>>> Using AJAX is not "refreshing the page". You just said "needs a request"
>>> and AJAX is a way to do a request.
>> It is a way which will NOT work.
>
> Why?
>
>

Because Jerry Says So, And Jerry is Never Wrong.

>
Re: session handler auto log out [message #176066 is a reply to message #176059] Tue, 22 November 2011 12:18 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/22/2011 6:09 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-21 18:46:
>
>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2011-11-21 15:13:
>>>
>>>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> > DavidB, 2011-11-19 23:49:
>>>> >
>>>> >> Is there a way to model a session handler to auto logout after a specified
>>>> >> period of time without refreshing the page? Something similar to a bank
>>>> >> website that auto logs me out and redirects me to another page.
>>>> >
>>>> > If you want to force the client to redirect the user to another page as
>>>> > soon as the session on the *server* times out you must do periodically
>>>> > checks on the client e.g. using AJAX.
>>>> >
>>>> >
>>>>
>>>> Which is not what the op wants. But both Denis and myself already
>>>> pointed this out two days ago. What's your point?
>>>
>>> Using AJAX is not "refreshing the page". You just said "needs a request"
>>> and AJAX is a way to do a request.
>>
>> It is a way which will NOT work.
>
> Why?
>
>
>

Because the AJAX call will reset the session timer, so the session will
never time out.

It also requires javascript running on the client, which may or may not
be the case.

And I did not say "refresh the page". I said "needs a request". I
didn't say what KIND of request.


-- g
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176067 is a reply to message #176060] Tue, 22 November 2011 12:20 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/22/2011 6:18 AM, The Natural Philosopher wrote:
> Arno Welzel wrote:
>> Jerry Stuckle, 2011-11-21 18:46:
>>
>>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> Jerry Stuckle, 2011-11-21 15:13:
>>>>
>>>> > On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >> DavidB, 2011-11-19 23:49:
>>>> >>
>>>> >>> Is there a way to model a session handler to auto logout after a
>>>> >>> specified
>>>> >>> period of time without refreshing the page? Something similar to
>>>> >>> a bank
>>>> >>> website that auto logs me out and redirects me to another page.
>>>> >> If you want to force the client to redirect the user to another
>>>> >> page as
>>>> >> soon as the session on the *server* times out you must do
>>>> >> periodically
>>>> >> checks on the client e.g. using AJAX.
>>>> >>
>>>> >>
>>>> > Which is not what the op wants. But both Denis and myself already
>>>> > pointed this out two days ago. What's your point?
>>>> Using AJAX is not "refreshing the page". You just said "needs a
>>>> request"
>>>> and AJAX is a way to do a request.
>>> It is a way which will NOT work.
>>
>> Why?
>>
>>
>
> Because Jerry Says So, And Jerry is Never Wrong.
>
>>

There's TNP again. I knew the troll would show up sooner or later.

Lost another job digging ditches because you couldn't figure out which
end of the shovel to use?

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176072 is a reply to message #176067] Tue, 22 November 2011 13:29 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 22 Nov 2011 07:20:01 -0500, Jerry Stuckle wrote:

> Lost another job digging ditches because you couldn't figure out which
> end of the shovel to use?

The end that creates the greater hole to dig himself into of course.

Rgds

Denis McMahon
Re: session handler auto log out [message #176073 is a reply to message #176066] Tue, 22 November 2011 15:55 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Jerry Stuckle, 2011-11-22 13:18:

> On 11/22/2011 6:09 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2011-11-21 18:46:
>>
>>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> Jerry Stuckle, 2011-11-21 15:13:
>>>>
>>>> > On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >> DavidB, 2011-11-19 23:49:
>>>> >>
>>>> >>> Is there a way to model a session handler to auto logout after a specified
>>>> >>> period of time without refreshing the page? Something similar to a bank
>>>> >>> website that auto logs me out and redirects me to another page.
>>>> >>
>>>> >> If you want to force the client to redirect the user to another page as
>>>> >> soon as the session on the *server* times out you must do periodically
>>>> >> checks on the client e.g. using AJAX.
>>>> >>
>>>> >>
>>>> >
>>>> > Which is not what the op wants. But both Denis and myself already
>>>> > pointed this out two days ago. What's your point?
>>>>
>>>> Using AJAX is not "refreshing the page". You just said "needs a request"
>>>> and AJAX is a way to do a request.
>>>
>>> It is a way which will NOT work.
>>
>> Why?
>
> Because the AJAX call will reset the session timer, so the session will
> never time out.

And where did i say that the AJAX call should be *before* the session
times out?

And even if it is implemented this way - why should it not be possible
to implement a server side script which responds to the AJAX calls and
checks the existing session without resetting the session timeout?

Hint: It is also possible to implement a session handling on your own.

> It also requires javascript running on the client, which may or may not
> be the case.

In this case the automatic redirect will not occur, but the session will
time out anyway.

> And I did not say "refresh the page". I said "needs a request". I
> didn't say what KIND of request.

So using AJAX to send a request is fine ;-)



--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176083 is a reply to message #176073] Tue, 22 November 2011 18:18 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/22/2011 10:55 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-22 13:18:
>
>> On 11/22/2011 6:09 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2011-11-21 18:46:
>>>
>>>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> > Jerry Stuckle, 2011-11-21 15:13:
>>>> >
>>>> >> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >>> DavidB, 2011-11-19 23:49:
>>>> >>>
>>>> >>>> Is there a way to model a session handler to auto logout after a specified
>>>> >>>> period of time without refreshing the page? Something similar to a bank
>>>> >>>> website that auto logs me out and redirects me to another page.
>>>> >>>
>>>> >>> If you want to force the client to redirect the user to another page as
>>>> >>> soon as the session on the *server* times out you must do periodically
>>>> >>> checks on the client e.g. using AJAX.
>>>> >>>
>>>> >>>
>>>> >>
>>>> >> Which is not what the op wants. But both Denis and myself already
>>>> >> pointed this out two days ago. What's your point?
>>>> >
>>>> > Using AJAX is not "refreshing the page". You just said "needs a request"
>>>> > and AJAX is a way to do a request.
>>>>
>>>> It is a way which will NOT work.
>>>
>>> Why?
>>
>> Because the AJAX call will reset the session timer, so the session will
>> never time out.
>
> And where did i say that the AJAX call should be *before* the session
> times out?
>

Backpeddling, huh?

> And even if it is implemented this way - why should it not be possible
> to implement a server side script which responds to the AJAX calls and
> checks the existing session without resetting the session timeout?
>

Backpeddling, huh?

> Hint: It is also possible to implement a session handling on your own.
>

Yup, not easy to do, though.

>> It also requires javascript running on the client, which may or may not
>> be the case.
>
> In this case the automatic redirect will not occur, but the session will
> time out anyway.
>

Sure. As it will if you don't use AJAX at all.

>> And I did not say "refresh the page". I said "needs a request". I
>> didn't say what KIND of request.
>
> So using AJAX to send a request is fine ;-)
>
>
>

ROFLMAO! No, I didn't say AJAX was OK.

Wise up. You were wrong, but refuse to admit it.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176087 is a reply to message #176073] Wed, 23 November 2011 02:09 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Tue, 22 Nov 2011 16:55:40 +0100, Arno Welzel wrote:

>> Because the AJAX call will reset the session timer, so the session will
>> never time out.
>
> And where did i say that the AJAX call should be *before* the session
> times out?

If the ajax call is made after the session has timed out, then you're
back to the previously discussed situation where you get a request
without a valid current session ID and do with it as you wish.

Any request, whether ajax initiated, a form submission, clicking a link,
grabbing an image etc will send the session cookie from the client to the
server if a session cookie is defined.

If php code is invoked to handle the request and that code invokes the
session handler, then the session timer will be reset and an updated
session cookie reflecting the new timeout / expiry will be sent to the
client.

> Hint: It is also possible to implement a session handling on your own.

Then you need to go and write your own session handler. Have fun.

Rgds

Denis McMahon
Re: session handler auto log out [message #176090 is a reply to message #176083] Wed, 23 November 2011 09:17 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Jerry Stuckle, 2011-11-22 19:18:

> On 11/22/2011 10:55 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2011-11-22 13:18:
>>
>>> On 11/22/2011 6:09 AM, Arno Welzel wrote:
>>>> Jerry Stuckle, 2011-11-21 18:46:
>>>>
>>>> > On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> >> Jerry Stuckle, 2011-11-21 15:13:
>>>> >>
>>>> >>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >>>> DavidB, 2011-11-19 23:49:
>>>> >>>>
>>>> >>>>> Is there a way to model a session handler to auto logout after
>>>> >>>>> a specified
>>>> >>>>> period of time without refreshing the page? Something similar
>>>> >>>>> to a bank
>>>> >>>>> website that auto logs me out and redirects me to another page.
>>>> >>>>
>>>> >>>> If you want to force the client to redirect the user to another
>>>> >>>> page as
>>>> >>>> soon as the session on the *server* times out you must do
>>>> >>>> periodically
>>>> >>>> checks on the client e.g. using AJAX.
>>>> >>>>
>>>> >>>>
>>>> >>>
>>>> >>> Which is not what the op wants. But both Denis and myself already
>>>> >>> pointed this out two days ago. What's your point?
>>>> >>
>>>> >> Using AJAX is not "refreshing the page". You just said "needs a
>>>> >> request"
>>>> >> and AJAX is a way to do a request.
>>>> >
>>>> > It is a way which will NOT work.
>>>>
>>>> Why?
>>>
>>> Because the AJAX call will reset the session timer, so the session will
>>> never time out.
>>
>> And where did i say that the AJAX call should be *before* the session
>> times out?
>>
>
> Backpeddling, huh?

No. You just don't understand it.

>> And even if it is implemented this way - why should it not be possible
>> to implement a server side script which responds to the AJAX calls and
>> checks the existing session without resetting the session timeout?
>>
>
> Backpeddling, huh?

Nope.

>> Hint: It is also possible to implement a session handling on your own.
>>
>
> Yup, not easy to do, though.

Recording a timestamp and checking if the time of the last request by
the user (and not only the "check if session is still valid" request) is
not older than x minutes is "not easy"?

[...]
>>> And I did not say "refresh the page". I said "needs a request". I
>>> didn't say what KIND of request.
>>
>> So using AJAX to send a request is fine ;-)
>
> ROFLMAO! No, I didn't say AJAX was OK.
>
> Wise up. You were wrong, but refuse to admit it.

Nope. You just don't understand it.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176091 is a reply to message #176087] Wed, 23 November 2011 09:22 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Denis McMahon, 2011-11-23 03:09:

> On Tue, 22 Nov 2011 16:55:40 +0100, Arno Welzel wrote:
>
>>> Because the AJAX call will reset the session timer, so the session will
>>> never time out.
>>
>> And where did i say that the AJAX call should be *before* the session
>> times out?
>
> If the ajax call is made after the session has timed out, then you're
> back to the previously discussed situation where you get a request
> without a valid current session ID and do with it as you wish.

Which can be handled of course.

> Any request, whether ajax initiated, a form submission, clicking a link,
> grabbing an image etc will send the session cookie from the client to the
> server if a session cookie is defined.
>
> If php code is invoked to handle the request and that code invokes the
> session handler, then the session timer will be reset and an updated
> session cookie reflecting the new timeout / expiry will be sent to the
> client.
>
>> Hint: It is also possible to implement a session handling on your own.
>
> Then you need to go and write your own session handler. Have fun.

Maybe you should have a look to DokukWikis session handling as an example.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176093 is a reply to message #176087] Wed, 23 November 2011 09:55 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 11/23/2011 3:09 AM, Denis McMahon wrote:
> On Tue, 22 Nov 2011 16:55:40 +0100, Arno Welzel wrote:
>
>>> Because the AJAX call will reset the session timer, so the session will
>>> never time out.
>>
>> And where did i say that the AJAX call should be *before* the session
>> times out?
>
> If the ajax call is made after the session has timed out, then you're
> back to the previously discussed situation where you get a request
> without a valid current session ID and do with it as you wish.
>
> Any request, whether ajax initiated, a form submission, clicking a link,
> grabbing an image etc will send the session cookie from the client to the
> server if a session cookie is defined.

Hi Denis,

Are you sure a request for an *image* will modify the Session?

I thought the Session would only be updated if session_start() is used
(directly or indirectly by activation session.auto_start).

For a typical image request (one that goes only through the webserver
and don't call a PHP script to produce an image) I don't think the
webserver bothers to change the session / sessioncookie details.


>
> If php code is invoked to handle the request and that code invokes the
> session handler, then the session timer will be reset and an updated
> session cookie reflecting the new timeout / expiry will be sent to the
> client.

Yes.
So a typical image request will not modify the session, right?


>
>> Hint: It is also possible to implement a session handling on your own.
>
> Then you need to go and write your own session handler. Have fun.

It isn't that hard really.
Only the concurrency can give some problems (make a testingpage
consisting of 100 frames that all call a script, using the same session
is an easy way to test.)
And the documentation on php.net is good enough.

But I avoid using my own sessionhandlers when the built-in session logic
suffices.
But in some situation you *must* take some action when a session expires
without a user/client ("owner" of the session) sending a request, eg
releasing some locks.
I had situations where Person A is modifying a document.
During modification nobody else could open it.
When Person A neatly closes the action, Person B could open that
document and work on it.
Of course, many people simply walk away from their work, and don't close
their work, or log out, hence I had to find a way to find these open
document that should actually be closed, and custom session handlers are
by far the easiest approach.

Regards,
Erwin Moller


>
> Rgds
>
> Denis McMahon


--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
Re: session handler auto log out [message #176094 is a reply to message #176090] Wed, 23 November 2011 11:12 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/23/2011 4:17 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-22 19:18:
>
>> On 11/22/2011 10:55 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2011-11-22 13:18:
>>>
>>>> On 11/22/2011 6:09 AM, Arno Welzel wrote:
>>>> > Jerry Stuckle, 2011-11-21 18:46:
>>>> >
>>>> >> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> >>> Jerry Stuckle, 2011-11-21 15:13:
>>>> >>>
>>>> >>>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >>>>> DavidB, 2011-11-19 23:49:
>>>> >>>>>
>>>> >>>>>> Is there a way to model a session handler to auto logout after
>>>> >>>>>> a specified
>>>> >>>>>> period of time without refreshing the page? Something similar
>>>> >>>>>> to a bank
>>>> >>>>>> website that auto logs me out and redirects me to another page.
>>>> >>>>>
>>>> >>>>> If you want to force the client to redirect the user to another
>>>> >>>>> page as
>>>> >>>>> soon as the session on the *server* times out you must do
>>>> >>>>> periodically
>>>> >>>>> checks on the client e.g. using AJAX.
>>>> >>>>>
>>>> >>>>>
>>>> >>>>
>>>> >>>> Which is not what the op wants. But both Denis and myself already
>>>> >>>> pointed this out two days ago. What's your point?
>>>> >>>
>>>> >>> Using AJAX is not "refreshing the page". You just said "needs a
>>>> >>> request"
>>>> >>> and AJAX is a way to do a request.
>>>> >>
>>>> >> It is a way which will NOT work.
>>>> >
>>>> > Why?
>>>>
>>>> Because the AJAX call will reset the session timer, so the session will
>>>> never time out.
>>>
>>> And where did i say that the AJAX call should be *before* the session
>>> times out?
>>>
>>
>> Backpeddling, huh?
>
> No. You just don't understand it.
>

I understand completely, backpeddler.

>>> And even if it is implemented this way - why should it not be possible
>>> to implement a server side script which responds to the AJAX calls and
>>> checks the existing session without resetting the session timeout?
>>>
>>
>> Backpeddling, huh?
>
> Nope.
>

Yep.

>>> Hint: It is also possible to implement a session handling on your own.
>>>
>>
>> Yup, not easy to do, though.
>
> Recording a timestamp and checking if the time of the last request by
> the user (and not only the "check if session is still valid" request) is
> not older than x minutes is "not easy"?
>

A lot more to it than that, if you actually understood session handling.

> [...]
>>>> And I did not say "refresh the page". I said "needs a request". I
>>>> didn't say what KIND of request.
>>>
>>> So using AJAX to send a request is fine ;-)
>>
>> ROFLMAO! No, I didn't say AJAX was OK.
>>
>> Wise up. You were wrong, but refuse to admit it.
>
> Nope. You just don't understand it.
>
>

I understand completely, backpeddler.

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176096 is a reply to message #176094] Wed, 23 November 2011 15:04 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Jerry Stuckle, 2011-11-23 12:12:

> On 11/23/2011 4:17 AM, Arno Welzel wrote:
>> Jerry Stuckle, 2011-11-22 19:18:
>>
>>> On 11/22/2011 10:55 AM, Arno Welzel wrote:
>>>> Jerry Stuckle, 2011-11-22 13:18:
>>>>
>>>> > On 11/22/2011 6:09 AM, Arno Welzel wrote:
>>>> >> Jerry Stuckle, 2011-11-21 18:46:
>>>> >>
>>>> >>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> >>>> Jerry Stuckle, 2011-11-21 15:13:
>>>> >>>>
>>>> >>>>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >>>>>> DavidB, 2011-11-19 23:49:
>>>> >>>>>>
>>>> >>>>>>> Is there a way to model a session handler to auto logout after
>>>> >>>>>>> a specified
>>>> >>>>>>> period of time without refreshing the page? Something similar
>>>> >>>>>>> to a bank
>>>> >>>>>>> website that auto logs me out and redirects me to another page.
>>>> >>>>>>
>>>> >>>>>> If you want to force the client to redirect the user to another
>>>> >>>>>> page as
>>>> >>>>>> soon as the session on the *server* times out you must do
>>>> >>>>>> periodically
>>>> >>>>>> checks on the client e.g. using AJAX.
>>>> >>>>>>
>>>> >>>>>>
>>>> >>>>>
>>>> >>>>> Which is not what the op wants. But both Denis and myself already
>>>> >>>>> pointed this out two days ago. What's your point?
>>>> >>>>
>>>> >>>> Using AJAX is not "refreshing the page". You just said "needs a
>>>> >>>> request"
>>>> >>>> and AJAX is a way to do a request.
>>>> >>>
>>>> >>> It is a way which will NOT work.
>>>> >>
>>>> >> Why?
>>>> >
>>>> > Because the AJAX call will reset the session timer, so the session will
>>>> > never time out.
>>>>
>>>> And where did i say that the AJAX call should be *before* the session
>>>> times out?
>>>>
>>>
>>> Backpeddling, huh?
>>
>> No. You just don't understand it.
>>
>
> I understand completely, backpeddler.
>
>>>> And even if it is implemented this way - why should it not be possible
>>>> to implement a server side script which responds to the AJAX calls and
>>>> checks the existing session without resetting the session timeout?
>>>>
>>>
>>> Backpeddling, huh?
>>
>> Nope.
>>
>
> Yep.

You still don't get it.

>>>> Hint: It is also possible to implement a session handling on your own.
>>>>
>>>
>>> Yup, not easy to do, though.
>>
>> Recording a timestamp and checking if the time of the last request by
>> the user (and not only the "check if session is still valid" request) is
>> not older than x minutes is "not easy"?
>>
>
> A lot more to it than that, if you actually understood session handling.

I do.

>> [...]
>>>> > And I did not say "refresh the page". I said "needs a request". I
>>>> > didn't say what KIND of request.
>>>>
>>>> So using AJAX to send a request is fine ;-)
>>>
>>> ROFLMAO! No, I didn't say AJAX was OK.
>>>
>>> Wise up. You were wrong, but refuse to admit it.
>>
>> Nope. You just don't understand it.
>
> I understand completely, backpeddler.

No you don't. You said:

"While you can set a session timeout value on the server, you can't
force the client to a different page from the server. It requires a
request from the client."

You don't understand because you assume that any request will *always*
reset the session timeout and you assume that relying on PHPs own
session handling is the only way to go.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176097 is a reply to message #176096] Wed, 23 November 2011 15:39 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/23/2011 10:04 AM, Arno Welzel wrote:
> Jerry Stuckle, 2011-11-23 12:12:
>
>> On 11/23/2011 4:17 AM, Arno Welzel wrote:
>>> Jerry Stuckle, 2011-11-22 19:18:
>>>
>>>> On 11/22/2011 10:55 AM, Arno Welzel wrote:
>>>> > Jerry Stuckle, 2011-11-22 13:18:
>>>> >
>>>> >> On 11/22/2011 6:09 AM, Arno Welzel wrote:
>>>> >>> Jerry Stuckle, 2011-11-21 18:46:
>>>> >>>
>>>> >>>> On 11/21/2011 9:31 AM, Arno Welzel wrote:
>>>> >>>>> Jerry Stuckle, 2011-11-21 15:13:
>>>> >>>>>
>>>> >>>>>> On 11/21/2011 9:07 AM, Arno Welzel wrote:
>>>> >>>>>>> DavidB, 2011-11-19 23:49:
>>>> >>>>>>>
>>>> >>>>>>>> Is there a way to model a session handler to auto logout after
>>>> >>>>>>>> a specified
>>>> >>>>>>>> period of time without refreshing the page? Something similar
>>>> >>>>>>>> to a bank
>>>> >>>>>>>> website that auto logs me out and redirects me to another page.
>>>> >>>>>>>
>>>> >>>>>>> If you want to force the client to redirect the user to another
>>>> >>>>>>> page as
>>>> >>>>>>> soon as the session on the *server* times out you must do
>>>> >>>>>>> periodically
>>>> >>>>>>> checks on the client e.g. using AJAX.
>>>> >>>>>>>
>>>> >>>>>>>
>>>> >>>>>>
>>>> >>>>>> Which is not what the op wants. But both Denis and myself already
>>>> >>>>>> pointed this out two days ago. What's your point?
>>>> >>>>>
>>>> >>>>> Using AJAX is not "refreshing the page". You just said "needs a
>>>> >>>>> request"
>>>> >>>>> and AJAX is a way to do a request.
>>>> >>>>
>>>> >>>> It is a way which will NOT work.
>>>> >>>
>>>> >>> Why?
>>>> >>
>>>> >> Because the AJAX call will reset the session timer, so the session will
>>>> >> never time out.
>>>> >
>>>> > And where did i say that the AJAX call should be *before* the session
>>>> > times out?
>>>> >
>>>>
>>>> Backpeddling, huh?
>>>
>>> No. You just don't understand it.
>>>
>>
>> I understand completely, backpeddler.
>>
>>>> > And even if it is implemented this way - why should it not be possible
>>>> > to implement a server side script which responds to the AJAX calls and
>>>> > checks the existing session without resetting the session timeout?
>>>> >
>>>>
>>>> Backpeddling, huh?
>>>
>>> Nope.
>>>
>>
>> Yep.
>
> You still don't get it.
>
>>>> > Hint: It is also possible to implement a session handling on your own.
>>>> >
>>>>
>>>> Yup, not easy to do, though.
>>>
>>> Recording a timestamp and checking if the time of the last request by
>>> the user (and not only the "check if session is still valid" request) is
>>> not older than x minutes is "not easy"?
>>>
>>
>> A lot more to it than that, if you actually understood session handling.
>
> I do.
>
>>> [...]
>>>> >> And I did not say "refresh the page". I said "needs a request". I
>>>> >> didn't say what KIND of request.
>>>> >
>>>> > So using AJAX to send a request is fine ;-)
>>>>
>>>> ROFLMAO! No, I didn't say AJAX was OK.
>>>>
>>>> Wise up. You were wrong, but refuse to admit it.
>>>
>>> Nope. You just don't understand it.
>>
>> I understand completely, backpeddler.
>
> No you don't. You said:
>
> "While you can set a session timeout value on the server, you can't
> force the client to a different page from the server. It requires a
> request from the client."
>
> You don't understand because you assume that any request will *always*
> reset the session timeout and you assume that relying on PHPs own
> session handling is the only way to go.
>
>

No, but I also know that any request which does not reset the timeout
does not cause a redirect.

We are talking PHP sessions here, not something you've cobbled up on the
side. And that's how PHP sessions work.


--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176099 is a reply to message #176093] Wed, 23 November 2011 18:53 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Wed, 23 Nov 2011 10:55:36 +0100, Erwin Moller wrote:

> On 11/23/2011 3:09 AM, Denis McMahon wrote:
>> On Tue, 22 Nov 2011 16:55:40 +0100, Arno Welzel wrote:
>>
>>>> Because the AJAX call will reset the session timer, so the session
>>>> will never time out.
>>>
>>> And where did i say that the AJAX call should be *before* the session
>>> times out?
>>
>> If the ajax call is made after the session has timed out, then you're
>> back to the previously discussed situation where you get a request
>> without a valid current session ID and do with it as you wish.
>>
>> Any request, whether ajax initiated, a form submission, clicking a
>> link, grabbing an image etc will send the session cookie from the
>> client to the server if a session cookie is defined.

> Are you sure a request for an *image* will modify the Session?
>
> I thought the Session would only be updated if session_start() is used
> (directly or indirectly by activation session.auto_start).

Read what I wrote again:

1) Any request ... will send the session cookie from the client to the
server if a session cookie is defined.

This is something that the client does - if it has valid (non expired)
cookies for the server and makes a request to the server, it sends the
cookies.

So yes, the client browser sends the cookies with every request,
including images etc.

If the request is then served by php (and you can serve any content with
php) _and_ that php invokes the session handler, then the php session
timer is reset in the server, and an updated session cookie will be sent
back to the client browser.

eg if my web page includes <img src="server/getimage.php?imgid=76">

and getimage.php looks something like:

<?php
session_start();
$imageId = 2;
if (isset($_POST['imgid'])) $tmpImgId = intval($_POST['imgid']);
if ($tmpImgId > 1 && $tmpImgId < 1000) $imageId = $tmpImgId;
$imgFile = "/disks/images/webimages/{$imageId}.png"
if (file_exists($imgFile)) {
$size = getimagesize($imgFile);
if $size) {
header('Content-Type: ' . $size['mime'];);
header('Content-Length: ' . filesize($imgFile));
ob_clean();
flush();
readfile($imgFile);
exit;
}
else {
// error - not an identifiable image file
}
}
else {
// error - file doesn't exist
}
?>

(I may not have included all the relevant error handling, validations and
verifications)

Then requesting this image will reset any session expiry timer on the
server.

Rgds

Denis McMahon
Re: session handler auto log out [message #176101 is a reply to message #176090] Wed, 23 November 2011 18:58 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:

>>> Hint: It is also possible to implement a session handling on your own.

>> Yup, not easy to do, though.

> Recording a timestamp and checking if the time of the last request by
> the user (and not only the "check if session is still valid" request) is
> not older than x minutes is "not easy"?

and the session variables?

Rgds

Denis McMahon
Re: session handler auto log out [message #176104 is a reply to message #176101] Wed, 23 November 2011 19:42 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Denis McMahon, 2011-11-23 19:58:

> On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:
>
>>>> Hint: It is also possible to implement a session handling on your own.
>
>>> Yup, not easy to do, though.
>
>> Recording a timestamp and checking if the time of the last request by
>> the user (and not only the "check if session is still valid" request) is
>> not older than x minutes is "not easy"?
>
> and the session variables?

They get lost, as soon as the PHP session times out of course - but by
doing periodically request using JavaScript this will not happen, so one
has to implement additional logic to maintain your application specific
session timeout and to distinguish between the periodically session
checks via JavaScript and "real" requests caused by user interaction.

In case JavaScript is not available, the session will just time out, any
session variable will be lost and usually the redirection to a "session
timed out" page will be done using the referrer which indicates the
previous page was one which is only accessible for logged in users.

If there is even no referrer you can not distinguish between a session
timeout or a new session and you have to redirect to a general login
page, maybe with an additional explanation like "maybe your session
timed out because we did not receive any request for more than 5
minutes" or similar.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176106 is a reply to message #176104] Wed, 23 November 2011 23:07 Go to previous messageGo to next message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Wed, 23 Nov 2011 20:42:40 +0100, Arno Welzel wrote:

> Denis McMahon, 2011-11-23 19:58:
>
>> On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:
>>
>>>> > Hint: It is also possible to implement a session handling on your
>>>> > own.

>>>> Yup, not easy to do, though.

>>> Recording a timestamp and checking if the time of the last request by
>>> the user (and not only the "check if session is still valid" request)
>>> is not older than x minutes is "not easy"?

>> and the session variables?

> They get lost, as soon as the PHP session times out of course - but by
> doing periodically request using JavaScript this will not happen, so one
> has to implement additional logic to maintain your application specific
> session timeout and to distinguish between the periodically session
> checks via JavaScript and "real" requests caused by user interaction.

I was asking how you're going to handle session variables in your own
session handler.

It seems you're not going to handle them ....

Rgds

Denis McMahon
Re: session handler auto log out [message #176107 is a reply to message #176106] Thu, 24 November 2011 04:57 Go to previous messageGo to next message
Jerry Stuckle is currently offline  Jerry Stuckle
Messages: 2598
Registered: September 2010
Karma: 0
Senior Member
On 11/23/2011 6:07 PM, Denis McMahon wrote:
> On Wed, 23 Nov 2011 20:42:40 +0100, Arno Welzel wrote:
>
>> Denis McMahon, 2011-11-23 19:58:
>>
>>> On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:
>>>
>>>> >> Hint: It is also possible to implement a session handling on your
>>>> >> own.
>
>>>> > Yup, not easy to do, though.
>
>>>> Recording a timestamp and checking if the time of the last request by
>>>> the user (and not only the "check if session is still valid" request)
>>>> is not older than x minutes is "not easy"?
>
>>> and the session variables?
>
>> They get lost, as soon as the PHP session times out of course - but by
>> doing periodically request using JavaScript this will not happen, so one
>> has to implement additional logic to maintain your application specific
>> session timeout and to distinguish between the periodically session
>> checks via JavaScript and "real" requests caused by user interaction.
>
> I was asking how you're going to handle session variables in your own
> session handler.
>
> It seems you're not going to handle them ....
>
> Rgds
>
> Denis McMahon

Nope, but that's because he has no idea what he's doing. I suspect
someone told him posting in usenet would bring him business. But the
failed to impress on him that posting ACCURATE guidance on usenet is
what's needed. Otherwise he's just making a fool of himself (and
driving away business).

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex(at)attglobal(dot)net
==================
Re: session handler auto log out [message #176111 is a reply to message #176106] Thu, 24 November 2011 08:47 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Denis McMahon, 2011-11-24 00:07:

> On Wed, 23 Nov 2011 20:42:40 +0100, Arno Welzel wrote:
>
>> Denis McMahon, 2011-11-23 19:58:
>>
>>> On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:
>>>
>>>> >> Hint: It is also possible to implement a session handling on your
>>>> >> own.
>
>>>> > Yup, not easy to do, though.
>
>>>> Recording a timestamp and checking if the time of the last request by
>>>> the user (and not only the "check if session is still valid" request)
>>>> is not older than x minutes is "not easy"?
>
>>> and the session variables?
>
>> They get lost, as soon as the PHP session times out of course - but by
>> doing periodically request using JavaScript this will not happen, so one
>> has to implement additional logic to maintain your application specific
>> session timeout and to distinguish between the periodically session
>> checks via JavaScript and "real" requests caused by user interaction.
>
> I was asking how you're going to handle session variables in your own
> session handler.
>
> It seems you're not going to handle them ....

Yep - because it is not neccessary *replace* the PHP session handler -
just some additional logic is needed to "emulate" a timeout and to
destroy the session if the timeout is reached.


--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176112 is a reply to message #176107] Thu, 24 November 2011 08:53 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Jerry Stuckle, 2011-11-24 05:57:

> On 11/23/2011 6:07 PM, Denis McMahon wrote:
>> On Wed, 23 Nov 2011 20:42:40 +0100, Arno Welzel wrote:
>>
>>> Denis McMahon, 2011-11-23 19:58:
>>>
>>>> On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:
>>>>
>>>> >>> Hint: It is also possible to implement a session handling on your
>>>> >>> own.
>>
>>>> >> Yup, not easy to do, though.
>>
>>>> > Recording a timestamp and checking if the time of the last request by
>>>> > the user (and not only the "check if session is still valid" request)
>>>> > is not older than x minutes is "not easy"?
>>
>>>> and the session variables?
>>
>>> They get lost, as soon as the PHP session times out of course - but by
>>> doing periodically request using JavaScript this will not happen, so one
>>> has to implement additional logic to maintain your application specific
>>> session timeout and to distinguish between the periodically session
>>> checks via JavaScript and "real" requests caused by user interaction.
>>
>> I was asking how you're going to handle session variables in your own
>> session handler.
>>
>> It seems you're not going to handle them ....
>>
>> Rgds
>>
>> Denis McMahon
>
> Nope, but that's because he has no idea what he's doing. I suspect

Aha. I wonder, how i managed to run my own sites for the last seven
years if i don't have any idea what i'm doing. A miracle ;-)

> someone told him posting in usenet would bring him business. But the
> failed to impress on him that posting ACCURATE guidance on usenet is
> what's needed. Otherwise he's just making a fool of himself (and
> driving away business).

I see, you still don't get it and you decided to insult people.



--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176117 is a reply to message #176112] Thu, 24 November 2011 10:19 Go to previous messageGo to next message
Arno Welzel is currently offline  Arno Welzel
Messages: 317
Registered: October 2011
Karma: 0
Senior Member
Arno Welzel, 2011-11-24 09:53:

> Jerry Stuckle, 2011-11-24 05:57:
>
>> On 11/23/2011 6:07 PM, Denis McMahon wrote:
>>> On Wed, 23 Nov 2011 20:42:40 +0100, Arno Welzel wrote:
>>>
>>>> Denis McMahon, 2011-11-23 19:58:
>>>>
>>>> > On Wed, 23 Nov 2011 10:17:45 +0100, Arno Welzel wrote:
>>>> >
>>>> >>>> Hint: It is also possible to implement a session handling on your
>>>> >>>> own.
>>>
>>>> >>> Yup, not easy to do, though.
>>>
>>>> >> Recording a timestamp and checking if the time of the last request by
>>>> >> the user (and not only the "check if session is still valid" request)
>>>> >> is not older than x minutes is "not easy"?
>>>
>>>> > and the session variables?
>>>
>>>> They get lost, as soon as the PHP session times out of course - but by
>>>> doing periodically request using JavaScript this will not happen, so one
>>>> has to implement additional logic to maintain your application specific
>>>> session timeout and to distinguish between the periodically session
>>>> checks via JavaScript and "real" requests caused by user interaction.
>>>
>>> I was asking how you're going to handle session variables in your own
>>> session handler.
>>>
>>> It seems you're not going to handle them ....
>>>
>>> Rgds
>>>
>>> Denis McMahon
>>
>> Nope, but that's because he has no idea what he's doing. I suspect
>
> Aha. I wonder, how i managed to run my own sites for the last seven
> years if i don't have any idea what i'm doing. A miracle ;-)
>
>> someone told him posting in usenet would bring him business. But the
>> failed to impress on him that posting ACCURATE guidance on usenet is
>> what's needed. Otherwise he's just making a fool of himself (and
>> driving away business).
>
> I see, you still don't get it and you decided to insult people.

I'm not sure if you will understand it - but as a "quick & dirty"
demonstration of what i'm talking about:

<http://arnowelzel.de/samples/sessiondemo.php>

And the source for this::

<http://arnowelzel.de/samples/sessiondemo.php.txt>



--
Arno Welzel
http://arnowelzel.de
http://de-rec-fahrrad.de
Re: session handler auto log out [message #176132 is a reply to message #176099] Fri, 25 November 2011 09:40 Go to previous messageGo to next message
Erwin Moller is currently offline  Erwin Moller
Messages: 228
Registered: September 2010
Karma: 0
Senior Member
On 11/23/2011 7:53 PM, Denis McMahon wrote:
> On Wed, 23 Nov 2011 10:55:36 +0100, Erwin Moller wrote:
>
>> On 11/23/2011 3:09 AM, Denis McMahon wrote:
>>> On Tue, 22 Nov 2011 16:55:40 +0100, Arno Welzel wrote:
>>>
>>>> > Because the AJAX call will reset the session timer, so the session
>>>> > will never time out.
>>>>
>>>> And where did i say that the AJAX call should be *before* the session
>>>> times out?
>>>
>>> If the ajax call is made after the session has timed out, then you're
>>> back to the previously discussed situation where you get a request
>>> without a valid current session ID and do with it as you wish.
>>>
>>> Any request, whether ajax initiated, a form submission, clicking a
>>> link, grabbing an image etc will send the session cookie from the
>>> client to the server if a session cookie is defined.
>
>> Are you sure a request for an *image* will modify the Session?
>>
>> I thought the Session would only be updated if session_start() is used
>> (directly or indirectly by activation session.auto_start).
>
> Read what I wrote again:
>
> 1) Any request ... will send the session cookie from the client to the
> server if a session cookie is defined.
>
> This is something that the client does - if it has valid (non expired)
> cookies for the server and makes a request to the server, it sends the
> cookies.
>
> So yes, the client browser sends the cookies with every request,
> including images etc.
>
> If the request is then served by php (and you can serve any content with
> php) _and_ that php invokes the session handler, then the php session
> timer is reset in the server, and an updated session cookie will be sent
> back to the client browser.
>
> eg if my web page includes<img src="server/getimage.php?imgid=76">
>
> and getimage.php looks something like:
>
> <?php
> session_start();

etc..

<snip>

Hi Dennis,

OK, Then we agree completely.

The reason I interrupted was simply that we were discussing updating
session expiration. In that context your former posting could easily be
misinterpreted, although you didn't write it exactly that the session
expiration would be updated by a typical image request (no PHP involved).
And I just wanted to make that point clear. :-)

Regards,
Erwin Moller

--
"That which can be asserted without evidence, can be dismissed without
evidence."
-- Christopher Hitchens
Re: session handler auto log out [message #176150 is a reply to message #176132] Sat, 26 November 2011 18:36 Go to previous message
Denis McMahon is currently offline  Denis McMahon
Messages: 634
Registered: September 2010
Karma: 0
Senior Member
On Fri, 25 Nov 2011 10:40:29 +0100, Erwin Moller wrote:

> The reason I interrupted was simply that we were discussing updating
> session expiration. In that context your former posting could easily be
> misinterpreted, although you didn't write it exactly that the session
> expiration would be updated by a typical image request (no PHP
> involved). And I just wanted to make that point clear. :-)

Yeah, there were two points I was trying to get across:

a) If the client has a session cookie applicable to a request that it is
making, it sends the cookie; and

b) If the server handles the request with php that invokes the session
handler, then the session timeout will get updated

If both above conditions (a and b) are true, it doesn't matter what's
being requested (pdf files, favicon, linked style sheets, javascript
files, images, archives of some sort whether compressed or not, ajax
requests etc), the session timer gets updated in the process of servicing
the request and an updated session cookie is issued.

But I thought I made it fairly clear originally that I was only talking
about cases where the request was served by a php script that invoked the
session handler in the process.

Rgds

Denis McMahon
  Switch to threaded view of this topic Create a new topic Submit Reply
Previous Topic: preg_match() oddities and question
Next Topic: Phone number formatting
Goto Forum:
  

-=] Back to Top [=-
[ Syndicate this forum (XML) ] [ RSS ]

Current Time: Fri Nov 22 03:19:31 GMT 2024

Total time taken to generate the page: 0.03357 seconds