We can use sessions in PHP to store or persist temporary user data for a specified duration, as discussed in Using Sessions in PHP. PHP still needs to store the session id in a cookie on the browser or client side, as shown in Fig 1.
The session id stored on the browser in the PHPSESSID cookie is the only way PHP can identify the user's session on the server side. This exposes the PHPSESSID cookie to attackers who steal it and query the server to process requests on behalf of the actual user. This is session hijacking: the stolen session id lets the attacker access the data of the active session. To prevent unauthorized requests, we can also use a strong cryptographic token that changes with every request made by the client.
We can further tighten security by timing out the session as soon as its usage is over. This also erases the session cookie on the browser or client side. This tutorial provides the methods to set the timeout for sessions in PHP. We can time out a PHP session programmatically, through the session.gc_maxlifetime setting in PHP's ini file, or by calling the ini_set function.
Update PHP ini
We can update session.gc_maxlifetime by editing PHP's ini file. A few example locations of php.ini are shown below.
# WampServer -> Example -> <WampServer Path>/bin/php/php7.2.14/php.ini
# XAMPP -> Example -> <XAMPP Path>/php/php.ini
# Ubuntu -> Apache Example -> /etc/php/7.2/apache2/php.ini
Now search your php.ini file for session.gc_maxlifetime and update it as shown below.
; After this number of seconds, stored data will be seen as 'garbage' and
; cleaned up by the garbage collection process.
; http://php.net/session.gc-maxlifetime
;session.gc_maxlifetime = 1440
session.gc_maxlifetime = 900
I have updated the default value of 24 minutes (1440 seconds) to 15 minutes (900 seconds) as shown above. Now restart Apache or Nginx, depending on your server setup.
You may also time out the session cookie by changing the default session.cookie_lifetime of 0 to the same value as the session timeout. In that case, make sure that you renew the cookie's expiry time on each request; otherwise the cookie expires a fixed time after it was first issued, regardless of user activity.
; Lifetime in seconds of cookie or, if 0, until browser is restarted.
; http://php.net/session.cookie-lifetime
;session.cookie_lifetime = 0
session.cookie_lifetime = 900
Use the ini_set Function
We can also call the ini_set function instead of changing the default session timeout in php.ini as shown in the previous step. The ini_set calls must run before session_start, because the session settings are read when the session starts. We can change session.gc_maxlifetime with ini_set as shown below.
<?php
// Configure timeout to 15 minutes
$timeout = 900;

// Set the maxlifetime of session (must be set before session_start)
ini_set( "session.gc_maxlifetime", $timeout );

// Also set the session cookie timeout
ini_set( "session.cookie_lifetime", $timeout );

// Now start the session
session_start();

// Renew the expiry of the session cookie on every request
$sessionName = session_name();

if( isset( $_COOKIE[ $sessionName ] ) ) {
    setcookie( $sessionName, $_COOKIE[ $sessionName ], time() + $timeout, '/' );
}
Programmatic Session Timeout
We can time out a session programmatically without modifying the PHP configuration, using the example shown below. This works exactly as we want it to, without relying on PHP's garbage collection, which runs only with a probability of session.gc_probability divided by session.gc_divisor on each session start and therefore might not remove the session at the specified duration.
<?php
// Start the session
session_start();

// Session timeout duration in seconds
// Specify a value less than PHP's default timeout of 24 minutes
$timeout = 900;

// Check existing timeout variable
if( isset( $_SESSION[ 'lastaccess' ] ) ) {
    // Time elapsed since the user's last request
    $duration = time() - intval( $_SESSION[ 'lastaccess' ] );

    // Destroy the session if the last request is older than the timeout
    if( $duration > $timeout ) {
        // Clear the session
        session_unset();
        // Destroy the session
        session_destroy();
        // Restart the session
        session_start();
        // Issue a fresh session id so the expired id is not reused
        session_regenerate_id( true );
    }
}

// Set the last request variable
$_SESSION['lastaccess'] = time();
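The snippet above expires the server-side session but leaves the PHPSESSID cookie on the browser. The following is an added example, not code from the original tutorial, that packages the same idle-timeout logic into reusable functions and also removes the cookie from the client, as the introduction promises. The function names, the lastaccess key and the 900-second default are this example's own choices; the setcookie options array and session_get_cookie_params are standard PHP (7.3 or later).

```php
<?php
// Added example (not from the original tutorial): idle timeout that also
// removes the session cookie from the browser. Function names and the
// 'lastaccess' key are this example's own choices.

declare(strict_types=1);

// Pure check, kept separate so it can be unit-tested without a live session.
function session_is_expired(array $session, int $now, int $timeout): bool
{
    if (!isset($session['lastaccess'])) {
        return false;            // first request: nothing to expire yet
    }
    return ($now - intval($session['lastaccess'])) > $timeout;
}

// Delete the session cookie on the client by re-sending it with an expiry
// in the past and the same parameters it was originally issued with.
function expire_session_cookie(): void
{
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
}

// Call this once at the top of every request that uses the session,
// before any output is sent. Returns true when an idle session was
// destroyed on this request.
function enforce_idle_timeout(int $timeout = 900): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    $expired = session_is_expired($_SESSION, time(), $timeout);
    if ($expired) {
        $_SESSION = [];
        expire_session_cookie();
        session_destroy();
        // Start a new, empty session under a fresh id so the old id can
        // never be presented again.
        session_start();
        session_regenerate_id(true);
    }

    $_SESSION['lastaccess'] = time();
    return $expired;
}

// Usage (constructed): treat an expired session like a logout.
// if (enforce_idle_timeout(900)) {
//     header('Location: /login.php?reason=timeout');
//     exit;
// }
```

Because the check in session_is_expired takes the session array and the current time as arguments, it can be exercised in a test with constructed values such as ['lastaccess' => 0] and a timeout of 900, without starting a session or sending headers.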
Summary
This tutorial explained why session timeouts matter and presented the options for specifying the duration after which a session times out.