From: "Hans Lellelid" <[EMAIL PROTECTED]>
> - keep your gc_maxlifetime as small as possible; that way if a user does
> close their browser their session won't remain active for 12+ hours.
> You might want to consider ways of periodically refreshing the page
> using an iframe or even just a <meta refresh...> solution. That will
> address the need to stay logged-in while the browser is open, while also
> allowing you to have a very brief session lifetime.
Excellent points, Hans.
One other thing to add. When a user requests a page and you determine that
their session is not valid (probably because they've been inactive too long
and the garbage collection deleted their session file), start a new session
and store the filename and query string of the request before you redirect
back to the login page. Then, after you validate any login, check for the
existence of a saved page and query string and redirect there instead of
your page.
The end result is a lot cleaner for the user. Sure, they'll have to log in
again, but they'll be redirected right back to the page they requested,
anyhow. You end up with shorter session files making hijacking harder and
less frustration from the user having to navigate back to wherever they
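The save-and-redirect flow described in the reply above, as an added PHP example that is not part of the original thread. The file names (`login.php`, `/index.php`) and the function names are assumptions; the example also adds the check a practitioner would want here, namely that the saved target is a local path so the login page cannot be abused as an open redirect.

```php
<?php
// Added example (not from the thread): remember the requested page when the
// session has expired, then send the user back there after a fresh login.
// Assumed layout: every protected page calls require_login() first, and
// login.php calls redirect_after_login() once credentials are verified.

function require_login(): void
{
    session_start();
    if (!empty($_SESSION['user_id'])) {
        return; // session still valid, nothing to do
    }
    // Session expired or was garbage-collected: store path + query string
    // (REQUEST_URI carries both), never a full URL, then go to the login page.
    $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
    header('Location: /login.php');
    exit;
}

// Accept only same-site paths. A value like "//evil.example/", "/\evil.example"
// or "https://evil.example/" must fall back to the default landing page.
function safe_return_path(?string $path, string $default = '/index.php'): string
{
    if ($path === null || $path === '' || $path[0] !== '/') {
        return $default;
    }
    if (preg_match('#^/[/\\\\]#', $path)) { // protocol-relative forms
        return $default;
    }
    $parts = parse_url($path);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    return $path;
}

function redirect_after_login(int $userId): void
{
    // Called by login.php after the credentials have been checked.
    session_regenerate_id(true);   // fresh id so a pre-login id cannot be reused
    $_SESSION['user_id'] = $userId;
    $target = safe_return_path($_SESSION['return_to'] ?? null);
    unset($_SESSION['return_to']); // one-shot: do not keep it around
    header('Location: ' . $target);
    exit;
}
```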
PHP Database Mailing List (http://www.php.net/)