From: "Hans Lellelid" <[EMAIL PROTECTED]>

> - keep your gc_maxlifetime as small as possible; that way if a user does
> close their browser their session won't remain active for 12+ hours.
> You might want to consider ways of periodically refreshing the page
> using an iframe or even just a <meta refresh...> solution.  That will
> address the need to stay logged-in while the browser is open, while also
> allowing you to have a very brief session lifetime.

Excellent points, Hans.

One other thing to add. When a user requests a page and you determine that
their session is not valid (probably because they've been inactive too long
and the garbage collection deleted their session file), start a new session
and store the filename and query string of the request before you redirect
back to the login page. Then, after you validate any login, check for the
existance of a saved page and query string and redirect there instead of
your page page.

The end result is a lot cleaner for the user. Sure, they'll have to log in
again, but they'll be redirected right back to the page they requested,
anyhow. You end up with shorter session files making hijacking harder and
less frustration from the user having to navigate back to wherever they

---John Holmes...

PHP Database Mailing List (
To unsubscribe, visit:

Reply via email to