* Thus wrote Seth Willits ([EMAIL PROTECTED]):
> From what I see, the default timeout for a session is 1440 seconds or
> 24 minutes. I was gone for nearly an hour, came back, and the session
> was still valid. Must the value set in the config file be different
> than 1440, or am I misunderstanding session.gc_maxlifetime? I'd like
> for the user to be required to log in if they've been inactive for 10
> minutes, or if they closed the browser window and opened another one.
The issue with the session still being around when your browser
closed then reopened has to with the ini setting:
session.cookie_lifetime
You want it to be 0, for it to expire as soon as the browser closes.
You might want to manage your lifetime of the session yourself,
like Tom Rogers suggested. This will also avoid issues with clock
settings on the client's computer. So a set up with something like
this:
php.ini:
session.cookie_lifetime = 0
file.php:
$lifetime = (60 * 10); // 10 minutes lifetime
session_start();
if (! empty($_SESSION['last_access'] &&
$_SESSION['last_access'] >= (time() + $lifetime) ) {
// Session has expired
$_SESSION = array(); // kill session
} else {
$_SESSION['last_access'] = time();
}
-OR-
if you're not worried about the client's clock being fast or slow:
php.ini:
session.cookie_lifetime = 10;
Curt
--
"I used to think I was indecisive, but now I'm not so sure."
--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
