Setting expiration of sessions


deafboyzaudio
04-19-2010, 05:15 PM
I have a forgot password page that sets a random session var when the user requests a reset password email.

I want this session var to expire after, say, 24 hours of being on the server. The user will not be logged in, obviously, so I am wondering how to set an expiration time for this....

??

davidj
04-22-2010, 08:20 AM
This is bad karma messing with sessions like this.

I'd try and program this if possible

tux
04-22-2010, 02:43 PM
How about setting a timestamp in your DB at the moment they ask for a password reset. Then when they come back to complete the password change you could check how long has passed by taking a new timestamp and comparing the difference.

You would then have control over it and not have to rely on a session.

davidj
04-22-2010, 04:56 PM
I'd do it with cookies, set expiration to 24 hours

deafboyzaudio
04-23-2010, 03:20 AM
How about setting a timestamp in your DB at the moment they ask for a password reset. Then when they come back to complete the password change you could check how long has passed by taking a new timestamp and comparing the difference.

I like that idea but I don't want to bloat my whole members table with a timestamp 1 and 2 column for everyone.

I could do a separate table and only make rows for users that need it, then routinely delete ones older than say 48 hours....

I'd do it with cookies, set expiration to 24 hours

I like this one too b/c it's simple, but what if people have cookies disabled??

One question, do session vars set on the server auto expire after a certain amount of time??? I set a session var when they request the reset password email, and the name of that session (random 25 char) is put onto a query string in the link they click to verify the request for the reset password page....

Basically if sessions expire after say 24 hours, clicking the link after 24 hours would void the link even if it was validly requested... does that make sense?

Do I have to keep the auto expire session time of that session in mind when I choose a valid reset time to define?

davidj
04-23-2010, 02:54 PM
One question, do session vars set on the server auto expire after a certain amount of time???

Yes they do, but garbage collection doesn't destroy them every time. It plays chance based on some calculations, which means there could be as little as a 5% chance they get disposed of when you want them to.

The thing is, if you're on a shared host then the session directives are shared also and everyone times out after the same interval or thereabouts. Getting the host to change this value would be like asking them to stuff wasps down their pants.

You could implement the cookie thing first off and if a user does not have cookies enabled then use the db implementation to cover those people.

deafboyzaudio
04-27-2010, 05:14 PM
Sounds good.... I won't have time to implement this for a while but I will get to it as soon as I can. Thanks for the suggestions!!!
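
The database approach suggested in this thread (a timestamp written at request time, kept in a separate table with rows only for users who asked, and old rows deleted routinely) can be sketched as follows. This is an added example, not code from any poster: the table name `password_resets`, the function names and the in-memory SQLite database are assumptions, and storing only a hash of the token and making the link single-use go beyond what the thread discusses.

```python
import hashlib
import secrets
import sqlite3

TTL = 24 * 3600          # link lifetime discussed in the thread (24 hours)
PURGE_AFTER = 48 * 3600  # cleanup horizon discussed in the thread (48 hours)

def open_db():
    # Hypothetical schema: one row per outstanding reset request only.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE password_resets ("
               "token_hash TEXT PRIMARY KEY, "
               "user_id INTEGER NOT NULL, "
               "created_at INTEGER NOT NULL)")
    return db

def _hash(token):
    # Only the hash is stored, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(db, user_id, now):
    """Record the request time and return the token for the e-mailed link."""
    token = secrets.token_urlsafe(32)  # CSPRNG, not a guessable random string
    with db:
        # A new request invalidates any earlier link for the same user.
        db.execute("DELETE FROM password_resets WHERE user_id = ?", (user_id,))
        db.execute("INSERT INTO password_resets VALUES (?, ?, ?)",
                   (_hash(token), user_id, now))
    return token

def redeem(db, token, now):
    """Return user_id if the token exists and is within TTL, else None."""
    with db:
        row = db.execute("SELECT user_id, created_at FROM password_resets "
                         "WHERE token_hash = ?", (_hash(token),)).fetchone()
        if row is None:
            return None
        # Delete on first use, whether or not it has expired (single use).
        db.execute("DELETE FROM password_resets WHERE token_hash = ?",
                   (_hash(token),))
        user_id, created_at = row
        return user_id if now - created_at <= TTL else None

def purge(db, now):
    """Routine cleanup: drop rows older than PURGE_AFTER; return the count."""
    with db:
        cur = db.execute("DELETE FROM password_resets WHERE created_at < ?",
                         (now - PURGE_AFTER,))
        return cur.rowcount
```

Because expiry is decided by comparing timestamps at redeem time, the validity window does not depend on session garbage collection or on whether the browser accepts cookies.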