The first thing to understand is that users don't care about sessions; the session is something you as a developer are forcing onto the user to meet your security/application needs. In an ideal world the session would never expire, like Facebook, Hotmail etc. That said, in some situations such as bank sites we still need to expire sessions, as we don't want to leave the door open for anyone to steal our money when we go to the loo or something.

Ok, so when we have to expire a session should we warn the user and give them the option to extend?

Well, expiring a session is used to log the user out when they are not using the site/application, to secure the data. Logically, if the user is still using the site then their session should not expire. Therefore warning the user of impending session expiry becomes irrelevant, i.e. if the user is using the site they should never see it AND if the user is not using the site they will never see it. If you have to have sessions which expire, focus your efforts on recording user activity better so that sessions do not expire for active users.

EDIT: e.g. for our web app I have developed a JavaScript engine which captures client-side user interactions such as key down, mouse move, mouse clicks, scrolling etc. When a user event is fired an ajax request is sent to keep the session alive. To avoid numerous ajax calls to the server every time a user moves their mouse you can set the JavaScript to only send an ajax request once every 5 minutes or so: if last user interaction time > 5 mins then send ajax request to keep session alive.

A session is a way to store information (in variables) to be used across multiple HTTP requests, to simulate a "state" across page navigation. Unlike a cookie, the information is not stored on the end user's computer but on the application server. For security reasons, sessions have a time limit, after which they expire.

PHP has a default session timeout limit, and sometimes it is not the timeout your application needs. In this post we will learn how to change the PHP session timeout.

The PHP session timeout depends on the server configuration, specifically the session.gc_maxlifetime directive in the php.ini file. Typically the default PHP session timeout is 24 minutes (1440 seconds), but your web host may have altered the default to something else.

OWASP, one of the most authoritative web application security standards organizations, says about session timeouts:

"Insufficient session expiration by the web application increases the exposure of other session-based attacks, as for the attacker to be able to reuse a valid session ID and hijack the associated session, it must still be active. The shorter the session interval is, the lesser the time an attacker has to use the valid session ID. The session expiration timeout values must be set accordingly with the purpose and nature of the web application, and balance security and usability, so that the user can comfortably complete the operations within the web application without his session frequently expiring… Common idle timeouts ranges are 2-5 minutes for high-value applications and 15-30 minutes for low risk applications."

From the federal guideline perspective, the draft NIST 800-63B – Digital Identity Guidelines proposes the following recommendation for providing high confidence for authentication: "Reauthentication of the subscriber SHALL be repeated following no more than 30 minutes of user inactivity." So your sessions should not last longer than 30 minutes. Read the session timeout considerations in this article.

The timeout limit of the session in PHP is configured using two directives in the php.ini file:

session.gc_maxlifetime: sets the time limit, in seconds, for which session information is kept on the server.
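As an added example (not code from the original post), the following PHP enforces the 30-minute idle limit explicitly on every request, because session.gc_maxlifetime only marks stale data as collectable and garbage collection runs probabilistically, so an expired session can still be accepted until the collector happens to run. The helper name session_is_fresh, the ABSOLUTE_TIMEOUT value and the /login.php redirect path are assumptions for this example.

```php
<?php
declare(strict_types=1);

// Idle limit: the 30-minute figure quoted from NIST 800-63B above.
// Absolute limit: an assumed policy value for this example, not from the post.
const IDLE_TIMEOUT     = 30 * 60;
const ABSOLUTE_TIMEOUT = 8 * 60 * 60;

/**
 * Apply the timeout policy to a session array (hypothetical helper).
 * Returns true and refreshes the activity stamp while the session is valid;
 * returns false once the idle or absolute limit has been exceeded.
 * Taking the array by reference keeps the logic testable without a real session.
 */
function session_is_fresh(array &$session, int $now): bool
{
    if (!isset($session['created_at'], $session['last_activity'])) {
        $session['created_at'] = $session['last_activity'] = $now; // first request
        return true;
    }
    if ($now - $session['last_activity'] > IDLE_TIMEOUT) {
        return false;                        // idle too long
    }
    if ($now - $session['created_at'] > ABSOLUTE_TIMEOUT) {
        return false;                        // lived too long, even if active
    }
    $session['last_activity'] = $now;        // sliding window: each request extends it
    return true;
}

// Align the php.ini-level directives with the policy before the session starts.
// gc_maxlifetime only marks stale data as collectable; the check above is what
// actually refuses an expired session on the next request.
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);
ini_set('session.cookie_lifetime', '0');     // cookie is discarded when the browser closes
ini_set('session.cookie_httponly', '1');     // keep the ID away from client-side script
ini_set('session.use_strict_mode', '1');     // never adopt an ID the server did not issue
session_start();

if (!session_is_fresh($_SESSION, time())) {
    $_SESSION = [];
    session_destroy();                       // remove the server-side record
    header('Location: /login.php?reason=timeout'); // login path is assumed
    exit;
}
// A keep-alive endpoint hit by client-side JavaScript, as described above, needs
// nothing more than including this file: the call to session_is_fresh() refreshes
// last_activity, so an active user never sees the timeout.
```

If the session save path is shared with other applications on the host, the shortest gc_maxlifetime among them decides when session files are collected, so give the application its own session.save_path.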