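I am creating a login script, and when a user logs in, he should be able to stay logged in for 3 hours before the system logs him out.
PHP login session timeout error
Here is my login.php: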
....
$_SESSION['dgUserLoggedIn'] = true;
$_SESSION['timeout'] = time();
....
login-check.php, which is at the top of every page that requires authentication:
    function isLoginSessionExpired() {
        $login_session_duration = 10800;
        $current_time = time();
        if(isset($_SESSION['timeout']) and isset($_SESSION['dgUserLoggedIn'])){
            if(((time() - $_SESSION['timeout']) > $login_session_duration)){
                session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
                $_SESSION['timeout'] = time(); // update creation time
                return true;
            }
        }
        return false;
    }
    if(isset($_SESSION["dgUserLoggedIn"])) {
        if(isLoginSessionExpired()) {
            header("Location: /core/logout.php");
            exit; // stop running the protected page once the redirect is sent
        }
    }
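With the above code the user is automatically logged out after about 30 minutes. How can I make sure the user can stay logged in for 3 hours, with the time updating itself on every refresh or visit?
Below is my session setup.php: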
// **PREVENTING SESSION HIJACKING**
// Prevents javascript XSS attacks aimed to steal the session ID
ini_set('session.cookie_httponly', 1);
// Adds entropy into the randomization of the session ID, as PHP's random number
// generator has some known flaws
ini_set('session.entropy_file', '/dev/urandom');
// Uses a strong hash
ini_set('session.hash_function', 'whirlpool');
// **PREVENTING SESSION FIXATION**
// Session ID cannot be passed through URLs
ini_set('session.use_only_cookies', 1);
// server should keep session data for AT LEAST 1 hour
ini_set('session.gc_maxlifetime', 3600);
// each client should remember their session id for EXACTLY 1 hour
session_set_cookie_params(3600);
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
session_start();
Try changing 'if(((time() - $_SESSION['timeout']) > $login_session_duration)){' to the less-than operator. – Manish
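The question's session setup keeps session data and the cookie for 3600 seconds while the login check allows 10800, and `$_SESSION['timeout']` is only written at login. The following is an added example, not code from the post or its comments, showing a sliding 3-hour idle timeout with those lifetimes aligned; `SESSION_IDLE_LIMIT` and the three function names are assumptions, and the array form of `session_set_cookie_params()` needs PHP 7.3 or later.

```php
<?php
// Added example, not the asker's code. SESSION_IDLE_LIMIT and the helper
// names are assumptions; the session keys and logout path are from the post.
const SESSION_IDLE_LIMIT = 10800; // 3 hours, same value as $login_session_duration

function startLoginSession(): void
{
    // Server side: keep session data at least as long as the idle limit,
    // otherwise garbage collection can remove it before the check fires.
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_LIMIT);
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1'); // reject session IDs the server did not issue
    // Client side: lifetime 0 makes this a browser-session cookie, so the
    // server-side timestamp below is the only clock that decides expiry.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,  // HTTPS only, as in the post's cookie_secure setting
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Pure check so it can be exercised without a live session.
// A logged-in session with no timestamp is treated as expired (fail closed).
function isIdleExpired(?int $lastActivity, int $now, int $limit = SESSION_IDLE_LIMIT): bool
{
    return $lastActivity === null || ($now - $lastActivity) > $limit;
}

function requireFreshLogin(): void
{
    if (empty($_SESSION['dgUserLoggedIn'])) {
        return; // not logged in; nothing to expire
    }
    if (isIdleExpired($_SESSION['timeout'] ?? null, time())) {
        $_SESSION = [];    // drop the in-memory data
        session_destroy(); // and the server-side record
        header('Location: /core/logout.php');
        exit; // stop the protected page from rendering after the redirect
    }
    $_SESSION['timeout'] = time(); // sliding window: each request renews it
}

startLoginSession();
requireFreshLogin();
```

If other applications share the same `session.save_path` with a shorter `session.gc_maxlifetime`, their garbage collection can still delete these session files early; a dedicated save path avoids that.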