
I have searched extensively, and although I have found many questions regarding managing PHP sessions expiration times, I have found none dealing with my proposed method. I have working code, but wanted to pass it by this community to see if there are any unforeseen issues or potential exploitations. Thanks in advance for your feedback.

Essentially, once the shopping cart session is set, the page would begin to refresh every 10 minutes of inactivity. Once the total elapsed time (since session was set) exceeds 30 minutes, the user would be redirected to a page that destroys all sessions.

<?php
session_start(); // the session must be started before $_SESSION is readable

if (isset($_SESSION["shopping_cart"])) {

    // Start the absolute timer the first time the cart is seen
    if (!isset($_SESSION['timer'])) {
        $_SESSION['timer'] = time();
    }

    $now = time();
    $elapsed = $now - $_SESSION['timer'];

    // Redirect before any output: header() fails once the <meta> tag has been echoed
    if ($elapsed > 1800) {
        header('Location: session_reset.php');
        exit();
    }

    // Poll again in 10 minutes so the check above runs again without JS
    echo '<meta http-equiv="refresh" content="600" />';

}
Josef
dmarlowe
  • Good code indentation would help us read the code and, more importantly, it will help **you debug your code**. [Take a quick look at a coding standard](https://www.php-fig.org/psr/psr-12/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly May 10 '21 at 14:49
  • What is the role of the refresh after that 10 minutes of inactivity? – Zoli Szabó May 10 '21 at 15:44
  • @ZoliSzabó to be able to run the PHP code below it. PHP will only execute on page load and/or HTTP request and I am trying to avoid the use of something like JS. Essentially, it will check every 10 minutes to see if it's been longer than 30 minutes. – dmarlowe May 10 '21 at 16:38
  • There is no real need to "manually" handle session cleanup, because these can be controlled by the PHP config values (take a look at `session.cookie_lifetime` or `session.gc_maxlifetime`). Data stored in a session will not be available as soon as the session (cookie) expires. – Zoli Szabó May 10 '21 at 18:30
  • @ZoliSzabó That's not entirely accurate. I have set all of those values appropriately, but do not have full control over garbage collection and other cron jobs on the server. Also, there is more than one session set during the full checkout process on this site and we are having occasional issues of missing information where it seems one session may have expired but not another. I would much prefer having tighter control over not only session lifetime, but browser function. – dmarlowe May 10 '21 at 18:50
  • I do understand tighter control in some situations, but still not seeing the need for polling for proactive cleanup. What is the concrete situation where you want to actively garbage collect and not just leave the session to expire (session data will not be available after this point, even if it's still there somewhere on the server) and then let the expired session data be deleted whenever it gets deleted? – Zoli Szabó May 10 '21 at 19:03
  • The main goal is to have greater control over the user experience. Rather than sessions expiring in a somewhat random fashion potentially leading to unexpected (and not ideal) end-user experiences, I feel this method would allow us to control what a customer experiences if they have abandoned a cart on an open tab for half a day. They will end up back on a page of our choosing rather than receiving an error message or random redirect. – dmarlowe May 10 '21 at 19:16
  • For best user experience, you should consider keeping cart contents for forever. So even if somebody comes back after 2 days or 2 weeks, the items are still in the cart. I know I wouldn't want any shop to forget the items I put in the cart. I - as a buyer - do not think in sessions. – Zoli Szabó May 10 '21 at 19:54
  • The problem with "refresh" is when the user is currently busy and the page forces a refresh: if elapsed > 1800 it goes on to delete the session while I was busy... I'd be pissed... So I think it is best to remove all sessions with something like when the user clicks on done. – Kevin Gales May 10 '21 at 20:21
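The scheme in the question, written the way I would ship it, as an added example that is neither the asker's code nor anything from the thread. It keeps the 10-minute poll and 30-minute absolute limit from the question, adds the idle limit the comments talk about, and runs the check before any output so the redirect works. It also sets `session.gc_maxlifetime` (mentioned by Zoli Szabó) so server-side storage agrees with the application limit; `IDLE_LIMIT`, `ABS_LIMIT`, `cart_session_is_valid` and `destroy_session` are names I made up, and `session_reset.php` is the page from the question.

```php
<?php
// Added example, not the question's code: idle + absolute session timeouts,
// enforced server-side before any output so header() still works.
declare(strict_types=1);

const IDLE_LIMIT = 600;   // assumed: 10 minutes without a request
const ABS_LIMIT  = 1800;  // 30 minutes since the cart was first seen

// Let PHP's garbage collector agree with the application limit. GC runs
// probabilistically, so the explicit check below is still what enforces it.
ini_set('session.gc_maxlifetime', (string) ABS_LIMIT);

// Harden the session cookie before the session starts (assumes HTTPS).
session_set_cookie_params([
    'lifetime' => 0,      // browser-session cookie
    'httponly' => true,   // not readable from JavaScript
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

/**
 * Returns true while the cart session is within both limits, false once it
 * has expired. Refreshes the idle timestamp on the valid path.
 */
function cart_session_is_valid(int $now): bool
{
    if (!isset($_SESSION['shopping_cart'])) {
        return true; // nothing to expire
    }
    $_SESSION['created']   ??= $now; // absolute timer, set once
    $_SESSION['last_seen'] ??= $now; // idle timer

    $expired = ($now - $_SESSION['created']) > ABS_LIMIT
            || ($now - $_SESSION['last_seen']) > IDLE_LIMIT;
    if ($expired) {
        return false;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

/** Clear the data, invalidate the cookie and destroy the server-side session. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

if (!cart_session_is_valid(time())) {
    destroy_session();
    header('Location: session_reset.php', true, 303);
    exit;
}

// Output starts only here. The meta refresh is a client-side poll; the
// server-side check above is what actually decides whether the cart lives.
if (isset($_SESSION['shopping_cart'])) {
    echo '<meta http-equiv="refresh" content="600" />';
}
```

Because every poll counts as a request, the refresh keeps `last_seen` fresh and the absolute limit is what ends the session, which matches the behaviour the question describes. Destroying the server-side data rather than only redirecting matters: a stale cookie that still maps to live session data is exactly what the comments about "one session expired but not another" describe.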

1 Answer

I don't see a problem with your code: it checks every 10 minutes to see if the session time has exceeded 30 minutes and, if it has, redirects to kill the session.

Not sure why you would want to do this, though. Perhaps store the user's basket in a cookie or local storage, then kill the session and leave a notice: hey user, sorry your session timed out, but never fear, we have saved your basket here ....

futureweb
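The answer's suggestion of keeping the basket in a cookie is fine as long as the client cannot edit it, so here is an added example (not futureweb's code) that signs the saved basket with an HMAC, carries its own expiry, and verifies it in constant time on the way back in. `BASKET_KEY`, `BASKET_COOKIE`, `BASKET_TTL`, `basket_encode` and `basket_decode` are names I invented; the secret is assumed to come from the environment, and `session_reset.php` is the page from the question.

```php
<?php
// Added example, not the answer's code: persist the basket in a signed cookie
// before destroying the session, then restore it on the next visit.
declare(strict_types=1);

const BASKET_COOKIE = 'saved_basket';
const BASKET_TTL    = 14 * 24 * 3600; // assumed: keep the basket for 14 days

/** Secret used for the HMAC; assumed to be 32+ random bytes set in the environment. */
function basket_key(): string
{
    $key = getenv('BASKET_KEY');
    if ($key === false || strlen($key) < 32) {
        throw new RuntimeException('BASKET_KEY is not configured');
    }
    return $key;
}

/** Encode as base64(json) . "." . hmac; the expiry lives inside the signed part. */
function basket_encode(array $items, int $now): string
{
    $payload = base64_encode(json_encode(
        ['items' => $items, 'exp' => $now + BASKET_TTL],
        JSON_THROW_ON_ERROR
    ));
    $mac = hash_hmac('sha256', $payload, basket_key());
    return $payload . '.' . $mac;
}

/** Returns the items, or null if the cookie is missing, tampered with or expired. */
function basket_decode(?string $cookie, int $now): ?array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie, 2);
    // hash_equals() compares in constant time; a plain == would leak timing.
    if (!hash_equals(hash_hmac('sha256', $payload, basket_key()), $mac)) {
        return null;
    }
    $data = json_decode(base64_decode($payload, true) ?: '', true);
    if (!is_array($data) || !isset($data['exp'], $data['items'])
        || !is_array($data['items']) || $data['exp'] < $now) {
        return null;
    }
    return $data['items'];
}

// At the timeout point (the session_reset.php page from the question):
session_start();
$items = $_SESSION['shopping_cart'] ?? [];
if ($items !== []) {
    setcookie(BASKET_COOKIE, basket_encode($items, time()), [
        'expires'  => time() + BASKET_TTL,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
$_SESSION = [];
session_destroy();
echo 'Sorry, your session timed out, but we have saved your basket.';

// On the next visit, before building a fresh cart:
// $restored = basket_decode($_COOKIE[BASKET_COOKIE] ?? null, time());
```

Keep the payload to item identifiers and quantities: cookies are limited to roughly 4 KB, and prices and stock should be looked up again from the catalogue when the basket is restored rather than trusted from anything the client sent back, signed or not.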