Working with Sessions in PHP

[FatalException]

I'm trying to design a site that uses sessions in PHP, but I'm having some trouble. I want to make it so that if a user clicks a link on page1.php of my website, it takes them to page2.php of the site and displays a variable that I stored in the session on page 1. However, if they go DIRECTLY to page2.php, I want it to show nothing or produce an error. Now, it does this OK as long as the person has never been to the site before - but if they go to page1.php, click the link (which takes them to page2.php), it displays the information as it should... but then if they return to the site later and go DIRECTLY to page2.php without clicking the link on page1.php, it STILL has the information stored and displays it. Refreshing the page doesn't help.

It's like once a session is made in PHP, it never gets vaporized, even if the browser is closed and reopened. I'd like it so that after, say, 5 minutes the session expired and all variables opened in that session automatically closed, but I can't for the life of me figure out how to do this. I tried playing with the session_cache_expire() function, as described on php.net, but it doesn't do what I want. Ideas?

page1.php code:

PHP Code:

<?php
session_cache_expire(1);
session_start();
$_SESSION['EXISTS']=1;
$_SESSION['data']="This is the text stored in the data variable.";
echo "<br ><a href=\"page2.php\">Click Here</a>";
$sid=session_id();
echo "<br >$sid";
?>

page2.php code:

PHP Code:

<?php
session_cache_expire(1);  //should make data vanish after 1 minute!
session_start();
$expire_val=session_cache_expire();
echo "Expiration $expire_val<br>";
$out=$_SESSION['data'];
echo "Information: $out<br>";
?>

[FatalException]

Sorry to bump so soon after the original post, but any help would be appreciated. Thanks!

[jkrohn]

How about adding a referrer check? Depending on your need for security this would do the job.

Jkrohn

[jkrohn]

Also take a look at the session variables in php.ini. Might be something useful in there.
Specificly gc_maxlifetime.

[FatalException]

I guess the underlying intention is to get the session to expire after about 10 minutes. Currently, it takes over 1 hour to do it. I just don't know where that default setting is. Referrer checks won't work since we're working with personal information that is somewhat sensitive.

I don't have access to php.ini on my server, either. So I was hoping to implant a special variable into the session somewhere that would cause an earlier expiration.

[Blazer06]

What if you were to use session cookies instead? Or is that not an option?

If you just want them to be able to view for X minutes, I would just make and check for a cookie… that way they could close the browser, thirty seconds later open it, go to your site again with no problems, yet in X minutes, they would have to re-log in / whatever.


-Blaze

[jkrohn]

Try changing the cache option in php.ini.

Jkrohn

[FatalException]

Quote:

Originally Posted by Blazer06

What if you were to use session cookies instead? Or is that not an option?

If you just want them to be able to view for X minutes, I would just make and check for a cookie… that way they could close the browser, thirty seconds later open it, go to your site again with no problems, yet in X minutes, they would have to re-log in / whatever.

PHP does use session cookies by default, and that is what I'm using in this situation. How do I poison the cookie, though, to kill itself after a certain amount of time? They are generated automatically on the client-side by the "start_session()" function.

[FatalException]

Quote:

Originally Posted by jkrohn

Try changing the cache option in php.ini.

Unfortunately I don't have access to that file on the server. I was hoping for a variable that I could create along with the session to specify how long it should last before it times out due to inactivity. Ideas?