Time Limited Session

[eluser]saintfalcon[/eluser]
Hi,

I am developing a site with CI and session library.
What I want to make is a time-limited-session.
ex:
User A logged in at 10.20 AM.
User A do nothing until 10.58 AM. --> more than 15 mins of inactivity.
When user A tries to do something, he would be kicked out to login page again.

User B logged in at 10.15 AM.
User B do nothing until 10.25 AM. --> less than 15 mins of inactivity.
When user B tries to do something, it all went normal and inactivity counter reseted back to 15 mins.

I can't seem to make it happen with CI session.
Anyone can help?

Thanks in advance,


Yohan W.

[eluser]WanWizard[/eluser]
See the user guide, session library, bottom of the page. You'll find the session parameters (in particular 'sess_expiration') described at the bottom.

[eluser]saintfalcon[/eluser]
Yes, I do that.
but from I experienced, it goes like this. I can't reset inactivity period/counter back to 15 mins after User do something.

set sess_expiration value to 15 mins

User A logged in at 10.20 AM.
User A do something at 10.30 AM.—> less than 15 mins of inactivity.
User A do everything until 10.21 AM.
When user A tries to do something, he would be kicked out to login page again.

FYI, I'm using db_session

[eluser]WanWizard[/eluser]
If you're using a third party solution, it would be handy to mention that at the beginning. I wouldn't have bothered to answer, as I don't use that library.

Maybe ask this to whoever has created that library?

[eluser]saintfalcon[/eluser]
Er..

this "db_session" i said previously is... CI session saved to database *doh that's what i meant before, i just can't explain it well.. my bad.. sorry*

each time a user does something, i check his session_id with database's session_id. if it match then that user is able to work, else he should log in again.

[eluser]WanWizard[/eluser]
Very confusing indeed, as there is also an third party library called db_session...


You shouldn't fiddle with the internals of the session. The proper way to use the session is to use session variables:
when the controller loads, you check for a specific session variable (for example user_id'). If it exists, the user is logged in. If not, the user is not logged in. In your login form, create this session variable after you have done your validations. When the user clicks on logout, delete the variable. No need to manually handle session_id's, or create or destroy sessions.

There is a second reason why using session_id's in your application is a bad idea. For security purposes, the session library rotates session_id. This means that while the session is still valid, the session_id has changed.