weird session timeout for user inactivity

mbhramar · #1 (**permalink**) 06-17-2008, 07:23 AM

Hi,
What I want to do is very general & simple. I am sure I am missing something.

I am authenticating & a suer & setting session in the following way :

PHP Code:


			
$authAdapter = new Zend_Auth_Adapter_DbTable($db);



    $authAdapter->setTableName('users');



    $authAdapter->setIdentityColumn('username');



    $authAdapter->setCredentialColumn('password');



    // Set the input credential values to authenticate against



    $authAdapter->setIdentity($username);



    $authAdapter->setCredential($password);



    // do the authentication



    $auth = Zend_Auth::getInstance();



    $result = $auth->authenticate($authAdapter);



    if ($result->isValid()) {



    // success: store database row to auth's storage



    // system. (Not the password though!)



    $data = $authAdapter->getResultRowObject(null,



    'password');



    $auth->getStorage()->write($data);



        $fullName = Zend_Auth::getInstance()->getIdentity();



   



    // Set session expiry



    $authNamespace = new Zend_Session_Namespace('Zend_Auth');



    $authNamespace->user = $username;



    $authNamespace->setExpirationSeconds(1200);

Now what happens is that the user is authenticated & session is set but the session expires after 20 mins regardless of whether there was any inactivity or the user was actively working on the application.

What I need is that the session should expire only if there is an inactivity of 20mins, not just time lapse of 20 min. But as of now, even when I am actively clicking away on the app, I get logged out.
Please help. Also pls suggest any better way to do the above. I am sure I am not using the best methods available in this pool of ZF.

Thanks.
Mayank

rabergli · #2 (**permalink**) 06-27-2008, 06:01 PM

This method is rather brute-force, but it works reasonably well. First, in the bootstrap file, I started a session (this is a best practice anyway):

Code:

<?php
// ...

// Start up a session
require_once 'Zend/Session.php';
Zend_Session::start();

// ...

I created a LoginController.php separate from the other controllers. In that controller, I added this code (using a session namespace to track timeouts, as well as the user's current location):

Code:

<?php
// LoginController.php - Controls application login/logout

class LoginController extends Zend_Controller_Action
{
    // Application login function.  Runs under the URL http://app/Login/login.
    function loginAction()
    {
        // ... do the login stuff ...

        // .. at the point of a successful login ...
        if (Zend_Auth::getInstance()->hasIdentity()) {
            $authNamespace = new Zend_Session_Namespace('auth');
            // timeout is 20 minutes (1200 seconds)
            $authNamespace->timeout = time() + 1200;
            // If possible, redirect to the page we came from (see the
            // preDispatch routine).  Otherwise, go to the main index page.
            if (isset($authNamespace->requestUri)) {
                $this->_redirect($authNamespace->requestUri);
            } else {
                $this->_redirect('/');
            }
        }
    }
    // ...

In all the other controllers, I added a preDispatch() function, which is a hook provided by Zend to perform non-standard functions:

Code:

<?php
// IndexController.php (or any other controller other than LoginController)

class IndexController extends Zend_Controller_Action
{
    function preDispatch()
    {
        $authNamespace = new Zend_Session_Namespace('auth');
        // clear the identity of a user who has not accessed a controller for
        // longer than a timeout period.
        if (isset($authNamespace->timeout) && time() > $authNamespace->timeout) {
            Zend_Auth::getInstance()->clearIdentity();
        } else {
            // User is still active - update the timeout time.
            $authNamespace->timeout = time() + 1200;
            // Store the request URI so that an authentication after a timeout
            // can be directed back to the pre-timeout display.  The base URL needs to
            // be stripped off of the request URI to function properly.
            $authNamespace->requestUri = substr($this->_request->getRequestUri(),
                strlen(Zend_Controller_Front::getInstance()->getBaseUrl()));
        }
        // If the user has no identity here, there has either been a time out or the user has
        // not logged in yet.
        if (!Zend_Auth::getInstance()->hasIdentity()) {
            $this->_redirect('/Login/login');
        }
    }
    // ...

There is one downside to this code: after a timeout re-authentication, control returns back to where the user was at timeout (i.e., it does not follow the current request). To me, this is a fairly minor problem.

This code seems to work fine on these configurations:

Zend Framework v1.5.2 on Linux or OS-X
PHP v5.2.6 on Linux or OS-X
Apache v2.2.9 on Linux or OS-X
Firefox v3.0 on Linux
Konqueror v3.5.7 on Linux
Firefox v2.0.0.14 on OS-X
Safari v3.1.1 on OS-X

brreddy · #3 (**permalink**) 08-26-2008, 08:35 PM

check the next message

brreddy · #4 (**permalink**) 08-26-2008, 08:38 PM

Instead of adding preDispatch in all controllers you can register a plugin to Zend_Controller_Front and handle timeout in it.

in bootstrap:

Quote:

...
$front = Zend_Controller_Front::getInstance();
$front->setControllerDirectory('controllers');
$front->registerPlugin(new TimeoutHandlerPlugin());
$front->dispatch();
...

timeout handler plugin:

Quote:

class TimeoutHandlerPlugin extends Zend_Controller_Plugin_Abstract
{
public function preDispatch(Zend_Controller_Request_Abstract $request) {
// reset the timer here
}
}

Cheers,
Ravi

jweber · #5 (**permalink**) 09-02-2008, 04:25 AM

The long and the short of it: you need to reset the setExpirationSeconds method on every request if you want to have a sliding timeout.

I think a plugin is a way to go. No need to add code to every controller.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode