Extend Session Timeout Depending on users

Interesting. Does your script work? I am pretty sure that unless your script changes the php.ini file, it will not change it for the other users. Post the code for doing it from the script. I am guessing you could do a small if statement to test whether it's an intra or inter user and submit the appropriate timeout.

Is it something like:
[PHP]//Change the session timeout value to 1 hr
ini_set(?sessio n.gc_maxlifetim e?, 60*60);
[/PHP]

You would be able to differentiate between internet and intranet users by their IP address.

Usually the intranet has a specific subnet (most commonly 192.168.x.x)

get the users IP and match it to that subnet and you can distinguish between intranet and internet.

You can be sure, no one will have 192.168.x.x IP on the internet, that's reserved, but if its something else, fire your system admin. (joke)

-DM

I am not sure how you can do this by manipulating php.ini. Frankly I don't think that would work, because changes to php.ini do not take effect until the (Apache) server is restarted, at least on a Linux system (if I am not mistaken here).

I described in my post to this thread another way you can do something similar:

http://bytes.com/forum/thread795054.ht ml

Basically you leave the php.ini driven session life time to be relatively long, and you use the method I describe to time a user out if the difference between the time of their next page request and the time of their last page request is longer than the amount of time allowed for them. This way, you can make the maximum time allowed user dependent. When a user is timed out, you call session destroy functions to remove their session and session files.

I am doing this with two maximum times, one if the user is within the intranet and one if they are coming from outside.

The Servant that is pretty much my script

I like the check ip address suggestion. On every page, as apart of a security stragety I check to to see if the session is active. I could (if I understand correctly) check how long that session has been going for and kick them out if they have been around longer than 15 mins and from an external ip.

This is what I do. When a user logs on, I create an identity string composed of an identifier for the application that the user logged on to (I have a few different databases each requiring a separate log in), and the IP address, and store this in a session variable. Then at the start of every page request (I do this with a function called from an auto_prepend file script so it is called with every PHP request) I compre this stored session variable with the user's IP address and the application specific identifier. If no match, I log the user out (destroy the session) and present the log in page again.

I also give the user a much shorter allowable interval between page requests when coming from an external IP address.