Logout Time/ Login Session

Started by papneja, May 16, 2010, 06:55:41 PM

papneja

I've read many documents and forums but I have yet to learn how to enable the autologout function...

I am NOT BRIDGING... therefore the use of the config.ini.php method (I've tried) hasn't worked

Does anyone know how to end a session?
In my current installation, my sessions are not logging out. And I'm not using the remember me function.

phill104

Please post a link to your gallery as per the board rules.

papneja

sorry...
it's a private site
but a demo version is up same database setup and site configuration... just no pictures

you can register there is no verification...

http://cpg.kdfonline.com/

papneja

I meant coppermine.ini.php
sorry, I quoted the wrong file in my previous

Joachim Müller

Quote from: papneja on May 16, 2010, 09:40:48 PM
you can register there is no verification...
How generous of you. We will definitely not go through registration just to be able to support you, even if the registration is for free. ::)

Quote from: papneja on May 16, 2010, 09:40:48 PM
sorry...
it's a private site
We don't care for that. There is no support for "private" sites - if you can't post a link to your actual coppermine-driven gallery, we can not support you. We need to look at the real thing and not some made-up nonsense.

Quote from: papneja on May 16, 2010, 09:55:22 PM
I meant coppermine.ini.php
sorry, I quoted the wrong file in my previous
There is no file in the package we provide that is named coppermine.ini.php

Quote from: papneja on May 16, 2010, 06:55:41 PM
I've read many documents and forums but I have yet to learn how to enable the autologout function...
Decrease the lifetime of the cookie set by coppermine. You can do so for an unbridged install inside the file bridge/coppermine.inc.php as suggested in the posting "Could it possible to set time-out time after login?". You have to keep in mind though that Nibbler's advice was written for cpg1.4.x. In cpg1.5.x, the code has changed slightly to
                    // set the session cookie
                    setcookie( $this->client_id, $this->session_id, time() + (CPG_WEEK*2), $CONFIG['cookie_path'] );

papneja

Before selecting coppermine I was told that the help forums are rude and it's one reason why many insist on using gallery instead.
My actual site is on my localhost. You would have learned that if you checked the root domain. And the help I needed didn't require the person helping to see personal pictures.
The fact it's a private site and help isn't awarded makes coppermine the inferior system. There are many people who would love to have private functional sites. Maybe coppermine should change its policies.
Lastly, helping someone is a kind gesture and it's always appreciated. But insulting them when providing help is not needed. That kind of help is useless, and unproductive.

But you will not go unappreciated. Thank you for replying. I'll try your suggestion and see what happens. I don't really understand which value to change and to what. Don't worry, trial and error will get it right.

Αndré

Quote from: http://www.php.net/manual/en/function.setcookie.php
bool setcookie ( string $name [, string $value [, int $expire = 0 [, string $path [, string $domain [, bool $secure = false [, bool $httponly = false ]]]]]] )

You have to change the third value to your needs:
Quote
setcookie( $this->client_id, $this->session_id, time() + (CPG_WEEK*2), $CONFIG['cookie_path'] );
Currently the cookie will be stored for 2 weeks.


Off-topic:
Quote from: papneja on May 17, 2010, 09:10:33 AM
Before selecting coppermine I was told that the help forums are rude [...]
That's mostly told by lazy people who don't respect the board rules and don't read the docs. We don't want to see your private picture, but want to verify that you are using an up-to-date (and 'licensed') version of our application. You can't imagine how many people ask for support and run an ancient version of Coppermine. A lot of effort can be saved by our rules, as we don't have the man-power to discuss with every new user who wants to get spoon-fed.

papneja

Thanks for the reply
I've tried many things, even your suggestion, but nothing works...

I was reading the code, made some sense of it...
I searched other files to see how each value was being defined... Can you explain one thing to me...

                    // set the session cookie
                    setcookie( $this->client_id, $this->session_id, time() + (CPG_WEEK*2), $CONFIG['cookie_path'] );


In the other files CPG_HOUR/WEEK are defined as a value...
In this file CPG is not defined... yet it's time() + a value = defined value.

Not understanding; assuming that time doesn't need to be defined, and that time = seconds... would it be possible to write the code as such

                    // set the session cookie
                    setcookie( $this->client_id, $this->session_id, time(3600), $CONFIG['cookie_path'] );


If so, can I apply this change to the following as well?
                // Lifetime of 'remember me' session is 2 weeks
                $rememberme_life_time = time(1209600);

                // Lifetime of normal session is 1 hour
                $session_life_time = time(3600);


I ask since the current lifetime settings are non functional for me

Lastly
I noticed something that might be coded wrong... but you will know best...
                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);


I believe that the current code will not delete the session, since time is less than session_life
So with your expert opinion if I make the change to greater than. Following
                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time > $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time > $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);


Again I'm not an expert...
I'm just having a really hard time getting the session validation working...
users are not being logged out, and the family is pressuring me to switch to gallery which I don't want to...
any help... again, my site is localhosted, there is a demo up at
http://cpg.kdfonline.com
it has all the same system files and settings as my localhost.

sorry for the inconvenience
if anyone knows how to get this working please help

Αndré

Please read the PHP docs for time(): http://php.net/manual/de/function.time.php http://www.php.net/manual/en/function.time.php [Edit Joachim] Replaced link to German PHP documentation with link to English one [/Edit]
setcookie( $this->client_id, $this->session_id, time(3600), $CONFIG['cookie_path'] );
has to be
setcookie( $this->client_id, $this->session_id, time() + 3600, $CONFIG['cookie_path'] );


The better approach of course will be to set the life times in the database instead of client-sided:
               // Lifetime of 'remember me' session is 2 weeks
               $rememberme_life_time = time()-(CPG_WEEK*2);

               // Lifetime of normal session is 1 hour
               $session_life_time = time()-CPG_HOUR;




Quote from: papneja on May 17, 2010, 01:42:27 PM
I noticed something that might be coded wrong
No that's correct and works.

Αndré

I found the cause. To reduce database queries we only sometimes kill old sessions. If you have a gallery with little access, the session will be extended.

In bridge/coppermine.inc.php, find
                // only clean up old sessions sometimes
                if (rand(0, 100) == 42){
               
                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);
                }

and replace with
                // only clean up old sessions sometimes
               
                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);

and confirm if your issue is solved. Keep in mind that the session will be extended if you browse through the gallery. Only if you haven't visited the gallery for 1 hour (default), you will be logged out.


This problem should be addressed generally imo. We should replace the random number approach with a timer similar to what we do in session_update:
                    // only update session time once per minute at maximum
                    if (!isset($this->sessiontime) || (time() - $this->sessiontime < 60)) {
                        return false;
                    }
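
Enforcing the timeout when the session is looked up, rather than only when a cleanup query happens to run, as an added example that is not part of the original post or of Coppermine's code. The `sessions` table layout, the function names and the sample rows are assumptions; the purge is gated by a timer in place of `rand()`.

```php
<?php
// Added example, not Coppermine code. The table layout, function names and
// sample rows are assumptions; it needs PHP 7.1+ with the pdo_sqlite extension.
const HOUR = 3600;
const WEEK = 7 * 24 * HOUR;

// Decide at lookup time whether a session is still valid, so an idle session
// ends on schedule even if no cleanup query has run since its last request.
function session_is_live(PDO $db, string $sid, int $now): bool
{
    $q = $db->prepare('SELECT time, remember FROM sessions WHERE session_id = ?');
    $q->execute([$sid]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $limit = ((int) $row['remember'] === 1) ? 2 * WEEK : HOUR;
    if ($now - (int) $row['time'] > $limit) {
        $db->prepare('DELETE FROM sessions WHERE session_id = ?')->execute([$sid]);
        return false;
    }
    return true;
}

// Bulk purge gated by a timer instead of rand(): runs at most once per
// $interval seconds. $lastPurge would be persisted between requests in a
// real deployment. Returns the number of rows removed, or -1 when skipped.
function purge_if_due(PDO $db, int $now, int &$lastPurge, int $interval = 60): int
{
    if ($now - $lastPurge < $interval) {
        return -1;
    }
    $lastPurge = $now;
    $q = $db->prepare('DELETE FROM sessions WHERE (remember = 0 AND time < ?) OR time < ?');
    $q->execute([$now - HOUR, $now - 2 * WEEK]);
    return $q->rowCount();
}

// Constructed sample data: session id, last-activity timestamp, remember flag.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE sessions (session_id TEXT PRIMARY KEY, time INTEGER, remember INTEGER)');
$now = 1700000000;
$rows = [['fresh', $now - 600, 0], ['idle', $now - 2 * HOUR, 0],
         ['kept', $now - 2 * HOUR, 1], ['stale', $now - 3 * WEEK, 1]];
$ins = $db->prepare('INSERT INTO sessions VALUES (?, ?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}
$last = 0;
printf("purged=%d\n", purge_if_due($db, $now, $last));
foreach (['fresh', 'idle', 'kept', 'stale'] as $sid) {
    printf("%-5s live=%s\n", $sid, var_export(session_is_live($db, $sid, $now), true));
}
```

With the check done on every lookup, the cookie's expiry only controls how long the browser keeps sending the ID; whether that ID is still accepted is decided by the server.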

papneja

Thank you for the help
I lost the remember me function... would love to get it back, have no idea how...
I was wondering if I could make a setcookie function with an if statement?
If remember me then +cpg_week*2
than
,expire=0,

I have to say, your links to php really helped... to those who are not computer educated, php.net is useless for them... but I fixed my issue by setting expire = 0... doing so I lost the remember me function...

great idea for not spoon feeding... thanks, really learned something today.
any ideas for remember me?

sorry for the back to back questions... but really appreciate the help

papneja

sorry, didn't see your post, I'll give it a try right now
thanks

papneja

Quote from: Αndré on May 17, 2010, 02:37:53 PM

                // only clean up old sessions sometimes
               
                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);


Did this change... I don't know how to create a timer so I really can't do the 2nd set... I wouldn't know where to begin or even where to add it...

But after doing the change this is what I got
Parse error: syntax error, unexpected T_IF, expecting T_FUNCTION in /Users/Papneja/Sites/copperminerc/bridge/coppermine.inc.php on line 253

This method that you prescribed wouldn't delete the cookie once the browser closes...
using expire=0 makes delete possible... I wonder how facebook and gmail fixed this issue...
Where if the user wants to be remembered, the cookie isn't deleted for time... but if the user doesn't want to be remembered, the user is prompted to login each time the browser opens...

maybe an approach to this would be (current settings) CPG_MIN instead of HOUR with the session deleted upon closure

The approach to expire = 0 is problematic since the database gets a new entry each time with no delete of previous visit

again sorry for the trouble... thanks for the help

Αndré

Quote from: papneja on May 17, 2010, 03:30:40 PM
This method that you prescribed wouldn't delete the cookie once the browser closes...
using expire=0 makes delete possible... I wonder how facebook and gmail fixed this issue...
We talked about different things. If you want to delete the cookie when the browser closes, you have to enter '0' at the expire parameter, as described in the docs:
Quote from: http://www.php.net/manual/en/function.setcookie.php
The time the cookie expires. This is a Unix timestamp so is in number of seconds since the epoch. In other words, you'll most likely set this with the time() function plus the number of seconds before you want it to expire. Or you might use mktime(). time()+60*60*24*30 will set the cookie to expire in 30 days. If set to 0, or omitted, the cookie will expire at the end of the session (when the browser closes).

Solved?

papneja

I guess it's solved to the best it can be...

When I used the system default parameters the 1 hour session fails to function...
even if I change the setting to time()+60.. even after 1min ("60") of non activity the system keeps the user logged in... even if I quit the browser and reopened it after 10mins/1hour the user is still online...

your suggestion to remove the if statement just gave me an error and I have no idea how to resolve that...

The expire = 0 parameter accomplished 90% of what I would like... with this setting, the user is logged out once the user closes the browser... however there are 3 problems with expire=0...
1) if the user is inactive with the browser open, the user still remains logged in after x#hours
2) Remember Me option doesn't work at all. At the database level remember = 1. However since the cookie is lost asap the remember me function is obsolete
3) New session entries are made each login, and old session entries are not deleted. (space is being consumed)

not knowing much about php... logically thinking I found 1 solution which could get coppermine to function like gmail or facebook...

When the system creates the cookie, use an "if" statement for the following
1) If user logs in normally (without remember me) then setcookie [expire=0]
2) If user logs in WITH Remember Me then setcookie [expire= time() + (CPG_WEEK*2)]


Now I have no idea if the above is possible... but if it is, would you know how to write it...
I've taken a look at the setcookie at php... they have a create/delete/multiple cookie example... nothing close to what I described...

if it's not possible or is, please do inform me... I'll try to figure out some other way to get this working

papneja

ok, I got your method working... but it still keeps the user logged in when the browser closes... any solution to fix that?

Αndré

All you want to accomplish has been discussed and described here. Please read carefully the whole thread and try to understand what each change does.

You want to logout the user when his browser is closed -> set expire=0 if the user has not checked 'remember me'
You want to logout the user after inactivity and immediately delete old session entries -> remove the if clause including the trailing '}'

That's all and I assume some of these changes will go to core after a developer discussion.

papneja

You're right, everything is there.

Removing the IF-> fixes the session issue.
Setting Expire =0 -> fixes browser close issue.

But "remember me" function fails to work...
My current code is this
                    // set the session cookie
                    setcookie( $this->client_id, $this->session_id, 0, $CONFIG['cookie_path'] );
}

and
// only clean up old sessions sometimes
           
                    // Delete old sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $session_life_time AND remember = 0";
                    cpg_db_query($sql, $this->link_id);

                    // Delete stale 'remember me' sessions
                    $sql = "DELETE FROM {$this->sessionstable} WHERE time < $rememberme_life_time";
                    cpg_db_query($sql, $this->link_id);
               


This setup removes the remember me function completely... Since the cookie is deleted upon closing of the browser, remember me fails to reload the session, thus creating a new session in the database. (No "remember me")
So I tried to make the following changes to setcookie function...
                    // set the session cookie
                    if ("$remember = 0") {
                        setcookie( $this->client_id, $this->session_id, 0, $CONFIG['cookie_path'] );
                    } else {
                        setcookie( $this->client_id, $this->session_id, time()+(CPG_WEEK*2), $CONFIG['cookie_path'] );
                    }

The Above settings also failed... Problem ==> for system to create a cookie with remember =0 system must access the database first. however the act of editing the database and creating the cookie are accomplished at the same time when user submits form

I tried your suggestion "If remember me", as you can see the above was my approach...
I've uploaded the new copermine.ini.php at http://cpg.kdfonline.com
you can take a look at it...
username - cpg
password - 123456
(only if you want to test it)

again I apologize for wasting your time... maybe you have already solved my issue and I have failed to comprehend it... I do appreciate the help.
at the end of the day, I'll be hoping the 1.5 final release will have this resolved...
Thank you

Αndré

The session is created before the user logs in. The only way I see is updating the expiry date of the cookie while logging in.

In bridge/coppermine.inc.php, find
                            if ($remember) {
                                    $remember_sql = ",remember = '1' ";
                            } else {
                                    $remember_sql = '';
                            }

and replace with
                            if ($remember) {
                                    $remember_sql = ",remember = '1' ";
                                    setcookie( $this->client_id, $this->session_id, time() + (CPG_WEEK*2), $CONFIG['cookie_path'] );
                            } else {
                                    $remember_sql = '';
                                    setcookie( $this->client_id, $this->session_id, 0, $CONFIG['cookie_path'] );
                            }

papneja

it worked...
thanks for all the help.