Restrict users to sending no more than 10 "tell a friend" messages.
I was using setState()/getState() for that. But that is insecure; one can substitute the tafNum variable in the cookie and spam. What can be done here? Where is it better to store such variables?
Additional question - how to control the session length? Is it possible to control max length and max inactivity length?
Didn't want to start a new post on that, and saw the last comment here about the CHttpSession's timeout property, which is what I need.
I'm trying to change the session timeout from the default (1440) to, let's say, 86400.
The server runs on Linux and hosts multiple sites, so I also need to change the session savepath to 'my path' to disallow the default shorter gc from removing my session.
The only way I've managed to do that is by setting
php_admin_value session.gc_maxlifetime 86400
php_admin_value session.save_path /tmp/mysite
When I tried to change CHttpSession object properties it didn't give any results, the session object was changed only within the current request, and after redirect the session properties were still default (1440, /tmp).
Does someone know what I forgot or did wrong?
Cheers
greg
PS. The code I used was in the LoginForm authenticate handler function:
Just needed to alter the lifetime of the session in my Yii app as well and saw this old thread. For what it's worth, I’ve written a blog post on session lifetime configuration in PHP that is still relevant. I recommend reading it, as it summarizes pretty much everything one needs to know to fully and securely command his PHP web app session lifetime. Here’s the post.
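
Added example (not part of any post in this thread, and not Yii's own code): the first question asks about both a maximum session length and a maximum inactivity length. session.gc_maxlifetime only sets how old session data must be before garbage collection may remove it, so the PHP below enforces both limits from timestamps kept in the session itself. The function names, the '_created' and '_lastSeen' keys and the limit values are assumptions.

```php
<?php
// Added example. Function names, the '_created' / '_lastSeen' keys and the
// limit values are assumptions chosen for illustration.
const MAX_IDLE = 1800;   // max seconds between two requests
const MAX_AGE  = 86400;  // max seconds since the session was created

// True while both limits hold (and refreshes the idle timer); false once
// either limit has passed, in which case the caller must end the session.
function sessionWithinLimits(array &$session, int $now,
                             int $maxIdle = MAX_IDLE, int $maxAge = MAX_AGE): bool
{
    if (!isset($session['_created'], $session['_lastSeen'])) {
        $session['_created'] = $session['_lastSeen'] = $now; // first request
        return true;
    }
    if ($now - $session['_lastSeen'] > $maxIdle) {
        return false; // idle too long
    }
    if ($now - $session['_created'] > $maxAge) {
        return false; // too old, even if continuously active
    }
    $session['_lastSeen'] = $now;
    return true;
}

// Call at the top of every request, before any session data is trusted.
function guardCurrentSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!sessionWithinLimits($_SESSION, time())) {
        session_unset();
        session_destroy();           // drop the stored data
        session_start();
        session_regenerate_id(true); // fresh id for the now-anonymous visitor
    }
}

// Demonstration on a constructed session array and constructed timestamps.
$s  = [];
$t0 = 1700000000;
var_dump(sessionWithinLimits($s, $t0));              // new session is stamped
var_dump(sessionWithinLimits($s, $t0 + 600));        // active within idle limit
var_dump(sessionWithinLimits($s, $t0 + 600 + 3600)); // idle for an hour
```

For the check to be the deciding limit, session.gc_maxlifetime on the session's save path has to be at least as long as the idle limit used here.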