I have a PHP application (although I suppose the general concept would be the same with web applications in other languages) that is supposed to destroy the user's current session after 300 seconds of inactivity. But is there a good way to test that this actually works? I started up my application and let it sit idle for 300 seconds, then clicked on a link and got redirected to the login page -- which is what's supposed to happen when the session is destroyed. Then I did the same thing after only 290 seconds and again I got redirected to the login page. So either my timing was off, or there's a bug in my checking for session timeout, or there's a bug in my setting the length of time before session timeout. How do I figure out which one it is?
Also, is there a way that I can figure this out without having to wait for the application to time out with each test? Thanks.
How about setting the timeout to something more manageable/testable like 30s?
As well, when you create a session you can log or emit when it should expire. Set a stopwatch, and verify.
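An added example, not part of the original posts: one way to make the idle check testable without waiting is to pass the timeout and the current time in as parameters, log the computed expiry on every request, and drive the check with a constructed clock at 290, 299, 300 and 301 seconds. The function names, the `last_activity` key and the choice that exactly 300 idle seconds counts as expired are assumptions made for this sketch.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not from the original posts): returns true when the
// session has been idle for $timeout seconds or more. $session is taken by
// reference so the same code runs against $_SESSION or a plain test array.
// $now is injectable so a test can move the clock instead of sleeping.
function session_is_expired(array &$session, int $timeout, ?int $now = null): bool
{
    $now  = $now ?? time();
    $last = $session['last_activity'] ?? null;   // assumed key name

    if ($last !== null && ($now - (int) $last) >= $timeout) {
        $session = [];   // in the application, also call session_destroy()
        return true;
    }

    // Still active: slide the inactivity window and log the absolute expiry
    // time so it can be compared against a stopwatch during a manual test.
    $session['last_activity'] = $now;
    error_log(sprintf('session expires at %s', date('c', $now + $timeout)));
    return false;
}

// Boundary checks around the timeout using a constructed start time.
// Returns [idle seconds => expired?] for each probe.
function run_boundary_checks(int $timeout = 300): array
{
    $t0 = 1700000000;    // constructed timestamp, not a real login time
    $results = [];
    foreach ([$timeout - 10, $timeout - 1, $timeout, $timeout + 1] as $idle) {
        $session = [];
        session_is_expired($session, $timeout, $t0);   // first request after login
        $results[$idle] = session_is_expired($session, $timeout, $t0 + $idle);
    }
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (run_boundary_checks() as $idle => $expired) {
        printf("idle %3ds -> %s\n", $idle, $expired ? 'expired' : 'active');
    }
}
```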