7

I want to have a timer going to run every 3 minutes on the page (JavaScript), to detect if a PHP session ($_SESSION) has timed out... and if so, redirect them automatically.

A good example would be: a user logs in and runs upstairs, and never comes back down... I want the JavaScript to log them out with a simple redirect...

Is this possible? And how would I do such a thing? I am using PHP and JavaScript.

What Rob Kennedy said below is exactly what I am looking for:

...when the session times out, the browser should be told to navigate away from the current page. Some banks do this after a period of inactivity, for example.

isherwood
Kladskull

3 Answers

12

You could use a simple meta refresh:

<meta http-equiv="refresh" content="180;url=http://example.com/logout" />

Or you implement a timeout with PHP:

session_start();
if (isset($_SESSION['LAST_REQUEST_TIME'])) {
    if (time() - $_SESSION['LAST_REQUEST_TIME'] > 180) {
        // session timed out, last request is longer than 3 minutes ago
        $_SESSION = array();
        session_destroy();
    }
}
$_SESSION['LAST_REQUEST_TIME'] = time();

Then you don’t need to check every 3 minutes if the session is still valid.

Gumbo
  • 3
    What if the user has multiple tabs/windows open? The session may still be alive. – Bob Jun 16 '09 at 18:02
  • 1
    Btw, meta refresh can also be sent as http header. With PHP that is: header("Refresh: 3600;url=http://example.com/logout"); – tehnomaag Jun 16 '09 at 18:04
  • header("Location: index.php"); after session_destroy(); is not redirecting to the login page unless I refresh. How do I redirect to the login page automatically after destroying the session? – Revathi May 30 '23 at 16:30
1

New and improved solution

As Mr. Kennedy pointed out, my original solution (below) doesn't work, so here is a way to do it.

In the user database keep a last-activity timestamp that updates every time a user loads a page.

Then in a checkaccess.php:

// $last_access: last-activity timestamp loaded from the user database
// $max_inactivity_time: allowed idle time in seconds
if ( time() - $last_access > $max_inactivity_time ) {
     return array('access' => '0');
}
else {
     return array('access' => '1');
}

Call checkaccess.php in the JavaScript timer (below) and log out accordingly.

This also allows for a "currently logged in users" function.

Thanks, Mr. Kennedy.


Original, non-working solution

Create a PHP page that returns 1 or 0 based on the validity of the current user's session.

Then, in the pages that you want to time out, add this to the head (you need jQuery):

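setInterval(function () {
    // URL_OF_SESSION_CHECKING_PAGE and LOGIN_PAGE are placeholders for your own URLs
    var url = URL_OF_SESSION_CHECKING_PAGE;
    $.getJSON(url, function (data) {
        // the checking page answers {"access": "1"} or {"access": "0"}
        if (data.access == '0') {
            window.location = LOGIN_PAGE;
        }
    });
}, 180000);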

Every 180 seconds (3 minutes) it requests the PHP page and gets the validity of the session. If it's invalid, it redirects to a login page.

If the user has multiple pages open, the pages will time out and redirect at different times because their timers are different.

Here's a good page on JavaScript timers: http://ejohn.org/blog/how-javascript-timers-work/

Simple session checking page

session_start();
die(
    json_encode(
        isset( $_SESSION['VARIABLE'] ) ? array( 'access' => '1') : array( 'access' => '0' )
    )
);

Change VARIABLE to one of your session variables.

Galen
  • Andrew Moore shows a more complete implementation of [maintaining and checking last activity time](https://stackoverflow.com/a/1173553/199364). – ToolmakerSteve Apr 12 '19 at 09:16
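
The polling timer described above, as an added example that is not part of the original answers: it uses `fetch` instead of jQuery, keeps a cached reply from hiding the timeout, and does not log the user out on a transient network or server error. The redirect is only a convenience for the browser; the timeout itself still has to be enforced by the PHP check on every request. Assumptions: `checkaccess.php` answers `{"access":"1"}` or `{"access":"0"}` and does not update the last-activity timestamp when polled, a 401/403 reply is treated as expired, and `checkSession`, `startSessionWatch` and `/login.php` are hypothetical names.

```javascript
// Added example, not code from the answers above. Hypothetical names: checkSession,
// startSessionWatch, '/login.php'. Assumes the check page does not refresh the session.
// Ask the server once. Returns 'active', 'expired' or 'unknown'.
async function checkSession(fetchFn, checkUrl) {
  try {
    // no-store: a cached "access: 1" reply would hide the timeout.
    const res = await fetchFn(checkUrl, { credentials: 'same-origin', cache: 'no-store' });
    if (res.status === 401 || res.status === 403) return 'expired';
    if (!res.ok) return 'unknown';            // e.g. 500: do not log out on a server hiccup
    const data = await res.json();
    if (data && data.access === '1') return 'active';
    if (data && data.access === '0') return 'expired';
    return 'unknown';                         // unexpected body
  } catch (err) {
    return 'unknown';                         // network error or invalid JSON: retry next tick
  }
}

// Poll every intervalMs; redirect once and stop polling when the session is gone.
function startSessionWatch({ fetchFn, checkUrl, loginUrl, redirect, intervalMs = 180000 }) {
  let timer = null;
  let busy = false;                           // skip a tick if the previous poll is still running
  async function tick() {
    if (busy) return 'skipped';
    busy = true;
    try {
      const state = await checkSession(fetchFn, checkUrl);
      if (state === 'expired') {
        clearInterval(timer);
        redirect(loginUrl);
      }
      return state;
    } finally {
      busy = false;
    }
  }
  timer = setInterval(tick, intervalMs);
  return { tick, stop: () => clearInterval(timer) };
}
// Browser wiring; outside a browser (e.g. under Node) this branch is skipped.
if (typeof window !== 'undefined') {
  startSessionWatch({
    fetchFn: window.fetch.bind(window),
    checkUrl: 'checkaccess.php',
    loginUrl: '/login.php',                   // hypothetical login page
    redirect: (url) => window.location.assign(url),
  });
}
```

Because every tab asks the same server-side state, tabs with different timers still agree on whether the session is alive; they only differ in when they notice.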
0

If you want this to happen before the page is even refreshed, you'll want periodic Ajax calls. You can use jQuery Heartbeat to make calls every 3 minutes, and use one of the PHP methods already provided by other users to check the session.

sqram