1

I have this code that logs a user out if they don't change pages for 10 minutes.

$inactive = 600;

if(isset($_SESSION['timeout']) ) {
  $session_life = time() - $_SESSION['timeout'];
  if($session_life > $inactive) { 
    header("Location: logout.php"); 
  }
}

$_SESSION['timeout'] = time();

As you can see it's pretty straightforward. I include this function at the top of all my protected pages and if the script isn't run for 10 minutes, the next time you refresh the page, the user is sent to my logout script.

However that's the problem. After $session_life > $inactive becomes true, the script needs to be run again for the user to be logged out. I need the person to be immediately logged out as soon as this becomes true.

Is there any way to do this without things getting too complicated? (i.e. not using AJAX)

aadu
  • 3,196
  • 9
  • 39
  • 62
  • 2
    Instead of copying that code across all of your pages I'd include it in a header file that gets included...just in case you need to change your `$inactive` or other logic. Though like others have mentioned, you may need to move this to client side anyway – Aaron W. Jul 09 '12 at 11:12
  • It's already included in a header file. – aadu Jul 09 '12 at 11:13

4 Answers4

7

No. Your PHP code runs on every request. If you want the timeout to trigger "immediately" then you have to either spam the server with continuous requests (bad idea) or move the timeout logic to client-side code.

An appropriate solution could be to start a Javascript timer when the page loads and redirect the user to the logout page when the timer expires. If the user navigates to another page in the meantime the current timer would be discarded automatically and a new one started when that page loads. It can be as simple as this:

<script type="text/javascript">
    setTimeout(function() { window.location.href = "logout.php"; }, 60 * 10);
</script>

Update: Of course, you should also keep the server-side code to enforce the business rule on your own side. The Javascript will give you an "optimal" scenario when the client side cooperates; the PHP code will give you a guarantee if the client side works against you.

Jon
  • 428,835
  • 81
  • 738
  • 806
  • 1
    Or destroy the session before the redirect. – Leigh Jul 09 '12 at 11:12
  • Yeah, that sounds like the most appropriate method, Jon. Thanks. – aadu Jul 09 '12 at 11:14
  • @Leigh: That does not change the fact that the redirect happens only after the user navigates to a PHP-backed URL. The OP wants the logout to happen exactly after 10 minutes have passed. – Jon Jul 09 '12 at 11:14
  • @Jon: I guess I misunderstood the question then. Of course the logout **does** happen when 10 minutes have passed, just that the user will not be informed until they navigate to a new page. – Leigh Jul 09 '12 at 11:16
  • @Leigh: No, it does not happen when 10 minutes have passed. If you allow 20 minutes to pass and then turn the server's clock back 15 minutes there will be no logout. – Jon Jul 09 '12 at 11:17
  • @Jon: Riiight, sorry I didn't cater for the possibility someone would change the time on the server. By the way, with your solution I could just turn off the javascript. – Leigh Jul 09 '12 at 11:19
  • @Leigh: That was a logical argument to show that logout has *not happened*, since if it had you would not be able to "unhappen" it even by turning back the clock. – Jon Jul 09 '12 at 11:23
  • Just had a thought. Assuming the user will NOT turn off the JavaScript. Is there anything fundamentally wrong with having a function on every page that just refreshes the logout page after 10 minutes or something? – aadu Jul 09 '12 at 11:31
  • @AzzyDude: No. That's what my example code does. – Jon Jul 09 '12 at 11:44
  • @Leigh: Personally I wouldn't redirect the user out of his current page for no reason, unless I have warned him beforehand. What if he was viewing some information that he wanted to copy or read later - when he gets back to his computer he will find his page navigated away. If you want to go for a JS solution make a call to the logout page with AJAX or inside a hidden iframe. – Alexander Ivanov Jul 09 '12 at 12:21
0

You can do it by subtrcting the current time say time(); to the time you want. try this link.

How do I expire a PHP session after 30 minutes?

Community
  • 1
  • 1
Avinash
  • 1,935
  • 7
  • 29
  • 55
0

I've got an idea that I tested and it works on my server setup - it uses linux calls to set up a delayed removal of the session file. This is purely server-side and kills the session exactly when it should. You must have permissions to run shell commands though.

$inactive = 600;

# if there is a delayed removal - cancel it
if (isset($_SESSION['pid'])) shell_exec('kill -9 '.$_SESSION['pid']);

# compose path to session file
$sesspath = session_save_path().'/sess_'.session_id();

# set up a delayed removal to destroy the session after $inactive seconds and
# get its PID
#
# you can put whatever command you like inside the single quotes (call a logout
# php script perhaps?)
$_SESSION['pid'] = shell_exec("nohup sh -c 'sleep $inactive && rm $sesspath' > /dev/null & echo $!");
Alexander Ivanov
  • 717
  • 4
  • 16
0

I'd include a meta refresh in the header of the page, and check how long it's been since the page was output. Some simple server side logic can accomplish that.

harryd
  • 9
  • 1