6

I have created a script login.php and there I have created a session variable named logged_in:

$_SESSION['logged_in'] = true;

I am unable to figure out a way to redirect to my logout.php after the session expires due to inactivity. Also, where should I put the code that expires this session variable? I have Googled the bug, and what most of the articles suggest is to tweak the php.ini file. However, I came across an article saying that this is not the best practice.

I found the following code on StackOverflow, yet I have no idea where to put it:

<?php
  if ($_SESSION['timeout'] + 10 * 60 < time()) {
     // session timed out
  } else {
     // session ok
  }
?>

I would like to know the best way to redirect after the session expires, and suggestions for where to put the code.

Edit: I forgot to mention that I want to know how to manually set a time for the session to expire.

Thank you in advance

Sidharth Shah
surfine

2 Answers

14

If you want to log out the user if they try to load a page when they've been inactive for too long, you should put this code at the top of every php file (before ANY other html tags):

if( $_SESSION['last_activity'] < time()-$_SESSION['expire_time'] ) { //have we expired?
    //redirect to logout.php
    header('Location: http://yoursite.com/logout.php'); //change yoursite.com to the name of your site!!
    exit; //stop here, otherwise the rest of the page still runs after the redirect header
} else{ //if we haven't expired:
    $_SESSION['last_activity'] = time(); //this was the moment of last activity.
}

Also, put this code at the top of the page where you land when you've successfully logged in:

$_SESSION['logged_in'] = true; //set you've logged in
$_SESSION['last_activity'] = time(); //your last activity was now, having logged in.
$_SESSION['expire_time'] = 3*60*60; //expire time in seconds: three hours (you must change this)

On that page you don't have to include the checking code I gave you first.

By the way, don't forget to add <?php tags correctly!

tomsmeding
  • should session_start be included in all the pages? – surfine Mar 24 '13 at 07:56
  • @surfine What do you mean exactly by `session_start`? The code `$_SESSION['logged_in'] = true;`? You should put that on the login landing page. I've edited my answer. – tomsmeding Mar 24 '13 at 07:58
  • This works for me, but the page I go to after logging in is my application's home page, and if you wait for the timer/session to expire on a page that isn't the home page, then click a link to the homepage, the session continues. How can I make linking back to the homepage when the session is expired log the user out as well? – AlMar89 Sep 17 '15 at 17:02
  • @AlMar89 php is not my specialty, really :P I suggest you open a new question, possibly referencing this answer. Sorry! – tomsmeding Sep 17 '15 at 17:15
  • 1
    Disregard the above comment. I figured it out. All I needed to do was have my login page link to a redirect page that has your second block of code and redirects to the homepage. Then I just had to implement your first block of code on the homepage as well. Thanks – AlMar89 Sep 17 '15 at 17:15
  • 1
    @AlMar89 Great you solved it! – tomsmeding Sep 17 '15 at 17:16
1

Implement this idea:

$expire_time = 3*60*60; //expire time
if( $_SESSION['last_activity'] < time()-$expire_time ) {
    echo 'session expired';
    die();
}
else {
    $_SESSION['last_activity'] = time(); // you have to add this line when logged in also;
    echo 'you are uptodate';
}
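
The idle-timeout check from both answers, combined into one include file. This is an added example, not code from either answer; the file name, function names, the 10-minute limit and the relative logout path are assumptions. It fails closed when the session keys are missing and stops the script after the redirect header.

```php
<?php
// session_guard.php: added example, all names here are hypothetical.
// require it at the top of every protected page, before any output is sent.
// Do not call require_fresh_session() from logout.php, or it redirects to itself.

const IDLE_LIMIT = 10 * 60;        // assumed idle limit in seconds
const LOGOUT_URL = '/logout.php';  // assumed path on the same site

// Returns true and records the activity if the session is still valid,
// false if the user has to be logged out.
function session_is_fresh(array &$session, int $now, int $limit): bool
{
    // Missing keys mean "never logged in": treat as expired (fail closed).
    if (empty($session['logged_in']) || !isset($session['last_activity'])) {
        return false;
    }
    if ($now - (int) $session['last_activity'] > $limit) {
        return false;
    }
    $session['last_activity'] = $now;  // this request counts as activity
    return true;
}

function ensure_session_started(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Call as the first statement of every protected page.
function require_fresh_session(): void
{
    ensure_session_started();
    if (!session_is_fresh($_SESSION, time(), IDLE_LIMIT)) {
        header('Location: ' . LOGOUT_URL);
        exit;  // a Location header alone does not stop the page from running
    }
}

// Call from login.php once the credentials have been verified.
function start_login_session(): void
{
    ensure_session_started();
    session_regenerate_id(true);  // issue a new session ID at login
    $_SESSION['logged_in'] = true;
    $_SESSION['last_activity'] = time();
}
```

In logout.php, start the session, empty `$_SESSION` and call `session_destroy()` so an expired session cannot be resumed by navigating back to another page.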