Drupal Session doesn't seem logical

Question

I'm using Drupal 6 for a program that does some e-payment work. Due to the fact that being logged in means that browser can access a users sensitive financial information I want to make sure it will timeout the session after an inactive period.

I tried using:

ini_set('session.cookie_lifetime',  600); //expire after 10 minutes of inactivity

However this logs the user out after 10 minutes regardless of whether they had any activity since login.

Is there a different setting to use or a way to modify this setting to make the session expire after inactivity rather than have a hard and fast lifetime length?

Answer 1

You need to implement your own solution there is no reliable way of doing it by just changing settings. If you need more info check out this answer How do I expire a PHP session after 30 minutes?

Taken from top answer in that question:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

Also you would want to set:

ini_set('session.cookie_lifetime',  0);

So that it never expires on it's own unless they close the browser.

Answer 2

Drupal lets users to stay logged in until they log out. This may not seem logical to you, but it makes a lot of sense to people writing large posts, or willing to resume writing after a pause: they may get disappointed, if after a long day's work they submit their post and get an error because their session has expired.

That said, you may review the Automated logout module, which seems likely to help you with your application's requirements.