
I'm developing a web app with PHP. The requirement is that the user has to log in to the website. I'm using session variables for this. The session should expire after 10 minutes of inactivity and the browser has to forward to the login page. At the moment I'm not sure if I can solve it with the following PHP functions:

session_cache_limiter('public');
session_cache_expire(10); //should expire after 10 minutes inactivity

But I'm not sure if this expires the session after 10 minutes of inactivity. I guess it will expire in general after 10 minutes. If it does, how can I call a session exit handler?

The other way is to log the current time at each activity. How can I log touch events in Chrome? Is this possible? Without touch event logging it makes no sense.

Irgendw Pointer
  • http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes – DarkBee Aug 20 '14 at 10:40
    A very easy way to handle this is to set a variable in `$_SESSION` every time the user visits the page after a successful login. You can check that variable every time the page loads, and then you will know the last time they requested a page from the site, and can compare it to the current time to determine what to do from there. – serakfalcon Aug 20 '14 at 10:42
  • But what if the user does not reload the page and stays there for 10 minutes filling out a form? The user will interact with the website and therefore I have to log the touch events, otherwise I don't know if the site is inactive or not. How can I log touch events in Google Chrome? – Irgendw Pointer Aug 20 '14 at 10:43
  • The better question is, how often do you want to be sending information to the server? Obviously the server will have no way to know how long the user keeps the client open. What I have done is use a debouncer in JS that is reset every time the user does something, that will reload the page & request a log out if it times out, then I have the PHP-only timeout set to go off at 1.5x the JS logout time, so that gives some wiggle room to the client. – serakfalcon Aug 20 '14 at 11:03

1 Answer


As per @serakfalcon's suggestion, manage the last-request time in the session itself. To log the user out* at the front end after inactivity you will need to use some JavaScript. JavaScript isn't my strongest skill, but we've used something like this:

<script type="text/javascript">
    // One-shot timer: after 10 minutes (600000 ms) send the browser to the
    // login page. Nothing here resets the timer on user activity.
    setTimeout(function(){
        window.location = '/loginpage';
    }, 600000);
</script>

Just remember that if you're using any AJAX, you'll probably want to have the timer reset when the request is made/completed. All that this does is start a counter for 10 minutes that will then redirect the user to the /loginpage URI. Obviously browsing away (i.e. remaining active) will prevent the redirect.

* Not actually log them out, but rather redirect the user to the login page when the session has already expired at the server. It would be wise to make the JS redirect at least a few seconds longer than the PHP session expiry so that you don't accidentally renew the session with the call here.

Engineer81
  • Javascript CAN be disabled. If there's a session already set and it's not destroyed after 10 minutes, won't this just redirect back to the logged in area? – iswinky Aug 20 '14 at 11:05
  • You can't really do anything about users with JS disabled (though they are few and far between). If you also have the server-side solution then disabling JS will just mean that you can remain on the current page indefinitely, but as soon as you try to navigate elsewhere you will have no session. You could put some logic in `/loginpage` that will redirect you elsewhere if your session is actually still valid. – Engineer81 Aug 20 '14 at 11:07
  • I would recommend against trying to redirect to a `/logout` page, by the way. If the user has multiple tabs open then you would be logging them out even if they actually have an active session, in case anyone thinks of that. Our client suggested it but we demonstrated why it's a bad idea and they agreed – Engineer81 Aug 20 '14 at 11:08
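
Putting @serakfalcon's comment and the answer above together, here is an added PHP example; it is not code from the question or from the answer. Note first that the two functions in the question, `session_cache_limiter()` and `session_cache_expire()`, only control the HTTP caching headers (`Cache-Control`/`Expires`) that PHP sends with the page; they do not end the session, and `session.gc_maxlifetime` is only a probabilistic garbage-collection backstop. The inactivity limit therefore has to be enforced by the application on every request, and the JS timer is just a convenience for the idle tab. The example assumes a login page at `/loginpage`, a user id stored in `$_SESSION['user_id']`, and that your AJAX library sends the `X-Requested-With: XMLHttpRequest` header; all three are assumptions, not something the thread specifies.

```php
<?php
// Added example, not code from the question or the answer.
// Server-side 10-minute inactivity timeout using a last-activity timestamp
// stored in $_SESSION. Assumptions: the login page is /loginpage and a
// successful login stores $_SESSION['user_id'].
declare(strict_types=1);

const INACTIVITY_LIMIT = 600; // seconds; 10 minutes as in the question

// Session cookie hardening; these are standard php.ini session settings
// and must be set before session_start().
ini_set('session.use_strict_mode', '1');   // reject attacker-supplied session ids
ini_set('session.use_only_cookies', '1');  // never accept the id from the URL
ini_set('session.cookie_httponly', '1');   // cookie not readable from JavaScript
ini_set('session.cookie_samesite', 'Lax'); // PHP 7.3+
// ini_set('session.cookie_secure', '1');  // enable once the site is HTTPS-only
// Garbage collection runs probabilistically, so it cannot end the session at
// exactly 10 minutes; it only cleans up what the checks below already expired.
ini_set('session.gc_maxlifetime', (string) (2 * INACTIVITY_LIMIT));

session_start();

/**
 * True if a user is logged in and the session was used within $limit seconds.
 * With $touch = true (protected pages, AJAX endpoints) the timestamp is
 * refreshed, so every server request counts as activity. With $touch = false
 * (the login page itself) the session is only inspected, never renewed.
 */
function sessionIsActive(int $now, int $limit, bool $touch = true): bool
{
    if (empty($_SESSION['user_id']) || !isset($_SESSION['last_activity'])) {
        return false;
    }
    if ($now - (int) $_SESSION['last_activity'] > $limit) {
        return false;
    }
    if ($touch) {
        $_SESSION['last_activity'] = $now;
    }
    return true;
}

/** Drop the server-side session data and expire the cookie in the browser. */
function endSession(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

/** Call once the submitted credentials have been verified. */
function loginUser(int $userId): void
{
    session_regenerate_id(true); // new id on login: blocks session fixation
    $_SESSION['user_id'] = $userId;
    $_SESSION['last_activity'] = time();
}

/** Include at the top of every protected page and AJAX endpoint. */
function requireActiveSession(): void
{
    if (sessionIsActive(time(), INACTIVITY_LIMIT)) {
        return;
    }
    endSession();
    // Assumption: the AJAX library sets X-Requested-With. A 401 lets the
    // calling script decide what to do instead of following a redirect.
    if (($_SERVER['HTTP_X_REQUESTED_WITH'] ?? '') === 'XMLHttpRequest') {
        http_response_code(401);
        exit;
    }
    header('Location: /loginpage?expired=1', true, 303);
    exit;
}

/**
 * Include at the top of /loginpage. A session that is still valid (another
 * tab kept it alive) is sent back into the app rather than destroyed; an
 * expired one is cleaned up before the form is shown. The timestamp is not
 * touched, so the JS timer can safely point here.
 */
function loginPageGuard(): void
{
    if (sessionIsActive(time(), INACTIVITY_LIMIT, false)) {
        header('Location: /', true, 303);
        exit;
    }
    if (isset($_SESSION['user_id'])) {
        endSession();
    }
}
```

Every request that reaches a protected page, including AJAX calls, refreshes the timestamp, so the only case the server cannot see is a user typing into a form without submitting anything; that is what the answer's JavaScript timer is for, and with `loginPageGuard()` it can be pointed at `/loginpage` without renewing the session or logging out a tab that is still active.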