I'm trying to create a script which sets $_SESSION["reverify"] to TRUE when 20 minutes have passed without activity on their account (such as page clicks).

Explanation about the $_SESSION: When $_SESSION["reverify"] is set to TRUE, the user has to reverify him or herself.

I have tried this:

```php
$expire_stamp = date('Y-m-d H:i:s', strtotime("+20 min"));
$now_stamp    = date("Y-m-d H:i:s");

if($now_stamp == $expire_stamp) {
    $_SESSION["reverify"] == true;
}
```

But it's not a good script at all, and has so many downsides. Am I overthinking, or just being a noob? I can't get this right.


```php
if (isset($_SESSION['loggedin_time']) && (time() - $_SESSION['loggedin_time'] > 120)) {
    $_SESSION["reverify"] = true;
}

if(isset($_SESSION["reverify"]) && $_SESSION["reverify"] = true) {
    header("Location: index.php?reverify=true");
}
```

J. Doe
  • You have a syntax error in your expression checking if `$_SESSION["reverify"]` is true or not. You have an assignment statement, you need to change it to: `$_SESSION["reverify"] == true`. I know this doesn't solve your issue, but just thought I'd point it out :) – kunruh May 29 '16 at 19:25

1 Answer

Session timeout with session properties is not such a good idea. The problem you are looking to crack has a very good explanation at this link here.

This is an answer to another question at Stack Overflow and is a good read.

Hope this helps

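```php
<?php

// Store the absolute time (Unix seconds) at which the session expires.
function session_timeout_extend($minutes_to_extend){
    // Start the session only if the caller has not already done so.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $timeInSeconds = time() + $minutes_to_extend*60;
    $_SESSION['last_time_allowed'] = $timeInSeconds;
}

session_start();

// First request: no deadline stored yet, so set one 20 minutes ahead.
if(!isset($_SESSION['last_time_allowed'])){
    session_timeout_extend(20);

    echo 'setting session';
    die();
}

// Later requests: compare the current time with the stored deadline.
if(time() >= $_SESSION['last_time_allowed']){
    echo 'session expired';
}
else{
    echo 'session active';
}
?>
```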

Please see that the code above works. You can test with this code, and thereafter integrate it in your workflow. Please note that this method, though, will not work after 19 January 2038, referred to as the Y2K38 bug.

You can simply call the method updated above from the user verification code block.

Aditya
  • Hi Aditya, I'm still testing this code: `if (isset($_SESSION['loggedin_time']) && (time() - $_SESSION['loggedin_time'] > 120)) {` but it doesn't seem to work. I have set everything right. Not sure why it's not working.. – J. Doe May 29 '16 at 18:54
  • Did you check the units? Can you please post both values: loggedin time and time() at any moment. – Aditya May 29 '16 at 18:58
  • Please see that I have updated my answer above with a working code example. You can test this as it is, and thereafter integrate the same in your workflow. – Aditya May 29 '16 at 19:11
  • Thanks for that, works great. Can you explain why you used `die()` if last_time_allowed isn't set? – J. Doe May 29 '16 at 19:24
  • Oh. It was just like that. So that one can be sure that the session was set only once while printing the message 'setting session'. You don't really need that. Cheers. Happy coding. – Aditya May 29 '16 at 19:33
  • I'm sorry Aditya, but I have a last and final question. How can I reset this? If the user has verified themselves, how can I reset the script? – J. Doe May 29 '16 at 20:02
  • No worries J. Doe. Keep asking. We love to answer. OK, so what's the verify code? Can you post that so I can patch a fix for this in that, or let me post my own solution. – Aditya May 29 '16 at 20:05
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/113266/discussion-between-aditya-and-j-doe). – Aditya May 29 '16 at 20:11
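
One way to handle the 20-minute inactivity window and the reset asked about in the last comments, as an added example that is not code from the question or the answer. The constant, the three function names and the `last_activity` session key are assumptions; the `reverify` flag and the redirect target come from the question.

```php
<?php
// Added example: sliding inactivity window with a sticky reverify flag.
// Hypothetical names: REVERIFY_IDLE_SECONDS, touch_activity(),
// mark_reverified(), guard_page(), and the 'last_activity' session key.
const REVERIFY_IDLE_SECONDS = 20 * 60;

// Call on every request. Raises the flag once the idle gap exceeds the limit;
// otherwise slides the window forward. A flagged session never slides.
function touch_activity(array &$session, int $now): void
{
    $last = $session['last_activity'] ?? $now;
    if ($now - $last > REVERIFY_IDLE_SECONDS) {
        $session['reverify'] = true;
    }
    if (empty($session['reverify'])) {
        $session['last_activity'] = $now;
    }
}

// Call only after the user has passed the reverification check.
function mark_reverified(array &$session, int $now): void
{
    $session['reverify'] = false;
    $session['last_activity'] = $now;
}

// Web entry point for protected pages (not for the reverify page itself).
function guard_page(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    touch_activity($_SESSION, time());
    if (!empty($_SESSION['reverify'])) {
        header('Location: index.php?reverify=true');
        exit; // stop here so the protected page body is never rendered
    }
}

// Constructed walk-through; runs from the command line without a web server.
if (PHP_SAPI === 'cli') {
    $s = [];
    $t0 = 1464548040;                    // constructed timestamp
    touch_activity($s, $t0);             // first request starts the window
    touch_activity($s, $t0 + 19 * 60);   // click after 19 minutes slides it
    touch_activity($s, $t0 + 40 * 60);   // 21 minutes idle: flag is raised
    var_dump($s['reverify']);
    mark_reverified($s, $t0 + 41 * 60);  // user passed the check: flag reset
    var_dump($s['reverify']);
}
```

In the web flow, calling `session_regenerate_id(true)` right after `mark_reverified($_SESSION, time())` gives the reverified user a fresh session ID.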