PHP - make session expire after X minutes

Question

i am using the following technique...

From the login.php the form posts to the page check.php where i do this

<?php    
$uzer = $_POST['user_name'];
$pass = $_POST['user_pass'];

require ('DB_connection.php');

$result = mysql_query("SELECT * FROM accounts WHERE user_Name='$uzer' AND user_Pass='$pass'");

if( mysql_num_rows( $result ) > 0)
{
    $array = mysql_fetch_assoc($result);    

    session_start();
    $_SESSION['user_id'] = $uzer;
    header("Location:loggedin.php");            
}
else
{
    header("Location:login.php");
}
?>

and on loggedin.php page the first thing i do is

<?php
session_start();
if( !isset( $_SESSION['user_id'] ) )
{
    header("Location:login.php");
}
else
{
    echo ( "this session is ". $_SESSION['user_id'] );
    //show rest of the page and all
}
?>

but once logged in when i directly type the url localhost\myProject\loggedin.php it displays the page...which makes perfect sense because the session has started

what i want to implement is

The direct URL \ session works for 10 minutes after that the session is terminated\expired\timed out and then use must login again and may get the same session id but after 10 minutes use won't be able to browse with the same session

WHAT DO I NEED TO DO OR LEARN

See [How do I expire a PHP session after 30 minutes?](http://stackoverflow.com/questions/520237/how-do-i-expire-a-php-session-after-30-minutes) — Gumbo, Sep 22 '10 at 15:10
I know this is a very old question, but this is a top result for several Session searches in Google. Anyone reading this should be aware that the code in the question is extremely insecure and susceptible to SQL injection. We wouldn't want any beginners Googling to pick up bad habits. :-) This question on SO should help if you want to learn more: http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php — Woody Payne, Mar 20 '15 at 17:13

Lekensteyn · Accepted Answer · 2010-09-22T15:05:19.860

10

Store a timestamp in the session:

<?php    
$uzer = $_POST['user_name'];
$pass = $_POST['user_pass'];

require ('DB_connection.php');

// Hey, always escape input if necessary!
$result = mysql_query(sprintf("SELECT * FROM accounts WHERE user_Name='%s' AND user_Pass='%s'", mysql_real_escape_string($uzer), mysql_real_escape_string($pass));

if( mysql_num_rows( $result ) > 0)
{
    $array = mysql_fetch_assoc($result);    

    session_start();
    $_SESSION['user_id'] = $uzer;
    $_SESSION['login_time'] = time();
    header("Location:loggedin.php");            
}
else
{
    header("Location:login.php");
}
?>

Check if the timestamp is within the allowed time window (600 seconds is 10 minutes):

<?php
session_start();
if( !isset( $_SESSION['user_id'] ) || time() - $_SESSION['login_time'] > 600)
{
    header("Location:login.php");
}
else
{
    // uncomment the next line to refresh the session, so it will expire after ten minutes of inactivity, and not 10 minutes after login
    //$_SESSION['login_time'] = time();
    echo ( "this session is ". $_SESSION['user_id'] );
    //show rest of the page and all
}
?>

edited Sep 22 '10 at 15:05

answered Sep 22 '10 at 14:31

Lekensteyn

64,486
22
159
192

its just that there is `>` inplace of `<` – Moon Sep 22 '10 at 14:41
1

Corrected. To avoid session fixation, you may want to add `session_regenerate_id(false);session_destroy();session_start();` after session_start(); – Lekensteyn Sep 22 '10 at 15:07
Will this be 10 minutes of no activity or just 10 minutes? I'm trying to use this to make them get logged out if they aren't active for 30 minutes, but I don't know how to... – Nathan Oct 03 '11 at 15:58
This expires after exact 10 minutes after login. If you wish to expire the session after 10 minutes, read the comments in the second code block and uncomment the right line. – Lekensteyn Oct 03 '11 at 16:05

score 1 · Answer 2 · answered Sep 22 '10 at 14:31

1

I would look at session_set_cookie_params and ini_set("session.gc_maxlifetime", "18000");

answered Sep 22 '10 at 14:31

Kyle

1,978
1
18
30

`gc_maxlifetime` is the garbage collector and does not have anything to do with the actual sessions lifetime. Just when it gets moved to the trash. The `session_set_cookie_params` is correct, however. – Jim Sep 22 '10 at 15:17
I know this is a very old post, but i clicked your link today on april 1st and its spinning. ouch – Marriott81 Apr 01 '14 at 10:27

score 1 · Answer 3 · answered Jun 01 '21 at 09:49

1

Use session set cookie function in your php file where you will start session, it will expire after as per define x minutes.

session_set_cookie_params(600);

As per above after 10 minutes session is expire.

answered Jun 01 '21 at 09:49

Kishan Chauhan

1,216
1
12
19

PHP - make session expire after X minutes

3 Answers3

Linked