0

I'm trying to kill the session after 30 seconds (testing) but it just doesn't work. I don't understand why. I've followed the relevant topic here on SO and tried to implement the suggested solutions, but they didn't work, so please don't give me crap about duplicates.

This is my code:

```php
session_start();
$_SESSION['email'] = $email;
$userID = $row['userID'];
$_SESSION['userID'] = $userID;
$_SESSION['timeout'] = time();
```

And in session.php I've got:

```php
if(isset($_SESSION['timeout']) && (time() - $_SESSION['timeout']) > 30) {
    header("Location: loggedoutDisplay.php");
    exit();
}
$_SESSION['timeout'] = time();
```

Providing more code:

```php
if($result = mysqli_query($link,$query)) {
    while($row = mysqli_fetch_assoc($result)) {

        session_start();
        $_SESSION['email'] = $email;
        $userID = $row['userID'];
        $_SESSION['userID'] = $userID;
        $_SESSION['timeout'] = time();
        header("Location: updatePage.php");
    }
}
```

Here I'm starting the session after the user has been successfully identified and redirected to updatePage.php, where I need the session to end after 30 seconds.

Marky Mark
  • "please don't give me crap about duplicates". Please don't be rude to people trying to help you. – ADyson Sep 22 '17 at 10:24
  • Anyway, what does "doesn't work" mean exactly? Does it go to loggedoutdisplay.php ever? What happens when you go to loggedoutdisplay.php? There's no code in this example which would end the session or remove any data from it. Somewhere, in the relevant place, you need to be calling session_destroy(). – ADyson Sep 22 '17 at 10:25
  • Well ... it doesn't go to loggedoutDisplay.php at all. It's as if being ignored. – Marky Mark Sep 22 '17 at 10:26
  • So, verify the values given by time() and $_SESSION['timeout'] in the case when you think it should be working. Are they what you expected? – ADyson Sep 22 '17 at 10:27
  • Is there anything else I need to check ? – Marky Mark Sep 22 '17 at 10:27
  • By "verify the values given by time() and $_SESSION['timeout']" you mean print it out and see what the output is. Correct ? – Marky Mark Sep 22 '17 at 10:29
  • Yes, that's right. You can just use the echo statement. Or if you've got an IDE that supports live debugging you can set breakpoints and examine them. – ADyson Sep 22 '17 at 10:30
  • There is a good explanation in this answer : https://stackoverflow.com/a/1270960/1643261 – Rey0bs Sep 22 '17 at 10:31
  • @sboye the code sample in there is pretty much identical to what OP has got, apart from the amount of time. So what's your point? – ADyson Sep 22 '17 at 10:32
  • @ADyson I don't know what content is in loggedoutDisplay.php file – Rey0bs Sep 22 '17 at 10:35
  • @ADyson Looks like I've got values from those session variables wrong. The output is identical for both and it's 1506076583, which appears to me more like the number of seconds from the beginning of Unix time. I thought time() gives you, well, current time. – Marky Mark Sep 22 '17 at 10:38
  • @sboye neither do I, but I fail to see how the link you posted is relevant to that fact. OP is already using the code in the style suggested there in the example code shown above, and is stating that loggedoutDisplay.php is not being visited, so the problem is happening before that. – ADyson Sep 22 '17 at 10:39
  • @MarkyMark It seems you execute `$_SESSION['timeout'] = time();` in all executions. So your session will never expire – Rey0bs Sep 22 '17 at 10:39
  • @MarkyMark does `session_start(); $_SESSION['email'] = $email; $userID = $row['userID']; $_SESSION['userID'] = $userID; $_SESSION['timeout'] = time();` run before your `if` statement? If it does, then yes sboye is right and you always reset the timeout before you test it. The part `$_SESSION['email'] = $email; $userID = $row['userID']; $_SESSION['userID'] = $userID; $_SESSION['timeout'] = time();` should only run when the user first logs in, not for subsequent requests, until they log in again. – ADyson Sep 22 '17 at 10:40
  • loggedoutDisplay.php contains only `session_unset();` and `session.destroy();` and html that informs user about being successfully logged out. – Marky Mark Sep 22 '17 at 10:41
  • @MarkyMark When do you call session.php ? – Rey0bs Sep 22 '17 at 10:42
  • `session.php` is being included on the top of each page. – Marky Mark Sep 22 '17 at 10:50
  • @sboye "MarkyMark It seems you execute $_SESSION['timeout'] = time(); in all executions. So your session will never expire" I'll take it off and will see. – Marky Mark Sep 22 '17 at 10:51

5 Answers

0

See the documentation for session_destroy: http://php.net/manual/en/function.session-destroy.php

Stranger
0

I don't see you calling session_destroy(); anywhere:

http://php.net/manual/en/function.session-destroy.php

delboy1978uk
  • `session_destroy();` is called when `loggedoutDisplay.php` is loaded. Sorry I should've mentioned that. – Marky Mark Sep 22 '17 at 10:31
  • @MarkyMark it would be safer to call session_destroy() before you redirect to that page, in case the redirect fails or is not honoured by the client (setting that header is merely an instruction to the client to visit that page next, not an absolute command, you can't guarantee it will be carried out). Then you're certain that the session is dead. – ADyson Sep 22 '17 at 10:42
0

You can use session_destroy() to destroy your current session.

Bhargav Chudasama
0

session_unset() unsets the $_SESSION variable for the run-time.

session_destroy() destroys session data in storage.

Rey0bs
0
```php
session_start();

$timeout = 30; // Number of seconds until it times out.

if(isset($_SESSION['timeout'])) {

    // Get the difference between current time and the time the session was created
    $duration = time() - (int)$_SESSION['timeout'];

    if($duration > $timeout) { // If the difference is greater than 30s

        // Destroy the session
        session_unset();
        session_destroy();

        header("Location: loggedoutDisplay.php");
        exit();

    }

}
```
hans-könig
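
The comment thread above traces the problem to `$_SESSION['timeout'] = time();` running before the expiry check, and recommends destroying the session before redirecting. The example below is added here and is not code from any poster: it sets the timestamp only at login, checks it before refreshing it, and tears the session down server-side before sending the redirect. The names `IDLE_LIMIT`, `is_expired()`, `start_login_session()` and `enforce_idle_timeout()` are assumptions.

```php
<?php
// Added example, not from the thread. All function and constant names are hypothetical.

const IDLE_LIMIT = 30; // seconds; the test value used in the question

// Pure decision function: expired when the stored timestamp is older than the limit.
function is_expired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['timeout']) && ($now - (int)$session['timeout']) > $limit;
}

// Call once, on the login page, only after the credentials were verified.
function start_login_session(string $email, int $userID): void
{
    session_start();
    session_regenerate_id(true);     // issue a fresh session ID for the logged-in user
    $_SESSION['email']   = $email;
    $_SESSION['userID']  = $userID;
    $_SESSION['timeout'] = time();   // set here only, never again before the check
}

// Call at the top of every protected page (the role session.php plays in the question).
function enforce_idle_timeout(): void
{
    session_start();
    // A session without a userID is treated like an expired one, so a missing
    // 'timeout' key can never mean "no timeout".
    if (!isset($_SESSION['userID']) || is_expired($_SESSION, time())) {
        // Destroy before redirecting: the Location header is only a request
        // to the client and may not be followed.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        header('Location: loggedoutDisplay.php');
        exit();
    }
    $_SESSION['timeout'] = time();   // refresh only after the check has passed
}
```

Refreshing the timestamp after a passed check makes this an idle timeout; leaving that last line out turns it into a fixed lifetime measured from login.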