I'm trying to do some protective stuff to prevent pages from accessing databases when a php page has been idle and the session has expired because of inactivity. I'm basing some of it on session_status() and am having issues with that.

Using alerts and console.log, I find the php and js code seems to be ok. When I artificially inject session_status() values, I get the results I expect.

The problem seems to be that session_start() always returns 2 (available) even after the session has timed out.

Should I not expect system_status to be updated automatically after inactivity timeouts? Is there a better way than session_status() to check for session status?

Here is the 'onclick' function that returns '2' for system_status() on an expired page when the button is clicked:

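```javascript
$("#save-to-database").click(function () {
    var active = <?php echo session_status(); ?>;

    if (active == 2) {  // the session is active, do the sort & save
        saveStuff();
    } else {  // the login has expired, abandon this and reload index.php
        // json_encode() emits a valid, quoted JS literal; encodeURIComponent() keeps the query string intact
        window.location.replace("index.php?artist=" + encodeURIComponent(<?php echo json_encode($artist); ?>));
    }
});
```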
Mcbeese
  • We can't help you if we can't see any of your code... – Ben Jan 30 '18 at 21:56
  • `session_status` isn't helpful here. If a session times out due to inactivity (expires) and the user reloads a page and it calls `session_start()`, it will just start a new, fresh session, and then calling session_status() will tell you that it's active. Active and "logged in" are unrelated. – drew010 Jan 30 '18 at 21:56
  • [session_status()](http://php.net/session_status) is to check IF a session is disabled, enabled but none exists, or active. [session_start()](http://php.net/session_start) is to _create_ or _resume_ an existing session. So yes, it's supposed to always return 2 – icecub Jan 30 '18 at 21:57
  • I'd almost mark this as a duplicate for you: https://stackoverflow.com/questions/8311320/how-to-change-the-session-timeout-in-php You can learn a lot from the answer to that question _including_ how to properly deal with a session timeout. – icecub Jan 30 '18 at 22:02
  • @drew010 - yes, I understand that when you call a page the session_start will make it available. The testcase I'm trying (and failing with) is to leave a page idle until the session expires and then click a button. The onclick function checks the session_status without a page load, and the session status still reports active. I'll add the onclick function code to the question above in a minute. – Mcbeese Jan 30 '18 at 22:15
  • @icecub - I don't understand your comment. I'm on a page that has expired. I click a button without reloading the page and that button checks session_status() ... and says it's active. I'm trying to find the simplest way to protect against button actions that should not occur if a session has expired, and I thought session_status would be ideal to catch those cases. – Mcbeese Jan 30 '18 at 22:20
  • onclick is client side, session_status is server side. You can't check it without a page load and invoking PHP. And even in that case, it's not what you want. Sounds like you need an Ajax call that runs code to start the session and use your application's logic for determining if that session is still "logged in" or not. – drew010 Jan 30 '18 at 22:33
  • Agreed. I have that and it works ok. I was hoping that session_status() might be useful as a streamlined version of self-management. Cheers. – Mcbeese Jan 30 '18 at 23:55

1 Answer

This is a long way to go about this but this works fine.

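```php
// Returns true while the session has seen activity within the last 10 minutes.
function isSessionActive() {
    // Calling session_start() on an already active session raises a notice.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // The key is missing on a fresh session, so default to null instead of reading an undefined index.
    $lastActivity = $_SESSION['lastActivity'] ?? null;
    if ($lastActivity !== null && ($lastActivity + (10 * 60) > time())) {
        $_SESSION['lastActivity'] = time(); // refresh the idle timer on every successful check
        return true;
    } else {
        deleteSession();
        return false;
    }
}

// Expires the session cookie and destroys the server-side session data.
function deleteSession() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // session_name() returns the configured cookie name (PHPSESSID by default).
    setcookie(session_name(), "", time() - 3600, '/');
    session_unset();
    session_destroy();
}
```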
Bobby Axe
  • Yes, agree that works fine. I have a working solution almost the same as that but I got excited by the thought of a one-line PHP call that would deal with it. I'll go back to using self-managed timers instead of a php session call. Thanks for confirming. – Mcbeese Jan 31 '18 at 00:12
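
As an added example (not code from the question or the answer): the Ajax check described in the comments, where the button asks the server before it saves and fails closed on any unexpected reply. `session-check.php` is a hypothetical endpoint assumed to run a server-side check such as `isSessionActive()` above and return JSON `{"active": true}` or `{"active": false}`; `decideAction` and `guardedSave` are illustrative names.

```javascript
// Added example. "session-check.php" is a hypothetical endpoint that runs the
// server-side check and replies with JSON: {"active": true} or {"active": false}.

// Decide what the click handler should do from the raw HTTP reply.
// Anything other than a clean 200 + {"active": true} fails closed to "reload".
function decideAction(httpStatus, bodyText) {
  if (httpStatus !== 200) return "reload";          // 401/403/5xx etc.
  let reply;
  try {
    reply = JSON.parse(bodyText);
  } catch (e) {
    return "reload";                                // e.g. an HTML login page came back
  }
  return reply !== null && reply.active === true ? "save" : "reload";
}

// Ask the server, then either save or send the user back to index.php.
// fetchFn, saveFn and redirectFn are injected so the logic runs outside a browser.
async function guardedSave(artist, fetchFn, saveFn, redirectFn) {
  let action = "reload";
  try {
    const res = await fetchFn("session-check.php", {
      method: "POST",
      credentials: "same-origin",                   // send the session cookie
      cache: "no-store",                            // never reuse a stale answer
    });
    action = decideAction(res.status, await res.text());
  } catch (e) {
    action = "reload";                              // network failure: fail closed
  }
  if (action === "save") {
    saveFn();
  } else {
    redirectFn("index.php?artist=" + encodeURIComponent(artist));
  }
  return action;
}

// Browser wiring (jQuery, as in the question):
// $("#save-to-database").click(function () {
//   guardedSave(artist, window.fetch.bind(window), saveStuff,
//               function (url) { window.location.replace(url); });
// });
```

The endpoint that performs the save must repeat the session check on the server; the client-side check only decides what the user sees.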