
I have a MySQL table named 'session'. When a user logs in, the IP is automatically recorded in that table so another person cannot log in as the same user. Now I'm facing a problem: I want to destroy the session automatically, even if the user closes his browser, and delete the record from that table after 5 minutes of inactivity.

braaterAfrikaaner
  • IP != user, so this approach is flawed. It does not look like you're using `$_SESSION`. If not, why not? –  Feb 26 '18 at 21:29
  • Apart from the IP != user problem: You can add an expire time to the session in your database. Update it every time there is 'activity'. And check it before any 'activity' to see if the session has expired. – KIKO Software Feb 26 '18 at 21:35
  • Add a `lastactive` column to your sessions table and update it when he makes a request, or, if you are recording the requests, then the time of the last request with this session token is the `lastactive` time. You end the open sessions when you handle the requests: if the `lastactive` time is old, then end the session (I suggest an `isEnded` column). – Accountant م Feb 26 '18 at 21:48

1 Answer

Firstly, it's important to realise that an IP address is not the same thing as a unique login. A user can very easily switch their IP around (or mask it), and you'll also want situations where people are using the same computer for different accounts.

What I would recommend is to have a traditional login system, and simply create a column called expiry that is automatically set to be 5 minutes after the user first logs in. This could also be updated upon the user performing various activities on the website if you want to extend this 5 minute grace period.

On each of the 'secure' user pages that require the user to be logged in, you can simply run a SELECT request against this column for the user that is logged in. If the timestamp in the database is found to be less than the current time, redirect the user to a forced logout page. If it is greater than the current time, the user is allowed to see the content on the page.

Here's a rough example:

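```php
date_default_timezone_set('YOUR ZONE');

// Fetch the expiry of the logged-in user only.
// Assumptions: $con is a PDO connection, $userId comes from your login code,
// and the users table has an `id` column.
$stmt = $con->prepare("SELECT `expiry` FROM users WHERE `id` = ?");
$stmt->execute([$userId]);

$row = $stmt->fetch();
// NOW() is a MySQL function, not a PHP one, so compare against time() here.
if ($row && strtotime($row['expiry']) >= time()) {
    // Valid, show content
} else {
    header('Location: /logout.php');
    exit; // stop the script so the protected content is never sent
}
```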
Obsidian Age
  • Can you please clarify exactly how it didn't help you so that I can expand upon my answer? Are you having any difficulties? Are you getting any error messages, etc? Did you try it *exactly* as above? – Obsidian Age Feb 26 '18 at 23:22
  • It's kinda messy, when I put the code in my php, white screen shows up – Ted Tandilashvili Feb 27 '18 at 07:41
  • A pure white screen usually indicates a syntax or a parsing error, I'd recommend turning on error reporting as is discussed in [**this post**](https://stackoverflow.com/q/1475297/2341603). Let me know if you have further issues. – Obsidian Age Feb 27 '18 at 22:03
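
The approach suggested in the comments and the answer (a `lastactive` or expiry timestamp checked on every request), as an added example that is not code from any poster: sessions are keyed by a random token instead of the IP, and idle rows are deleted on every login and request, which also covers users who simply closed the browser. The table layout, the function names and the in-memory SQLite stand-in for MySQL are assumptions; in real use pass `time()` as `$now`.

```php
<?php
// Added example, not from the thread. Table/column names are assumptions, and
// in-memory SQLite stands in for MySQL so the script runs offline.
const IDLE_LIMIT = 300; // 5 minutes of inactivity, in seconds

// Delete rows idle past the limit; this also ends sessions of closed browsers.
function purgeIdle(PDO $db, int $now): void {
    $db->prepare('DELETE FROM session WHERE lastactive < ?')->execute([$now - IDLE_LIMIT]);
}

// Returns a fresh token, or null while the account still has a live session.
function login(PDO $db, int $userId, int $now): ?string {
    purgeIdle($db, $now);
    $live = $db->prepare('SELECT 1 FROM session WHERE user_id = ?');
    $live->execute([$userId]);
    if ($live->fetchColumn() !== false) {
        return null;
    }
    $token = bin2hex(random_bytes(32)); // sent to the client; only its hash is stored
    $db->prepare('INSERT INTO session (token_hash, user_id, lastactive) VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $userId, $now]);
    return $token;
}

// Run on every protected request. Returns the user id and slides the window,
// or null when the session is unknown or expired (caller redirects to logout).
function touchSession(PDO $db, string $token, int $now): ?int {
    purgeIdle($db, $now);
    $hash = hash('sha256', $token);
    $sel = $db->prepare('SELECT user_id FROM session WHERE token_hash = ?');
    $sel->execute([$hash]);
    $userId = $sel->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $db->prepare('UPDATE session SET lastactive = ? WHERE token_hash = ?')->execute([$now, $hash]);
    return (int) $userId;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session (token_hash TEXT PRIMARY KEY,
    user_id INTEGER NOT NULL UNIQUE, lastactive INTEGER NOT NULL)');
// Constructed timeline (Unix-style seconds) for user 42.
$token = login($db, 42, 1000);
var_dump(login($db, 42, 1100));            // second login while session is live
var_dump(touchSession($db, $token, 1200)); // activity inside the window
var_dump(login($db, 42, 1501) !== null);   // 301 s after the last activity
var_dump(touchSession($db, $token, 1502)); // the old token afterwards
```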