What I mean by securely is that the user doesn't need to refresh the page for the session to be destroyed. Simply idling should redirect and destroy the session. This is similar to this, from which I've already implemented the code. However, it requires the user to refresh the page, or some JavaScript/jQuery to refresh it for them. But isn't that insecure, since anyone can change the JavaScript running in their browser client? This is my current code:

<?php
require('config.php');
session_start();

// Idle timeout. The threshold here is 10 seconds; 1800 would be the 30 minutes
// the original comments referred to.
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 10)) {
    // last request was longer ago than the idle limit
    $_SESSION = array();   // clear the session data (unset($_SESSION) breaks session handling)
    session_destroy();
    header('Location: login.php');
    session_write_close();
    exit;
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

// Periodic session ID regeneration, same 10-second threshold.
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 10) {
    // session ID has been in use for longer than the limit
    session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time(); // update creation time
}

if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {

    //Do my stuff and show the data to be secured

} else {
    echo "Forbidden";
    exit;
}
?>
Mini
  • When you say "security" what exact attack vector are you protecting against? – zerkms Apr 29 '18 at 03:13
  • @zerkms A lot of modern websites will automatically close your session and redirect you after a period of inactivity. Currently, my webpage, if left untouched, will always be displaying vulnerable info (until a refresh). However, forcing a refresh seems to always use html or js, which can be edited client-side, so the vulnerable data is never removed from the screen. I hope that clarifies my question. If it doesn't just let me know. – Mini Apr 29 '18 at 03:16
  • It does not: "A lot of modern websites will automatically close your session and redirect you after a period" --- so what? What problem do **you** solve? What's a problem with a session that outlives the 30 minutes limit? "so the vulnerable data is never removed from the screen" --- if you served something to the client you don't have control over it. – zerkms Apr 29 '18 at 03:43
  • That answers my question. Thanks so much. – Mini Apr 29 '18 at 03:46
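Added example, not code from the question or from the commenters: the same server-side check restructured so that the expiry decision is a pure function over the session array (testable from the command line without a web server), with the destroy-and-redirect step kept separate. The constant names, the function names `evaluate_session`, `should_rotate_id` and `enforce_session_policy`, and the `?reason=` query parameter are assumptions; `login.php` is the target the question uses. It illustrates the point made in the comments: the server decides on the *next* request whether the cookie still maps to a live session, a client-side timer can neither extend that nor un-send data the browser has already received, and an idle session is therefore terminated the moment the user (or an attacker holding the cookie) tries to use it again.

```php
<?php
// Added example, not code from the question or its comments. Constant and
// function names are hypothetical; login.php is the target used in the question.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS      = 30 * 60;   // no request for 30 minutes -> session ends
const ABSOLUTE_LIFETIME_SECONDS = 8 * 3600;  // hard cap regardless of activity
const ROTATE_ID_SECONDS         = 30 * 60;   // how often to issue a fresh session ID

/**
 * Decide whether the session is still valid and stamp the activity time.
 * Pure: touches only the array it is given, so it can be exercised offline.
 * Returns 'ok', 'expired_idle' or 'expired_absolute'.
 */
function evaluate_session(array &$session, int $now): string
{
    if (isset($session['LAST_ACTIVITY'])
        && $now - (int) $session['LAST_ACTIVITY'] > IDLE_TIMEOUT_SECONDS) {
        return 'expired_idle';
    }
    if (isset($session['CREATED'])
        && $now - (int) $session['CREATED'] > ABSOLUTE_LIFETIME_SECONDS) {
        return 'expired_absolute';
    }
    $session['LAST_ACTIVITY'] = $now;
    if (!isset($session['CREATED'])) {
        $session['CREATED'] = $now;   // first request of this session
        $session['ROTATED'] = $now;   // current session ID issued now
    }
    return 'ok';
}

/** True when the current session ID has been in use longer than ROTATE_ID_SECONDS. */
function should_rotate_id(array $session, int $now): bool
{
    return isset($session['ROTATED'])
        && $now - (int) $session['ROTATED'] > ROTATE_ID_SECONDS;
}

/**
 * Per-request entry point: include before any output on every protected page.
 * The decision is made here, on the server, on the next request; nothing the
 * browser runs can extend the session or revoke what it has already received.
 */
function enforce_session_policy(): void
{
    session_start();
    $now    = time();
    $status = evaluate_session($_SESSION, $now);

    if ($status !== 'ok') {
        $_SESSION = [];                        // clear data (do not unset() the superglobal)
        if (ini_get('session.use_cookies')) {  // expire the cookie in the browser as well
            $p = session_get_cookie_params();
            setcookie(session_name(), '', $now - 42000,
                      $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();                     // server-side state is gone from here on
        header('Location: login.php?reason=' . $status);
        exit;
    }

    if (should_rotate_id($_SESSION, $now)) {
        session_regenerate_id(true);           // invalidate the old ID
        $_SESSION['ROTATED'] = $now;
    }
}

// Offline self-check of the decision logic with a constructed session array.
if (PHP_SAPI === 'cli') {
    $s  = [];
    $t0 = 1700000000;
    assert(evaluate_session($s, $t0) === 'ok');
    assert(evaluate_session($s, $t0 + IDLE_TIMEOUT_SECONDS) === 'ok');        // exactly at the limit is still valid
    assert(evaluate_session($s, $t0 + 2 * IDLE_TIMEOUT_SECONDS + 1) === 'expired_idle');
    $s = ['LAST_ACTIVITY' => $t0, 'CREATED' => $t0 - ABSOLUTE_LIFETIME_SECONDS - 1, 'ROTATED' => $t0];
    assert(evaluate_session($s, $t0 + 1) === 'expired_absolute');
    echo "session policy checks passed\n";
} else {
    enforce_session_policy();
}
```

Run it as `php session_policy.php` to exercise the checks, or `require` it at the top of each protected page in place of the inline block from the question. Any JavaScript countdown that redirects to `login.php` is purely a convenience for the honest user; the security property comes from `evaluate_session` rejecting the stale cookie on the next request, and from the cookie being expired and the server-side record destroyed at that point.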

0 Answers