-1

I have a user login which is only valid for 1 hour. I mean the user can log in to the system and keep doing his work. I am not gonna check the inactive time. I start the calculation from the very beginning of the process, where the user successfully logged in. Whatever the user is doing, I will cache the actions, destroy the session and redirect to the login section every 1 hour after the login.

When the user has successfully logged in, I set the timestamp in a $_SESSION variable in the following manner: `$_SESSION['key_set_time'] = time();`.

The following is the SESSION DESTROY code.

```php
$_SESSION['key_set_time'] = time();
$session_duration = 3600;
$current_time = time();
if(((time() - $_SESSION['key_set_time']) > $session_duration)){
    session_destroy();
}else{
    header('LOCATION:/login.php');
}
```

While debugging I found out that `$_SESSION['key_set_time'] = time();` sets the current time on each and every page reload. It replaces the time when the user logged in, so I am unable to DESTROY the session. How can I prevent the time from being replaced on every page reload? (This process has to be done in the BACKEND ITSELF. This noob note is because of a Stack Overflow answer which is to destroy the SESSION MANUALLY.)

Ramesh
  • `$_SESSION['key_set_time'] = empty($_SESSION['key_set_time']) ? time() : $_SESSION['key_set_time'];` – Parth Shah Jul 17 '18 at 05:02
  • Maybe [this](https://stackoverflow.com/questions/3948230/best-way-to-completely-destroy-a-session-even-if-the-browser-is-not-closed) helps – Empty Brain Jul 17 '18 at 05:03
  • This sounds good. But it's still returning the current timestamp on page refresh. Is this done by a browser cookie? I have no idea how this is happening. – Ramesh Jul 17 '18 at 05:07
  • @EmptyBrain It didn't help. It resets the session in each and every reload. – Ramesh Jul 17 '18 at 05:16
  • Put it in a function. Call it whenever you want to destroy. – Empty Brain Jul 17 '18 at 05:19
  • @EmptyBrain In my case I have to call it in the header. So it's definitely recalled when a page is refreshed – Ramesh Jul 17 '18 at 05:31
  • Just somebody explain to me whether it is possible to keep the old session value on each and every page reload. Because I was unable to find any article about this issue. Everywhere they mentioned inactive time and blah blah.. – Ramesh Jul 17 '18 at 05:34
  • Move `$_SESSION['key_set_time'] = time();` down to the bottom of your code. Also, call `session_unset()` in your if statement before `session_destroy()`. Also add the condition `isset($_SESSION['key_set_time'])` to the if - worth a shot – popeye Jul 17 '18 at 05:40
  • I'm not quite sure how to modify a cookie (like timeout) which is sent via PHP session - the PHPSESSID thingy – popeye Jul 17 '18 at 05:41
  • @kenzotenma How could it be possible to set `$_SESSION['key_set_time'] = time();` at the end? Because my login form is a part of the header. It is displayed on each and every page. When the user is logged in I do something, and if not there is another process. Also my header and footer are separate PHP files. – Ramesh Jul 17 '18 at 05:44
  • By end I mean where your else statement ends – popeye Jul 17 '18 at 05:45
  • @kenzotenma I used `ini_set('session.gc_maxlifetime', 3600);` and `session_set_cookie_params(3600);` at the very beginning. Only then I realized it won't help all the time; sometimes it returns some bugs. – Ramesh Jul 17 '18 at 05:47
  • @kenzotenma That's how the current code exists. – Ramesh Jul 17 '18 at 05:48

1 Answer

0
```php
if (!isset($_SESSION['key_set_time'])) {
    $_SESSION['key_set_time'] = time();
} else if (time() - $_SESSION['key_set_time'] > 3600) {
    // session started more than 1 hour ago
    session_regenerate_id(true);    // change session ID for the current session
    $_SESSION['key_set_time'] = time();  // update creation time
}
```

This should work for your case. Let me know if it doesn't.

You can alter the else if statement as per your needs.

popeye
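An absolute one-hour timeout of the kind the question asks for, as an added example that is not code from the asker or the answerer: the login timestamp is written once, at login, and only read on later requests. The function names are hypothetical, and it is assumed that `enforce_absolute_timeout()` is called only on pages that require a login; `key_set_time`, the 3600-second limit and `/login.php` come from the question.

```php
<?php
declare(strict_types=1);

const SESSION_MAX_AGE = 3600; // absolute lifetime in seconds (1 hour, as in the question)

// Call ONCE, right after the credentials are verified, never on ordinary page loads.
function mark_login(array &$session, int $now): void
{
    $session['key_set_time'] = $now;
}

// True when there is no login timestamp or it is older than the limit.
function is_expired(array $session, int $now, int $maxAge = SESSION_MAX_AGE): bool
{
    return !isset($session['key_set_time'])
        || ($now - (int) $session['key_set_time']) > $maxAge;
}

// Call at the top of every protected page, before any output is sent.
function enforce_absolute_timeout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_expired($_SESSION, time())) {
        return; // still inside the hour: key_set_time is left untouched
    }
    $_SESSION = []; // drop the data held in memory for this request
    if (ini_get('session.use_cookies')) {
        // Expire the session cookie in the browser as well.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy(); // remove the server-side session record
    header('Location: /login.php');
    exit;
}

// Constructed walk-through on the CLI with a plain array and fixed clock values.
if (PHP_SAPI === 'cli') {
    $s = [];
    mark_login($s, 1000000);
    var_dump(is_expired($s, 1000000 + 1800)); // 30 minutes after login
    var_dump(is_expired($s, 1000000 + 3601)); // just past one hour
    var_dump(is_expired([], 1000000));        // no login timestamp at all
}
```

Because the timestamp is stored server-side in the session, the one-hour limit holds even if the client keeps or alters its cookie.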