PHP - make session expire after X minutes

php session session-timeout

22,028

Solution 1

Store a timestamp in the session:

<?php    
$uzer = $_POST['user_name'];
$pass = $_POST['user_pass'];

require ('DB_connection.php');

// Hey, always escape input if necessary!
$result = mysql_query(sprintf("SELECT * FROM accounts WHERE user_Name='%s' AND user_Pass='%s'", mysql_real_escape_string($uzer), mysql_real_escape_string($pass));

if( mysql_num_rows( $result ) > 0)
{
    $array = mysql_fetch_assoc($result);    

    session_start();
    $_SESSION['user_id'] = $uzer;
    $_SESSION['login_time'] = time();
    header("Location:loggedin.php");            
}
else
{
    header("Location:login.php");
}
?>

Check if the timestamp is within the allowed time window (600 seconds is 10 minutes):

<?php
session_start();
if( !isset( $_SESSION['user_id'] ) || time() - $_SESSION['login_time'] > 600)
{
    header("Location:login.php");
}
else
{
    // uncomment the next line to refresh the session, so it will expire after ten minutes of inactivity, and not 10 minutes after login
    //$_SESSION['login_time'] = time();
    echo ( "this session is ". $_SESSION['user_id'] );
    //show rest of the page and all
}
?>

Solution 2

I would look at session_set_cookie_params and ini_set("session.gc_maxlifetime", "18000");

Solution 3

Use session set cookie function in your php file where you will start session, it will expire after as per define x minutes.

session_set_cookie_params(600);

As per above after 10 minutes session is expire.

22,028

Moon

Updated on June 01, 2021

Comments

Moon almost 3 years
i am using the following technique...

From the login.php the form posts to the page check.php where i do this
```
<?php    
$uzer = $_POST['user_name'];
$pass = $_POST['user_pass'];

require ('DB_connection.php');

$result = mysql_query("SELECT * FROM accounts WHERE user_Name='$uzer' AND user_Pass='$pass'");

if( mysql_num_rows( $result ) > 0)
{
    $array = mysql_fetch_assoc($result);    

    session_start();
    $_SESSION['user_id'] = $uzer;
    header("Location:loggedin.php");            
}
else
{
    header("Location:login.php");
}
?>
```
and on loggedin.php page the first thing i do is
```
<?php
session_start();
if( !isset( $_SESSION['user_id'] ) )
{
    header("Location:login.php");
}
else
{
    echo ( "this session is ". $_SESSION['user_id'] );
    //show rest of the page and all
}
?>
```
but once logged in when i directly type the url localhost\myProject\loggedin.php it displays the page...which makes perfect sense because the session has started

what i want to implement is
- The direct URL \ session works for 10 minutes after that the session is terminated\expired\timed out and then use must login again and may get the same session id but after 10 minutes use won't be able to browse with the same session
WHAT DO I NEED TO DO OR LEARN
- Gumbo over 13 years
  
  See How do I expire a PHP session after 30 minutes?
Moon over 13 years

its just that there is > inplace of <
Lekensteyn over 13 years

Corrected. To avoid session fixation, you may want to add session_regenerate_id(false);session_destroy();session_start‌(); after session_start();
Jim over 13 years

gc_maxlifetime is the garbage collector and does not have anything to do with the actual sessions lifetime. Just when it gets moved to the trash. The session_set_cookie_params is correct, however.
Nathan over 12 years

Will this be 10 minutes of no activity or just 10 minutes? I'm trying to use this to make them get logged out if they aren't active for 30 minutes, but I don't know how to...
Lekensteyn over 12 years

This expires after exact 10 minutes after login. If you wish to expire the session after 10 minutes, read the comments in the second code block and uncomment the right line.
Marriott81 about 10 years

I know this is a very old post, but i clicked your link today on april 1st and its spinning. ouch