PHP Session timeout
Solution 1
First, store the last time the user made a request:
<?php
$_SESSION['timeout'] = time();
?>
In subsequent requests, check how long ago they made their previous request (10 minutes in this example):
<?php
if ($_SESSION['timeout'] + 10 * 60 < time()) {
    // session timed out
} else {
    // session ok
}
?>
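A fuller form of the check above, as an added example that is not part of the original answer: it treats a missing timestamp as expired, slides the window on each request, and tears the session down on the server when the limit is passed. IDLE_LIMIT, enforce_idle_timeout() and login.php are hypothetical names chosen for illustration.

```php
<?php
// Added example: server-side idle timeout. IDLE_LIMIT, enforce_idle_timeout()
// and login.php are illustrative names, not from the original answer.
const IDLE_LIMIT = 10 * 60; // seconds, the 10 minutes used above

/**
 * Returns true if the session is still valid and refreshes its timestamp;
 * returns false after tearing the session down.
 */
function enforce_idle_timeout(int $now): bool
{
    // No timestamp means no server-side record of activity (fresh session,
    // or the client dropped its cookie): treat it as not logged in.
    $last = $_SESSION['timeout'] ?? null;

    if (is_int($last) && $now - $last <= IDLE_LIMIT) {
        $_SESSION['timeout'] = $now;   // sliding window: reset on activity
        return true;
    }

    // Expired or missing: wipe server-side data and expire the cookie.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', $now - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    return false;
}

session_start();

if (!enforce_idle_timeout(time())) {
    header('Location: login.php');
    exit;
}
// ... protected page content ...
```

The login handler still sets $_SESSION['timeout'] = time() as in the first snippet; the decision here depends only on data held on the server, so it holds whatever the browser does with the cookie.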
Solution 2
When the session expires the data is no longer present, so something like
if (!isset($_SESSION['id'])) {
    header("Location: destination.php");
    exit;
}
will redirect whenever the session is no longer active.
You can set how long the session cookie is alive using session.cookie_lifetime
ini_set("session.cookie_lifetime","3600"); //an hour
EDIT: If you are timing sessions out due to security concern (instead of convenience), use the accepted answer; as the comments below show, this is controlled by the client and thus not secure. I never thought of this as a security measure.
Solution 3
<script type="text/javascript">
window.setTimeout("location=('timeout_session.htm');",900000);
</script>
In the header of every page has been working for me during site tests (the site is not yet in production). The HTML page it falls to ends the session and just informs the user of the need to log in again. This seems an easier way than playing with PHP logic. I'd love some comments on the idea. Any traps I haven't seen in it?
Solution 4
<?php
session_start();
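if (isset($_SESSION['time']) && time() < $_SESSION['time'] + 10) {
    // last request was under 10 seconds ago: refresh the timestamp
    $_SESSION['time'] = time();
    echo "welcome old user";
} else {
    // first visit or timed out: start a fresh session
    session_destroy();
    session_start();
    $_SESSION['time'] = time();
    echo "welcome new user";
}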
?>
Solution 5
Byterbit's solution is problematic because:
- having the client control expiration of a server side cookie is a security issue.
- if expiration timeout set on server side is smaller than the timeout set on client side, the page would not reflect the actual state of the cookie.
- even if for the sake of comfort in development stage, this is a problem because it won't reflect the right behaviour (in timing) on release stage.
For cookies, setting expiration via session.cookie_lifetime is the right solution design-wise and security-wise! For expiring the session, you can use session.gc_maxlifetime.
Expiring the cookies by calling session_destroy might yield unpredictable results because they might have already been expired.
Making the change in php.ini is also a valid solution but it makes the expiration global for the entire domain which might not be what you really want - some pages might choose to keep some cookies more than others.
user342391
Updated on March 26, 2020
Comments
-
user342391 about 4 years
I am creating a session when a user logs in like so:
$_SESSION['id'] = $id;
How can I specify a timeout on that session of X minutes and then have it perform a function or a page redirect once it has reached X minutes??
EDIT: I forgot to mention that I need the session to timeout due to inactivity.
-
Kzqai about 12 years
possible duplicate of How do I expire a PHP session after 30 minutes?
-
-
Victor Stanciu almost 14 years
you have to remove the quotes around $_SESSION['id']
-
nagates almost 13 years
Even though you're not the voted answer, your solution seems more secure, my question is this, would you have to set that session timeout on each page? I suppose that would make sense as you would want it to restart each time? Secondly do you have to do session_start for each page to get at session data, or just once to kick it off? Thanks
-
Jacco almost 13 years
There are some issues with the session cookie lifetime, most notably, it relies on the client to enforce it. The cookie lifetime is there to allow the client to clean up useless/expired cookies, it is not to be confused with anything security related.
-
mark over 12 years
@jacco: I'm seconding this, downvote. This is just security through obscurity.
-
Olhovsky almost 12 years
But the session can timeout before that, if the default session timeout in your PHPINI is shorter than the time you chose. The timeout is often less than an hour by default. If you don't want the client to control the timeout, you need to combine this code with an ini_set of session.cookie_lifetime. This answer also does not handle the case where a client deletes their cookies.
-
Olhovsky almost 12 years
This answer should be combined with Jacco's answer, to have a complete solution. Jacco's answer does not allow you to modify sessions to be longer than the default, and does not handle the case where a client deletes their cookies.
-
Jacco over 11 years
PHP default is '0' which means: "Until the browser is closed". If the browser deletes the cookie, the $_SESSION['timeout'] var will not be set in the first place. However, I skipped all the other things session management because this question asks about timeout only.
-
Ligemer about 11 years
I agree with Olhovsky. THIS was the correct answer that I was looking for: the ini_set value to expire the session lifetime.
-
David Bradbury about 11 years
Just Googling the first answer you come across and pasting it into Stack Overflow isn't conducive to the point of this site. Moreover, session_cache_expire() has nothing to do with the length of your session so the answer you pasted in has incorrect information.
-
TD_Nijboer over 10 years
"Session.cookie_lifetime" specifies the lifetime of the client/browser cookie. If you want to set the serverside lifetime use "session.gc_maxlifetime". php.net/manual/en/…
-
Rias about 9 years
Make sure to comment your answer and explain where and how you are adding the timeout.
-
Alex G over 7 years
If you have multiple tabs opened with the same site, you must refresh them all to create an activity, otherwise if you keep working in 1 tab, others will show "timeout_session.htm" after timeout. Very frustrating, especially if "timeout_session.htm" is unsetting/destroying session. =)
-
LF00 over 7 years
@DavidBradbury By default the cookie stores the session_id; if the cookie expires, the session_id cannot be accessed when the client makes a request.