PHP Session timeout

242,843

Solution 1

First, store the last time the user made a request:

<?php
  session_start();
  // record the time of this request; overwritten on every page load
  $_SESSION['timeout'] = time();
?>

In subsequent requests, check how long ago they made their previous request (10 minutes in this example):

<?php
  session_start();
  // no timestamp at all (fresh or expired session) counts as timed out
  if (!isset($_SESSION['timeout']) || $_SESSION['timeout'] + 10 * 60 < time()) {
     // session timed out
  } else {
     // session ok
  }
?>

Solution 2

When the session expires the data is no longer present, so something like

if (!isset($_SESSION['id'])) {
    header("Location: destination.php");
    exit;
}

will redirect whenever the session is no longer active.

You can set how long the session cookie is alive using session.cookie_lifetime

ini_set("session.cookie_lifetime","3600"); //an hour

EDIT: If you are timing sessions out due to a security concern (instead of convenience), use the accepted answer; as the comments below show, this is controlled by the client and thus not secure. I never thought of this as a security measure.

Solution 3

<script type="text/javascript">
// after 15 minutes (900000 ms) send the browser to the timeout page
window.setTimeout(function () { location = 'timeout_session.htm'; }, 900000);
</script>

Putting this in the header of every page has been working for me during site tests (the site is not yet in production). The HTML page it falls to ends the session and just informs the user of the need to log in again. This seems an easier way than playing with PHP logic. I'd love some comments on the idea. Any traps I haven't seen in it?

Solution 4

<?php
session_start();

// still within 10 seconds of the last request: refresh the timestamp
if (isset($_SESSION['time']) && time() < $_SESSION['time'] + 10) {
    $_SESSION['time'] = time();
    echo "welcome old user";
} else {
    // no timestamp or too old: throw the session away and start a fresh one
    session_destroy();
    session_start();
    $_SESSION['time'] = time();
    echo "welcome new user";
}
?>

Solution 5

Byterbit's solution is problematic because:

  1. Having the client control the expiration of a server-side cookie is a security issue.
  2. If the expiration timeout set on the server side is smaller than the timeout set on the client side, the page would not reflect the actual state of the cookie.
  3. Even if it is only for the sake of comfort in the development stage, this is a problem because it won't reflect the right behaviour (in timing) in the release stage.

For cookies, setting expiration via session.cookie_lifetime is the right solution, design-wise and security-wise! For expiring the session, you can use session.gc_maxlifetime.

Expiring the cookies by calling session_destroy might yield unpredictable results because they might have already expired.

Making the change in php.ini is also a valid solution, but it makes the expiration global for the entire domain, which might not be what you really want - some pages might choose to keep some cookies longer than others.
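Putting the pieces from Solution 1 and Solution 5 together: the inactivity check below is an added example, not code from any of the answers above. The authoritative "last activity" timestamp lives on the server in $_SESSION; the cookie lifetime is only a hint to the browser, and gc_maxlifetime is raised so PHP's garbage collector does not delete the session before the check runs. The login page name (login.php), the key names last_activity and id, and the 10 minute window are assumptions; the array form of session_set_cookie_params needs PHP 7.3 or newer.

```php
<?php
// Added example: server-side idle timeout for a PHP session.
const IDLE_TIMEOUT = 600; // seconds of inactivity allowed (assumed: 10 minutes)

// GC lifetime must be at least the idle window, or PHP may purge the session
// data before our own check sees it (Solution 5's gc_maxlifetime point).
ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT);

// The browser may discard the cookie earlier, but never later than the server
// allows; the server-side timestamp is what actually ends the session.
session_set_cookie_params([
    'lifetime' => 0,                        // discarded when the browser closes
    'httponly' => true,                     // not readable from JavaScript
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']),
]);
session_start();

/**
 * Sliding inactivity window. Returns true and refreshes the timestamp when the
 * session is still live; returns false after wiping it when it has expired.
 */
function sessionIsActive(int $idleSeconds, int $now): bool
{
    if (isset($_SESSION['last_activity'])
        && ($now - (int) $_SESSION['last_activity']) > $idleSeconds) {
        // Expired: drop all server-side data and issue a new session id so the
        // old id presented by the client is no longer valid for anything.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
        return false;
    }
    $_SESSION['last_activity'] = $now; // any request resets the window
    return true;
}

// Treat "timed out" and "never logged in" the same way: back to the login page.
if (!sessionIsActive(IDLE_TIMEOUT, time()) || !isset($_SESSION['id'])) {
    header('Location: login.php'); // assumed login page; it sets $_SESSION['id']
    exit;
}

echo 'welcome back, user ' . (int) $_SESSION['id'];
```

Because the timestamp is rewritten on every request, a client that keeps its cookie or edits its expiry cannot extend the session beyond what the server records, which is the weakness the comments raise against the cookie_lifetime and JavaScript approaches.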

Author: user342391

Updated on March 26, 2020

Comments

  • user342391
    user342391 about 4 years

    I am creating a session when a user logs in like so:

    $_SESSION['id'] = $id;

    How can I specify a timeout on that session of X minutes and then have it perform a function or a page redirect once it has reached X minutes?

    EDIT: I forgot to mention that I need the session to timeout due to inactivity.

  • Victor Stanciu
    Victor Stanciu almost 14 years
    You have to remove the quotes around $_SESSION['id'].
  • nagates
    nagates almost 13 years
    Even though you're not the voted answer, your solution seems more secure. My question is this: would you have to set that session timeout on each page? I suppose that would make sense, as you would want it to restart each time. Secondly, do you have to do session_start for each page to get at session data, or just once to kick it off? Thanks
  • Jacco
    Jacco almost 13 years
    There are some issues with the session cookie lifetime, most notably, it relies on the client to enforce it. The cookie lifetime is there to allow the client to clean up useless/expired cookies, it is not to be confused with anything security related.
  • mark
    mark over 12 years
    @jacco: I'm seconding this, downvote. This is just security through obscurity.
  • Olhovsky
    Olhovsky almost 12 years
    But the session can time out before that, if the default session timeout in your php.ini is shorter than the time you chose. The timeout is often less than an hour by default. If you don't want the client to control the timeout, you need to combine this code with an ini_set of session.cookie_lifetime. This answer also does not handle the case where a client deletes their cookies.
  • Olhovsky
    Olhovsky almost 12 years
    This answer should be combined with Jacco's answer, to have a complete solution. Jacco's answer does not allow you to modify sessions to be longer than the default, and does not handle the case where a client deletes their cookies.
  • Jacco
    Jacco over 11 years
    PHP default is '0' which means: "Until the browser is closed". If the browser deletes the cookie, the $_SESSION['timeout'] var will not be set in the first place. However, I skipped all the other parts of session management because this question asks about timeout only.
  • Ligemer
    Ligemer about 11 years
    I agree with Olhovsky. THIS was the correct answer that I was looking for: the ini_set value to expire the session lifetime.
  • David Bradbury
    David Bradbury about 11 years
    Just Googling the first answer you come across and pasting it into Stack Overflow isn't conducive to the point of this site. Moreover, session_cache_expire() has nothing to do with the length of your session so the answer you pasted in has incorrect information.
  • TD_Nijboer
    TD_Nijboer over 10 years
    "session.cookie_lifetime" specifies the lifetime of the client/browser cookie. If you want to set the server-side lifetime, use "session.gc_maxlifetime". php.net/manual/en/…
  • Rias
    Rias about 9 years
    Make sure to comment your answer and explain where and how you are adding the timeout.
  • Alex G
    Alex G over 7 years
    If you have multiple tabs open with the same site, you must refresh them all to create activity; otherwise, if you keep working in one tab, the others will show "timeout_session.htm" after the timeout. Very frustrating, especially if "timeout_session.htm" is unsetting/destroying the session. =)
  • LF00
    LF00 over 7 years
    @DavidBradbury By default the cookie stores the session_id; if the cookie expires, the session_id cannot be accessed when the client makes a request.