I have been looking for an answer to this same question. I am a longtime ASP developer on Windows platforms, but I am now getting into PHP projects on Linux. With Windows (ASP) it was easy to set the session timeout in IIS.
Here's an idea of how I plan to deal with this problem:
- Do your normal login / auth page and set the "$user_is_logged_in" or whatever in the session.
- Set a second session variable "$last_access_time". Put the current Unix time stamp using the PHP time functions into this session variable.
- On every page the user will access, do the following:
  - Check if the session already exists, or if the user is already logged in. If not - destroy the session and redirect back to the login page.
  - Get the current Unix time stamp from the server, and also get the time stamp from "$last_access_time" from the session. Compare the two. If ($curr_time - $last_access_time) is greater than say, 15 minutes => destroy the session and spit the user back to the login page.
  - If the times are within 15 minutes of each other, update $last_access_time with the current time stamp, and let the user proceed.
This should basically do the same thing IIS does with sessions. If the user has sat idle for more than the given time limit, their session will still exist, and will still be valid; however, the next time they try to access a page, the script will discover this idle time and force the user to log in again.
How does that idea sound? That's how I think I'll deal with this problem. Hope that helps.
-K
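
The idle-timeout check described in the post above, as an added PHP example that is not part of the original post. The session keys follow the post's variable names; the `/login.php` path, the function names and the `session_regenerate_id()` call at login are assumptions.

```php
<?php
const IDLE_LIMIT_SECONDS = 15 * 60;  // the 15-minute limit from the post
const LOGIN_URL = '/login.php';      // assumed login page path

// Pure decision: is this session logged in and still within the idle limit?
function session_is_fresh(array $session, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    if (empty($session['user_is_logged_in'])) {
        return false;
    }
    $last = $session['last_access_time'] ?? null;
    // A missing or non-integer timestamp is treated as expired.
    return is_int($last) && ($now - $last) <= $limit;
}

// Wipe the session data, the browser cookie and the server-side record.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page, before any output is sent.
function require_active_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now = time();
    if (!session_is_fresh($_SESSION, $now)) {
        end_session();
        header('Location: ' . LOGIN_URL);
        exit;
    }
    $_SESSION['last_access_time'] = $now; // still active: slide the window
}

// Call on the login page after credentials check out (session already started).
function mark_logged_in(): void
{
    session_regenerate_id(true); // new session ID for the authenticated session
    $_SESSION['user_is_logged_in'] = true;
    $_SESSION['last_access_time'] = time();
}
```

Because the timestamp lives in server-side session data and is compared against the server clock, the limit does not depend on the cookie lifetime or on the session garbage collector having run.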