How to force a session timeout?

waxmop

After my users login, I create a session variable like this:

$_SESSION['logged_in'] = true;

And all subsequent pages, at the top of the page I do something like this:

<?php
if (!$_SESSION['logged_in']) {
header("Location: http://login.php");
}
?>

I realized that if one user logs in, but then forgets to go to the logout.php page where I do session_destroy(); then another user could hijack the account.

How do I write a test where if the user has been idle for a long time, then I automatically logout?

leatherback

Well, you could at each pageload store the current time in a session var, and upon each load check for the timedifference between last visit and now()

Absolutely not checked or anything. (My session knowledge is too meagre to code it straight from my head, and the now() only works in mysql, I think). But for generating an idea:

if((now() - $session['lastloadtime']) > 360)
  {
  session_destory;
  }
else
  {
  $lastloadtime = $now();
  }

axo

it's much easier to do that if you use mysql for the session and build your own 'garbage collector' ...

if not, try this:

$now = time();
$timeout = 30 // minutes
ini_set("session.gc_maxlifetime", $timeout * 60);
ini_set("session.cookie_lifetime", $now + $timeout * 60);
ini_set("session.cache_expire", $timeout);
session_name("mysession");
session_start();

perhaps it will be enough for you... 🙂