Well, that would be better handled by Cookies and having an expire time. But you can create a pseudo expire time by storing a timestamp as part of the session. Then just figure out if the difference between the session timestamp and now is greater than the max login time. If so, unset the session (and session_destroy()) and inform them they've been automatically logged out.
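<?php
session_start();
// Elapsed time is now minus the stored timestamp; log out once it exceeds one hour
if(isset($_SESSION['time']) && (strtotime("now")-$_SESSION['time'])>(60*60))
{
    // If the user has been logged in for over one hour
    $_SESSION = array(); // clear the data; unset($_SESSION) would break session handling
    session_destroy();
    die( 'You have been logged out for your security.' );
}
?>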
Now, what you may be thinking is: Well, I want them to stay logged in for longer than an hour if they're actively using the site. That is answered by continually updating the $_SESSION['time'] value each time the page is accessed.
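<?php
session_start();
// Elapsed time is now minus the stored timestamp; log out after one idle hour
if(isset($_SESSION['time']) && (strtotime("now")-$_SESSION['time'])>(60*60))
{
    $_SESSION = array(); // clear the data; unset($_SESSION) would break session handling
    session_destroy();
    die('You were logged out for your protection.');
}
else
{
    // Update the time, so they're still logged in.
    $_SESSION['time'] = strtotime("now");
}
?>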
And you could always do the reverse, and create a timestamp of one hour in the future, and then compare if now is less than that timestamp, update. If not, it's time to log them out.
~Brett
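
Added example, not part of the post above: the "reverse" variant it describes, storing an expiry timestamp in the future and sliding it forward on each request. It goes beyond the post by also enforcing a hard cap on total login time and expiring the session cookie; the key names `login_at` and `expires_at`, the 8-hour cap and the helper function names are assumptions made for this sketch.

```php
<?php
// Added example. Key names, limits and helper names are assumptions, not from the post.
const IDLE_LIMIT     = 3600;   // seconds of inactivity allowed (the post's one hour)
const ABSOLUTE_LIMIT = 28800;  // assumed hard cap on total login time (8 hours)

// Call once after a successful login.
function start_login(array &$session, int $now): void
{
    $session['login_at']   = $now;
    $session['expires_at'] = $now + IDLE_LIMIT;
}

// Returns true and slides the idle deadline forward if the session is still
// valid; returns false if the caller must log the user out.
function session_still_valid(array &$session, int $now): bool
{
    // Missing timestamps mean no login was recorded: treat as expired.
    if (!isset($session['expires_at'], $session['login_at'])) {
        return false;
    }
    if ($now >= $session['expires_at']) {                 // idle too long
        return false;
    }
    if ($now - $session['login_at'] >= ABSOLUTE_LIMIT) {  // logged in too long
        return false;
    }
    $session['expires_at'] = $now + IDLE_LIMIT;           // active: push deadline out
    return true;
}

function force_logout(): void
{
    $_SESSION = array();                       // clear data for this request
    if (ini_get('session.use_cookies')) {      // expire the session cookie as well
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();                         // remove the server-side session data
}

session_start();
// Only logged-in sessions carry login_at; anonymous visitors are left alone.
if (isset($_SESSION['login_at']) && !session_still_valid($_SESSION, time())) {
    force_logout();
    die('You were logged out for your protection.');
}
```

Because the current time is passed in as `$now`, the expiry logic can be exercised with fixed timestamps without waiting an hour.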