[RESOLVED] How do you get sessions to automatically time out?

juronimo

I have an applications with sessions.

What happens is the following

User logs in
Session starts
Session ID is assigned, scrambled wiht MD5() and save in database

On manual logout this happens
1. Logout class is instatiated
2. Session is destroyed
3. Session ID in DB is set to empty string in DB
4. User is redirected

I also use ini_set() to set the time out to one hour.

How do you get the logout script to execute automatically after the session times out? Basically if there is no activity after one hour, I want to redirect the user to the logout page where the script executes.

bradgrafelman

I would say add a variable to your session and whenever they load a page, update it with the current [man]time/man.

That way, you could check on each pageload if the difference between the current time and the stored time (last activity) is greater than 3600 seconds (1 hour). If it is, call your logout routine. If it's not, update the timestamp in the session and carry on as usual.

ShawnK

Brad, if they are inactive...then there will be no oppritunity to check via page loads? correct?

bradgrafelman

Right, the check would only be performed the next time they access something.

If there's some practical purpose of immediately clearing out their session data after they are considered "inactive," I'm all for hearing it - there's probably ways to achieve the end goal. I just didn't see any practical reason mentioned, so I figured this would be the easiest route.

ShawnK

I know my online bank, BankOfAmerica uses a javascript timer, and aftre 10 minutes of inactivity it uses an alert() and redirects to my log out page...

juronimo

bradgrafelman wrote:
Right, the check would only be performed the next time they access something.

If there's some practical purpose of immediately clearing out their session data after they are considered "inactive," I'm all for hearing it - there's probably ways to achieve the end goal. I just didn't see any practical reason mentioned, so I figured this would be the easiest route.

I did what you suggested, and it works on page loads. After 1 hour if a user tries to access something, it logs them out. However if the user logs in and the session reminds idle for an extended period of time, the session won't know to log them out until a user does something.

The BofA setup would be perfect for what I'm trying to do. That's possible with javascript? That might be the solution I'm looking for.

If anyone else has any suggestions, I'm open to it. Thanks for your help so far.

devinemke

you could run a cron every hour that polls the db for any sessions that have had no activity for an hour and run your logout routine on those rows.

juronimo

I think I found a solution.

http://www.devshed.com/c/a/JavaScript/Using-Timers-in-JavaScript/1/

It's a tutorial on how to use javascript timers. What I can do is if there's an hour of inactivity I can redirect the page to the logout script, which clears the sessions from the db.

I don't know if I'll be able to use crons as I don't have access to a dedicated box with SSH access but maybe in a future implementation I might do something like that.

I'll report back to let you guys know if this works.

bradgrafelman

Out of curiosity, why is it important that the session be immediately "expired" after a certain time rather than on the next page load? Is there some sort of counter you're using that shows the number of active sessions?

juronimo

bradgrafelman wrote:
Out of curiosity, why is it important that the session be immediately "expired" after a certain time rather than on the next page load? Is there some sort of counter you're using that shows the number of active sessions?

It's an application where an administrator has to see how many users are online and using the application, so that the administrator can assign the users work in real time. I don't want the users to be assigned work if they're not active.

juronimo

The javascript is working well. I'll mark the thread resolved.