Force PHP session to expire after one minute?

         

JAB Creations

1:07 am on Jun 1, 2010 (gmt 0)




Regardless of how much reading and testing I keep doing I can't seem to get my site on localhost to kill the session and thus automatically log me out.

I've tried things like this...

ini_set('session.gc_maxlifetime',1);
ini_set('session.gc_probability',1);
ini_set('session.gc_divisor',1);


...and I'm still signed in a minute and a few seconds later after not touching my computer at all.

Suggestions please?

omoutop

6:01 am on Jun 1, 2010 (gmt 0)




try this (untested)

session_start();
// set timeout period in seconds
$inactive = 60;
// check to see if $_SESSION['timeout'] is set
if (isset($_SESSION['timeout']))
{
    $session_life = time() - $_SESSION['start'];
    if ($session_life > $inactive)
    {
        session_destroy();
        header("Location: logoutpage.php");
        exit; // stop the script so nothing else runs after the redirect
    }
}
$_SESSION['timeout'] = time();

Matthew1980

7:24 am on Jun 1, 2010 (gmt 0)




Hi there JAB_creations,

I had this recently, and I pretty much did what omoutop suggests, with the exception of using unset($_SESSION); in conjunction with session_destroy($_SESSION); then I just popped this into a function and placed it at the top of the main header file, so that every time I tried a link the page was redirected to login/home page - or whatever you like (obviously ;))

I never messed with the ini file though as I prefer not to touch that.

Other than that, $_SESSION by default will last a while, as the PHPSESSID will still be there, and I think (though I could be wrong) that sessions last for 25 mins by default, and you can only end them by shutting down the browser.

Alternatively you can set a $_COOKIE and just use that as a counter of sorts and whenever a link is clicked check & re-check the $_COOKIE to see if the session is valid and if not, re-login.

There are a few options available, and even though isset() and empty() are the same, I get more 'cooperation' from using empty() to check a $_SESSION - I do wish I could figure that one out ;)

Cheers,
MRb

jatar_k

1:13 pm on Jun 1, 2010 (gmt 0)




gc is unreliable, servers seem to be creative too often

standard is to set a timestamp at login
compare with your timeout
if it hasn't timed out then refresh the timestamp

shouldn't this
$session_life = time() - $_SESSION['start'];
be
$session_life = time() - $_SESSION['timeout'];

I don't use the cookie as the timer as that is then stored on the user side, I know there is always a cookie but it only contains a session id, no data

>> sessions last for 25 mins by default

it's a server setting so it can be anything but the most common is 30 mins

>> even though isset() and empty() are the same

ah but they are not. isset checks that a var exists within scope and is not NULL.

empty on the other hand checks to see if the var has a value of empty, there are a few things that are considered empty. some comparisons to isset on the page as well
[php.net...]

I usually do checks for isset and not empty and of the appropriate type when checking existence of session vars and I check all standard session elements.
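
The timestamp check described in the post above, written out as an added example that is not code from any poster in this thread. IDLE_LIMIT, check_idle(), end_session(), the last_activity key and login.php are hypothetical names chosen for illustration. The timeout is enforced on the server from session data, so it does not depend on garbage collection or on the cookie lifetime held by the browser.

```php
<?php
// Added example: server-side idle timeout. All names here are assumptions.
const IDLE_LIMIT = 60; // seconds of inactivity allowed

// Decide the session state and refresh the timestamp while it is valid.
// Takes the session array by reference so it can be exercised without HTTP.
function check_idle(array &$session, int $now, int $limit = IDLE_LIMIT): string
{
    if (!isset($session['last_activity'])) {
        $session['last_activity'] = $now;   // first request: start the clock
        return 'new';
    }
    $last = $session['last_activity'];
    // isset alone is not enough: also require the expected type
    if (!is_int($last) || $now - $last > $limit) {
        return 'expired';
    }
    $session['last_activity'] = $now;       // not timed out: refresh
    return 'active';
}

// Tear the session down completely: data, cookie, then server-side storage.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    // Web request: put this at the top of the shared header file.
    session_start();
    if (check_idle($_SESSION, time()) === 'expired') {
        end_session();
        header('Location: login.php');      // placeholder target
        exit;                               // nothing runs after the redirect
    }
} else {
    // Constructed sample run: requests at 0, 30, 89 and 150 seconds.
    $s = [];
    foreach ([0, 30, 89, 150] as $t) {
        echo $t, 's: ', check_idle($s, 1000 + $t), PHP_EOL;
    }
}
```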

JAB Creations

5:37 am on Jun 7, 2010 (gmt 0)




I finally got this working both locally and live; not sure what I was doing wrong, might have been setting the name before the timeout? Anyway, thanks for the replies!

- John

session_set_cookie_params(30); // 30 seconds
session_name('user');
session_start();

[edited by: JAB_Creations at 5:40 am (utc) on Jun 7, 2010]