session_start();

// 10 mins in seconds
$inactive = 600; 

$session_life = time() - $_session['timeout'];

if($session_life > $inactive)
{  session_destroy(); header("Location: logoutpage.php");     }

S_session['timeout']=time();

I'd been looking for a solution to this problem as well and had no success with most of the suggestions I'd come across (namely those involving "session.gc.maxlifetime"). Maybe I was implementing them wrong or something...I don't know. But this solution from Amigura finally worked the way I wanted it to. Or it ALMOST did anyway. The following slight rewrite to Amigura's code worked perfectly:

session_start();

// set timeout period in seconds
$inactive = 600;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

At first the original code just kept redirecting me back to my login page because "$_SESSION['timeout']" didn't exist until after the inactivity check on the first page after login. And you obviously can't set the timeout variable just before you check for inactivity or it will never timeout. Once I added the check that makes sure the timeout variable exists before it checks for inactivity and corrected the typo where Amigura used an "S" instead of a "$," it worked like a champ. Thanks and I hope this helps others with the same problem.

yeah the isset would of helped :$
nice rewrite Rockcreektech apart from $_SESSION['start'] needs to be $_SESSION['timeout'];

Oops :$

I changed $_SESSION['timeout'] to $_SESSION['start'] on my own script. Then I decided I should probably keep it as close to yours as possible when I posted my rewrite on the site, but I forgot to change that one back apparently. The fully corrected code should be:

session_start();

// set timeout period in seconds
$inactive = 600;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
	$session_life = time() - $_SESSION['timeout'];
	if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

Thanks again Amigura.

Hi all,

I'm kinda newbie at this. But I was just wondering where are you placing this code? On every page? or just on the main login page, etc? Thanks

Mike

Oops :$

I changed $_SESSION['timeout'] to $_SESSION['start'] on my own script. Then I decided I should probably keep it as close to yours as possible when I posted my rewrite on the site, but I forgot to change that one back apparently. The fully corrected code should be:

session_start();

// set timeout period in seconds
$inactive = 600;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
	$session_life = time() - $_SESSION['timeout'];
	if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

Thanks again Amigura.

It needs to go on every page. And keep in mind this is only the timeout script...not the script that checks to make sure you're logged in. This just makes sure that if someone walks away after they logged in that they get logged back out. The complete script that I put at the top of every page on my site is this:

session_cache_expire( 20 );
session_start(); // NEVER FORGET TO START THE SESSION!!!
$inactive = 1200;
if(isset($_SESSION['start']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive){
		header("Location: user_logout.php");
	}
}
$_SESSION['start'] = time();

if($_SESSION['valid_user'] != true){
header('Location: ../index.php');

}else{

Notice that it's basically the timeout script (with a little modification) followed by a script that checks to see if the session variable "$_SESSION['valid_user']" is set to "true" and sends you back to the login page if it's not. Then all you have to do is set $_SESSION['valid_user'] to "true" when the person successfully logs in they'll have access to every page that has this at the top. But if they sit idle for longer the the value of $inactive (in my case 20 minutes) the session automatically gets destroyed which unsets $_SESSION['valid_user'] thus making it so they can't get back to the protected pages without logging in again.

I'm sure that was WAY more information than you were probably hoping for :D but maybe it'll help somebody. Good luck with it.Hi all,

I'm kinda newbie at this. But I was just wondering where are you placing this code? On every page? or just on the main login page, etc? Thanks

Mike

HI,

New to PHP coding and tried the timeout code which works, but I would like it to, after the session destroy, automatically go to the login page. What it now is stay in the secured area and then when you click on another link it goes to the login page. Say the user has private information that they have displaying and forgot to log off. It will sit there until one tries to access another page.

Any help will be greatly appreciated.

hi roberts,
in login page we first write like this right

<?
session_start(); 
include('functions.php');

if($_SERVER['REQUEST_METHOD']=="POST"){

	$qer="select * from users where username='".$_POST['username']."' and password='".$_POST['password']."'";
	$res=mysql_query($qer);
	$num=mysql_num_rows($res);
	if($num==0)
		{
			$msg=1;
		}
	else if($num==1)
		{
			session_unregister("user_name");
			session_register("user_name");
			$_SESSION['user_name']=$_POST['username'];
			
			session_unregister("adminid");
			session_register("adminid");
			$_SESSION['userid']=getdata("user","id","username='".$_POST['username']."' and password='".$_POST['password']."'");

			echo'<script language="javascript">window.location.href="welcome.php";</script>';
		}
}
?>

so,every time user forget to log out the session will destroy after sometime
and the method u want to use ""What it now is stay in the secured area and then when you click on another link it goes to the login page" is really unsafe and as mentioned u can set session destroy time

Leslie,

You'll notice in the script that, if the session has reached the timeout period, a page refresh or trying to go to another secure page will destroy the session then cause the browser to redirect to a file called "logoutpage.php". This could just as easily be "loginpage.php" or anywhere else you might want it to go. Then if you want to make it so that the user cannot accidentally leave secure information visible on screen indefinitely until someone tries to refresh or access another page then all you'd have to do is put something like:

<meta http-equiv="refresh" content="605">

into the html part of your secure pages. This will force the browser to refresh the page 5 seconds after my 600 second (10 minute) timeout interval, thus causing the session to be destroyed and the browser to redirect to "logoutpage.php" automatically without a human needing to be present. Of course you can set the times for whatever you want, just as long as the refresh time (content="605" in this case) is longer than the timeout period. Otherwise the browser would automatically keep the session alive forever.HI,

New to PHP coding and tried the timeout code which works, but I would like it to, after the session destroy, automatically go to the login page. What it now is stay in the secured area and then when you click on another link it goes to the login page. Say the user has private information that they have displaying and forgot to log off. It will sit there until one tries to access another page.

Any help will be greatly appreciated.

hi every body,

i think u can user ajax tech. to kill PHP session .

:idea:

what or were do you initalize timeout?

session_start();

// 10 mins in seconds
$inactive = 600; 

$session_life = time() - $_session['timeout'];

if($session_life > $inactive)
{  session_destroy(); header("Location: logoutpage.php");     }

S_session['timeout']=time();

Does it have to explicitly have to go on every page or could I include "expire.php"; ? Also... on user_logout.php, would I need to specifically unset and destroy the session or does cache expiration take care of that for me well enough?

My dev server is at home so I don't worry about it too much. Once things are working right they get moved to shared hosting... so no access to php.ini, I just want to make sure I don't have to create a new path for my junk just to avoid being an annoying e-neighbor.

It needs to go on every page. And keep in mind this is only the timeout script...not the script that checks to make sure you're logged in. This just makes sure that if someone walks away after they logged in that they get logged back out. The complete script that I put at the top of every page on my site is this:

session_cache_expire( 20 );
session_start(); // NEVER FORGET TO START THE SESSION!!!
$inactive = 1200;
if(isset($_SESSION['start']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive){
		header("Location: user_logout.php");
	}
}
$_SESSION['start'] = time();

if($_SESSION['valid_user'] != true){
header('Location: ../index.php');

}else{

Notice that it's basically the timeout script (with a little modification) followed by a script that checks to see if the session variable "$_SESSION['valid_user']" is set to "true" and sends you back to the login page if it's not. Then all you have to do is set $_SESSION['valid_user'] to "true" when the person successfully logs in they'll have access to every page that has this at the top. But if they sit idle for longer the the value of $inactive (in my case 20 minutes) the session automatically gets destroyed which unsets $_SESSION['valid_user'] thus making it so they can't get back to the protected pages without logging in again.

I'm sure that was WAY more information than you were probably hoping for :D but maybe it'll help somebody. Good luck with it.

Hi everyone,

I know this is an old post but I was just thinking this would be a complete how-to if there was the addition of a javascript popup warning the user that their session is about to expire. Say if you use 605 as in the previous example then the javascript popup would set the warning at 585 if you want 20 second warning and an option to refresh or click ok to let the session end. It would come in real handy if a user is typing a long text in a text box so it doesn't end the session and make them loose everything they typed when they go to click the submit button.

That happens in my webmail with exchange quite often because they have it set to timeout too soon at my place of work. I click send and it takes me to the login page but my email I spent 5 or 10 minutes writing just disapears.

I'll put in the script when I get home tonight unless someone else wants to go ahead and post it.

<?
$a = 3000000;
for($i=0;$i<$a;$i++){
?>

<?
}
?>

Hi all,

I'm kinda newbie at this. But I was just wondering where are you placing this code? On every page? or just on the main login page, etc? Thanks

Mike

Put it on separate page and include it on every page needed!

Hi everyone,

I know this is an old post but ....

Start the New thread then. Let the old one die natural death :)

Hmm you dont have to put on every page... you could simply make it part of an included part such as a header.php :)

but thanks for the info :P

Thank you! You really helped me

hello, why do you need the session_cache_expire(20) ? It seems that the rest of the code does not need it.
Thank you