Hi All,
How can i set the session time out in PHP if the user stays inactive for a certain time in a web page.Please help me to solve this..

Thanks

session_start();

// 10 mins in seconds
$inactive = 600; 

$session_life = time() - $_session['timeout'];

if($session_life > $inactive)
{  session_destroy(); header("Location: logoutpage.php");     }

S_session['timeout']=time();

I'd been looking for a solution to this problem as well and had no success with most of the suggestions I'd come across (namely those involving "session.gc.maxlifetime"). Maybe I was implementing them wrong or something...I don't know. But this solution from Amigura finally worked the way I wanted it to. Or it ALMOST did anyway. The following slight rewrite to Amigura's code worked perfectly:

session_start();

// set timeout period in seconds
$inactive = 600;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

At first the original code just kept redirecting me back to my login page because "$_SESSION" didn't exist until after the inactivity check on the first page after login. And you obviously can't set the timeout variable just before you check for inactivity or it will never timeout. Once I added the check that makes sure the timeout variable exists before it checks for inactivity and corrected the typo where Amigura used an "S" instead of a "$," it worked like a champ. Thanks and I hope this helps others with the same problem.

yeah the isset would of helped :$
nice rewrite Rockcreektech apart from $_SESSION needs to be $_SESSION;

Oops :$

I changed $_SESSION to $_SESSION on my own script. Then I decided I should probably keep it as close to yours as possible when I posted my rewrite on the site, but I forgot to change that one back apparently. The fully corrected code should be:

session_start();

// set timeout period in seconds
$inactive = 600;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
	$session_life = time() - $_SESSION['timeout'];
	if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

Thanks again Amigura.

Hi all,

I'm kinda newbie at this. But I was just wondering where are you placing this code? On every page? or just on the main login page, etc? Thanks

Mike

Oops :$

I changed $_SESSION to $_SESSION on my own script. Then I decided I should probably keep it as close to yours as possible when I posted my rewrite on the site, but I forgot to change that one back apparently. The fully corrected code should be:

session_start();

// set timeout period in seconds
$inactive = 600;

// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
	$session_life = time() - $_SESSION['timeout'];
	if($session_life > $inactive)
        { session_destroy(); header("Location: logoutpage.php"); }
}
$_SESSION['timeout'] = time();

Thanks again Amigura.

It needs to go on every page. And keep in mind this is only the timeout script...not the script that checks to make sure you're logged in. This just makes sure that if someone walks away after they logged in that they get logged back out. The complete script that I put at the top of every page on my site is this:

session_cache_expire( 20 );
session_start(); // NEVER FORGET TO START THE SESSION!!!
$inactive = 1200;
if(isset($_SESSION['start']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive){
		header("Location: user_logout.php");
	}
}
$_SESSION['start'] = time();

if($_SESSION['valid_user'] != true){
header('Location: ../index.php');

}else{

Notice that it's basically the timeout script (with a little modification) followed by a script that checks to see if the session variable "$_SESSION" is set to "true" and sends you back to the login page if it's not. Then all you have to do is set $_SESSION to "true" when the person successfully logs in they'll have access to every page that has this at the top. But if they sit idle for longer the the value of $inactive (in my case 20 minutes) the session automatically gets destroyed which unsets $_SESSION thus making it so they can't get back to the protected pages without logging in again.

I'm sure that was WAY more information than you were probably hoping for :D but maybe it'll help somebody. Good luck with it.

Hi all,

I'm kinda newbie at this. But I was just wondering where are you placing this code? On every page? or just on the main login page, etc? Thanks

Mike

HI,

New to PHP coding and tried the timeout code which works, but I would like it to, after the session destroy, automatically go to the login page. What it now is stay in the secured area and then when you click on another link it goes to the login page. Say the user has private information that they have displaying and forgot to log off. It will sit there until one tries to access another page.

Any help will be greatly appreciated.

hi roberts,
in login page we first write like this right

<?
session_start(); 
include('functions.php');

if($_SERVER['REQUEST_METHOD']=="POST"){

	$qer="select * from users where username='".$_POST['username']."' and password='".$_POST['password']."'";
	$res=mysql_query($qer);
	$num=mysql_num_rows($res);
	if($num==0)
		{
			$msg=1;
		}
	else if($num==1)
		{
			session_unregister("user_name");
			session_register("user_name");
			$_SESSION['user_name']=$_POST['username'];
			
			session_unregister("adminid");
			session_register("adminid");
			$_SESSION['userid']=getdata("user","id","username='".$_POST['username']."' and password='".$_POST['password']."'");

			echo'<script language="javascript">window.location.href="welcome.php";</script>';
		}
}
?>

so,every time user forget to log out the session will destroy after sometime
and the method u want to use ""What it now is stay in the secured area and then when you click on another link it goes to the login page" is really unsafe and as mentioned u can set session destroy time

Leslie,

You'll notice in the script that, if the session has reached the timeout period, a page refresh or trying to go to another secure page will destroy the session then cause the browser to redirect to a file called "logoutpage.php". This could just as easily be "loginpage.php" or anywhere else you might want it to go. Then if you want to make it so that the user cannot accidentally leave secure information visible on screen indefinitely until someone tries to refresh or access another page then all you'd have to do is put something like:

<meta http-equiv="refresh" content="605">

into the html part of your secure pages. This will force the browser to refresh the page 5 seconds after my 600 second (10 minute) timeout interval, thus causing the session to be destroyed and the browser to redirect to "logoutpage.php" automatically without a human needing to be present. Of course you can set the times for whatever you want, just as long as the refresh time (content="605" in this case) is longer than the timeout period. Otherwise the browser would automatically keep the session alive forever.

HI,

New to PHP coding and tried the timeout code which works, but I would like it to, after the session destroy, automatically go to the login page. What it now is stay in the secured area and then when you click on another link it goes to the login page. Say the user has private information that they have displaying and forgot to log off. It will sit there until one tries to access another page.

Any help will be greatly appreciated.

what or were do you initalize timeout?

session_start();

// 10 mins in seconds
$inactive = 600; 

$session_life = time() - $_session['timeout'];

if($session_life > $inactive)
{  session_destroy(); header("Location: logoutpage.php");     }

S_session['timeout']=time();

Does it have to explicitly have to go on every page or could I include "expire.php"; ? Also... on user_logout.php, would I need to specifically unset and destroy the session or does cache expiration take care of that for me well enough?

My dev server is at home so I don't worry about it too much. Once things are working right they get moved to shared hosting... so no access to php.ini, I just want to make sure I don't have to create a new path for my junk just to avoid being an annoying e-neighbor.


It needs to go on every page. And keep in mind this is only the timeout script...not the script that checks to make sure you're logged in. This just makes sure that if someone walks away after they logged in that they get logged back out. The complete script that I put at the top of every page on my site is this:

session_cache_expire( 20 );
session_start(); // NEVER FORGET TO START THE SESSION!!!
$inactive = 1200;
if(isset($_SESSION['start']) ) {
	$session_life = time() - $_SESSION['start'];
	if($session_life > $inactive){
		header("Location: user_logout.php");
	}
}
$_SESSION['start'] = time();

if($_SESSION['valid_user'] != true){
header('Location: ../index.php');

}else{

Notice that it's basically the timeout script (with a little modification) followed by a script that checks to see if the session variable "$_SESSION" is set to "true" and sends you back to the login page if it's not. Then all you have to do is set $_SESSION to "true" when the person successfully logs in they'll have access to every page that has this at the top. But if they sit idle for longer the the value of $inactive (in my case 20 minutes) the session automatically gets destroyed which unsets $_SESSION thus making it so they can't get back to the protected pages without logging in again.

I'm sure that was WAY more information than you were probably hoping for :D but maybe it'll help somebody. Good luck with it.

Hi everyone,

I know this is an old post but I was just thinking this would be a complete how-to if there was the addition of a javascript popup warning the user that their session is about to expire. Say if you use 605 as in the previous example then the javascript popup would set the warning at 585 if you want 20 second warning and an option to refresh or click ok to let the session end. It would come in real handy if a user is typing a long text in a text box so it doesn't end the session and make them loose everything they typed when they go to click the submit button.

That happens in my webmail with exchange quite often because they have it set to timeout too soon at my place of work. I click send and it takes me to the login page but my email I spent 5 or 10 minutes writing just disapears.

I'll put in the script when I get home tonight unless someone else wants to go ahead and post it.

<?
$a = 3000000;
for($i=0;$i<$a;$i++){
?>
<SCRIPT LANGUAGE="JavaScript" TYPE="text/javascript">
alert ("Time=Get(time) . <? echo $i; ?> left : <? echo $a-$i; ?>")
</SCRIPT>
<?
}
?>

Hi all,

I'm kinda newbie at this. But I was just wondering where are you placing this code? On every page? or just on the main login page, etc? Thanks

Mike

Put it on separate page and include it on every page needed!

Hmm you dont have to put on every page... you could simply make it part of an included part such as a header.php :)

but thanks for the info :P

hello, why do you need the session_cache_expire(20) ? It seems that the rest of the code does not need it.
Thank you

I was curious if anyone had an addition to this post that would allow it to have a popup window asking if user wanted to refresh their time? Any clue how this could be added. Never done much with popups. Also, I want to pull time from database and update database upon refresh. Anyone know how to do this? if so, can you post code please??

Edited 4 Years Ago by pritaeas: Removed reference to next post (was removed)

I did :) and while this was very helpful I am having problems getting it to work in the "website in a box" setup I am using. I am probably trying too hard.

I have one more question, in my web application if i deletes the history still m able to access my application. It should not allow me to access the application right?
please any suggestion for this it will helps me.

you ALWAYS have to die() after header('location

otherwise the page continues through and session varibles can get really really goofy. See the manual.

If you use any code in this thread and give the server heavy load, nobody can logout because it destorys the session, then creates a new one with a new session time on the same page before logout.php can load.

header('logout.php'); die; // fixed.

Edited 2 Years Ago by poetfreak: gave example and explained

Using this is it possible to tell the user session expired please login again?

<meta http-equiv="refresh" content="605">

This would just refresh the page after 10 minutes. Yes if session expired, then you'd need to log in again. Forcing a refresh (page reload) is not nice though. Don't think I'd like it.

Jay_14 this is a seven years old post , why in earth would you like to contribute to something that is really out of date ? If you want just to announce yourself there is always the community. Also the answer you gave seems seven years old also , (back then I used more advanced techniques for such things than that, but lets say that seven years ago that would be considered as an option to non professionals). Are you a time traveler from SEVEN years ago that don't want to embrace future (or even present) ?

This is not just a comment , I would really love to read why you decided to post that. I can't understand it , and if something is so alien I give many efforts to got it. Please help me to understand you. Why did you posted this , and how did you find this thread ?

Hi I have been stuck on setting session timeout to my page. I would like the session timeout to work on pages after user logs in. However, I not sure on how to get it done. How to check whether user is log in?

 if (! isset ( $_SESSION ["isLoggedIn"] ) || ! ($_SESSION ['isLoggedIn']))

I found this but it seems both is similar. Correct me if i am wrong. I know it is an old post but I hope someone willing to help me.

SitiNuraini this is not an old post , this is seven years old post , more over it has been solved . Why do you hesitate to create a new thread to express the problem you have ? And if we can help we will

This article has been dead for over six months. Start a new discussion instead.