I have read several replies here and I am in the process of testing them now, but since this is a problem I need an urgent fix for, I thought it would not hurt to ask again. We have an Apache website that is extremely simple in design. Its main security is simply a username password setup.
We recently got a complaint from one of the people who posts items on the site that he left his laptop and browser open and running on the site when he went home. While this could easily be fixed by telling people to log out when done, I need to find a way to "do it for them" after maybe 5 minutes of inactivity.
While I would not want to go to the next level at this point, I just wondered how hard it would be to force each user to "re-authenticate" every 15 minutes or so? Any help on either or both would be greatly appreciated.
The login script is PHP and contains the procedure for "logout" as well, and I was thinking of writing a timer into it that would force the logout after 15 minutes, but it would be better to watch for someone who just walked away from their system leaving it open and not being used but left their secured access open for others to use.
I'm assuming you're using a session to track the login. Within the session just keep a "last activity" timestamp that gets checked and updated every time a different page is loaded. When a page is loaded, check the "last activity" against the current time: if more than your timeout time has elapsed, i.e. (currenttime - lastactivity) > yourtimeout, log the user out; if it is less than your timeout, update the lastactivity with the current time.
Use a cookie to track the login, and give it an expiry time of 15 minutes from creation. Every time they load another page, or reload the current page, you check for a cookie and if they're logged in you renew the expiry time. If they're going to spend a long time on the same page, this can be an issue.
Use a session to track login. Run a script with a timeout after 15 minutes, and have it close the page at the timeout. The timer will reset every time they reload the page, extending it for another 15 minutes. You can (and probably should for safety's sake) set the script to run a confirmation box at the 15 minute mark so that it gives them a chance to extend the time without reloading the page (but only give them say 30 seconds to click OK on the confirmation box, otherwise it'll never close the page).
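An added example, not code from any of the posts above: the server-side "last activity" check from the first reply, combined with the forced re-authentication the question asks about. The session keys `user`, `login_time` and `last_activity`, the function name and the `/login.php` path are assumptions; the 5 and 15 minute figures are the ones from the question.

```php
<?php
// Added example. Include at the top of every protected page, before any output.
// Assumes the login script sets $_SESSION['user'], $_SESSION['login_time'] and
// $_SESSION['last_activity'] (and calls session_regenerate_id(true)) on success.

const IDLE_TIMEOUT  = 300;  // 5 minutes without a request
const MAX_LOGIN_AGE = 900;  // re-authenticate 15 minutes after login, active or not

/**
 * Returns 'ok', 'idle' or 'reauth'. On 'ok' the idle timer is reset.
 * The decision uses only server-side session data, so a client that keeps
 * its cookie or disables JavaScript cannot extend the session.
 */
function check_session_age(array &$session, int $now): string
{
    if (empty($session['user'])) {
        return 'reauth';                          // not logged in
    }
    $last  = (int) ($session['last_activity'] ?? 0);
    $login = (int) ($session['login_time'] ?? 0);

    if ($now - $last > IDLE_TIMEOUT) {
        return 'idle';                            // walked away from the browser
    }
    if ($now - $login > MAX_LOGIN_AGE) {
        return 'reauth';                          // absolute limit reached
    }
    $session['last_activity'] = $now;             // activity seen: reset idle timer
    return 'ok';
}

session_start();
$state = check_session_age($_SESSION, time());

if ($state !== 'ok') {
    $_SESSION = [];                               // drop server-side data
    if (ini_get('session.use_cookies')) {         // expire the session cookie too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: /login.php?reason=' . $state);  // hypothetical login path
    exit;
}
```

Because the check runs on each request, an idle page is only invalidated when the next request arrives; a cookie expiry or a JavaScript timer as in the other replies can hide the page sooner, but the server-side check is what actually ends the login.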