Automatic session timeout/logout using PHP after X Minutes of Inactivity/Idle time

automatic-session-timeout-logout-using-php

PHP Automatic Session Expire after X Minutes of Inactivity/Idle time

 Automatic session timeout/logout using php

 

Session timeout is a notion and the only way you make you sure that no session ever will survive after X minutes of inactivity. Session timeout or Session expire depends on the server configuration or the relevant directives (session.gc_maxlifetime) in php.ini.

 

Typically the default is 1440 seconds(24 minutes), but you can alter the default to something else. Below are some Session configurations.

 

http://php.net/manual/en/session.configuration.php

 

You can update this easily and without writing custom logic.

 

If your sessions are implemented with cookies (which they probably are), and if the clients are not malicious, you can set an time limit on the session duration by tweaking certain parameters. If you are using PHP’s default session handling with cookies, setting session.gc_maxlifetime along with session_set_cookie_params should work for you like this:

 

// server should keep session data for 1 hour
ini_set('session.gc_maxlifetime', 3600);

// each client remember their session id for exactly 1 hour
session_set_cookie_params(3600);

session_start(); // ready to go!

 

You can also put this in .htaccess file with a slight change in syntax.

 

php_value session.gc_maxlifetime 3600

php_value session.gc_probability 1

php_value session.gc_divisor 1

 

session.gc_probability, and session.gc_divisor directives: PHP has garbage collection it uses to clean up sessions that have expired, otherwise on a site with a lot of users accessing the site could cause a huge amount of session files to be continually generated. Garbage collection does not happen automatically and needs to be incorporated into your system maintenance routines.

 

You can also make a custom script that automatically logout a user if user is inactive (not performed any action or idle) for X minutes.

 

1) When user logged in, start session, start session expiry time, like this:

 $_SESSION['expire'] = time() + X*60; 

We took current time, added X minutes in it and stored this in session.

 

2) At every page check that if X minutes (for above script) have been passed or not make a file as include that in that page, like this:

If yes, clear session and logout, like this:

if(time() > $_SESSION['expire']){
    session_destroy();
    session_write_close();
    session_unset();
    $_SESSION = array();
}

 

And then redirect to login page.

 

3) In else statement (if X minutes have not passed), reset time (takes current time and add X minutes in it and restore in session named ‘expire’) stored in session, like this:

else { $_SESSION['expire'] = time()+X*60; }

 

and do nothing – don’t clear sessions, don’t redirect to login page, so that user may stay at website, as much time as he is active.

 

You can also do this purely using JavaScript. Start an countdown timer. Then wait for activity and reset this timer. If there is no activity and timer goes off, you can call your logoff sequence.


/* Resets the timer. The timer is reset on events
   (mouse-move,mouse-click,key press,scrolling),
   these events occurs indicates that user is active on the application:
*/

<body onmousemove="reset_interval()" onclick="reset_interval()" onkeypress="reset_interval()" onscroll="reset_interval()">

<script type="text/javascript">
 
//the interval 'timer' is set as soon as the page loads

var timer = setInterval(function(){ auto_logout() }, 20000);

// the figure '20000' (20 seconds) indicates how many milliseconds the timer be set to.

//e.g. if you want it to set 5 mins, calculate 5min= 5x60=300 sec => 300,000 milliseconds.
 
function reset_interval(){

    //first step: clear the existing timer
    clearInterval(timer);
   
    //second step: implement the timer again
    timer = setInterval(function(){ auto_logout() }, 20000);
    //..completed the reset of the timer

}

function auto_logout(){

    //this function will redirect the user to the logout script
   
    if(confirm("You have been logged out from the application, Press OK to login again!")){
        window.location="your_logout_script.php";
    }

}

</script>

Hope it will works, let me know by your valuable comments if you need any more assistance.

Leave a Reply

Your email address will not be published. Required fields are marked *