Sessions/login-timeout etc.

Discussion in 'PHP' started by PoPSiCLe, Aug 20, 2013.

  1. #1
    Hi. I'm currently in the process of making a database of volunteers for a student organisation here in Norway.

    Overall, the project is going okay, but I'm having some issues with session timeouts.

    What I'm looking for is a reliable function for avoiding users leaving the session open, and letting others use their login. This is kinda important, since there's going to be lots of personal information in this database.

    Currently I have a session-timeout for 15 minutes. This happens regardless of activity - which isn't really very useful.

    What I'm looking for is a way to make the session-timeout (idle-timeout) be around 5 minutes, but refresh that 5-minute interval every time something happens on the page - say page reload, querying the database, etc.

    I'm assuming I have to make something using jQuery in combination with PHP, but I'm not quite sure where to start - anyone have any tips? Any existing module I can start from, etc? Anything and everything will be appreciated!
     
    PoPSiCLe, Aug 20, 2013
  2. hdewantara, Well-Known Member
    #2
    Hi.
    How do you plan to set the session to expire in 5 minutes: using the session_set_cookie_params() or ini_set()? In that case I think you might want to call session_id($sid) right before session_start() line. Call it a few seconds before user session expires.

    So this call might come from browser, sent by jQuery (ajax) at say... 4 minutes interval, passing the $sid parameter to your PHP pages.

    I haven't tested this though, and am not sure whether there are some extra security measures that should be taken. But let me know if it does work ;)

    Hendra
     
    hdewantara, Aug 21, 2013
  3. Meglepett, Active Member
    #3
    I use the following code. If the last user action was more than 10 min ago, do a session destroy.

    <?php
    session_start();
    // "timeout" holds the Unix time of the last request seen for this session
    if (isset($_SESSION["timeout"])) {
        $sessionTTL = time() - $_SESSION["timeout"];   // seconds since last activity
        if ($sessionTTL > 600) {                       // idle for more than 10 minutes
            session_destroy();
            header("Location: /logout.php");
        }
    }
    $_SESSION["timeout"] = time();   // record this request as the latest activity
     
    Meglepett, Aug 24, 2013
  4. deathshadow, Acclaimed Member
    #4
    I think one of your issues is you aren't exiting after the header bit... though I'd probably NOT waste the extra handshakes/requests that using header involves, and instead include it then exit. (or have exit at the end of logout.php)

    Some other things I'd do:

    1) use $_SERVER['REQUEST_TIME'] instead of time() -- it's a fraction faster and is based on when the user made the request, instead of when it happens to get to your part of the code.

    2) use && instead of the multiple IF statements

    3) make timeout actually be WHEN it times out, so the if statement becomes a simple compare... and means not wasting time with an extra variable for nothing.

    4) little tip to make it fraction harder to hijack, generate a new session ID every access.

    session_start();
    session_regenerate_id();   // fresh session ID on every request
    if (
        isset($_SESSION['timeout']) &&
        ($_SERVER['REQUEST_TIME'] >= $_SESSION['timeout'])   // deadline already passed?
    ) {
        session_destroy();
        header('Location: /logout.php');
        exit;   // stop here so the rest of the page never runs for an expired session
    }
    // store the moment the session WILL expire, 10 minutes from this request
    $_SESSION['timeout'] = $_SERVER['REQUEST_TIME'] + 600;
    Really though your big problem was letting it drop through when they should be logged out.

    Hope this helps.
     
    deathshadow, Aug 25, 2013
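The following is an added example, not code posted by anyone in this thread. It pulls together the original question (a 5-minute idle timeout that resets on every page load, database query or AJAX ping) and the points raised in #4 (store the deadline itself, compare with $_SERVER['REQUEST_TIME'], exit after the redirect, rotate the session ID), and adds what a practitioner would normally want alongside them: an absolute lifetime cap, cookie flags, strict session-ID mode, and clearing the cookie on logout. The timeout constants, the /logout.php path and the session keys are assumptions; the include is meant to sit at the top of every protected page.

```php
<?php
// Added example (not from the thread). Idle timeout that resets on every
// request, a hard maximum lifetime, and periodic session-ID rotation.
// IDLE_TIMEOUT_SECONDS, ABSOLUTE_TIMEOUT_SECONDS, REGENERATE_INTERVAL and
// the /logout.php path are assumptions chosen for illustration.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS     = 300;       // 5 minutes of inactivity
const ABSOLUTE_TIMEOUT_SECONDS = 8 * 3600;  // cap regardless of activity
const REGENERATE_INTERVAL      = 300;       // rotate the ID at most this often

// Cookie hardening has to be configured before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie, dropped on close
    'path'     => '/',
    'secure'   => true,     // only sent over HTTPS
    'httponly' => true,     // not readable from JavaScript
    'samesite' => 'Lax',
]);
ini_set('session.use_strict_mode', '1'); // refuse IDs the server never issued
session_start();

$now = (int) $_SERVER['REQUEST_TIME'];

/**
 * Pure policy check: has this session passed its idle or absolute deadline?
 * Kept free of globals so it can be unit-tested with a plain array.
 */
function session_expired(array $session, int $now): bool
{
    if (!isset($session['expires_at'], $session['created_at'])) {
        return false;   // brand-new session, nothing to expire yet
    }
    return $now >= $session['expires_at']
        || ($now - $session['created_at']) >= ABSOLUTE_TIMEOUT_SECONDS;
}

/** Wipe server-side state and tell the browser to forget the cookie. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

if (session_expired($_SESSION, $now)) {
    end_session();
    header('Location: /logout.php');
    exit;   // nothing below may run for an expired session
}

if (!isset($_SESSION['created_at'])) {
    $_SESSION['created_at'] = $now;
    $_SESSION['last_regen'] = $now;
}

// Rotate the ID periodically and delete the old one, so a copied ID goes
// stale on its own; doing it every request would race with concurrent
// AJAX calls that still carry the previous ID.
if (($now - $_SESSION['last_regen']) >= REGENERATE_INTERVAL) {
    session_regenerate_id(true);
    $_SESSION['last_regen'] = $now;
}

// Every request that gets this far, including a jQuery keep-alive ping to
// any page that includes this file, pushes the idle deadline forward.
$_SESSION['expires_at'] = $now + IDLE_TIMEOUT_SECONDS;
```

The "refresh on activity" the original question asks for falls out of the last line: an AJAX request from the page to any URL that includes this file is just another request, so it moves expires_at forward without any extra endpoint. The absolute cap is what stops a browser left running a keep-alive script from holding a login open forever, which is the scenario the question is trying to prevent.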