
View Full Version : Automatic Logout after 15 minutes of inactive



devil_vin
10-23-2007, 04:40 PM
Hey, guys! May I know how to have a function for automatic logout if users have been inactive for more than 15 minutes? Thanks....

djr33
10-23-2007, 06:06 PM
Store the start time, and update with any activity; then constantly check to be sure that time is less than 15 minutes-- if not, you should delete the cookie, unset the session, delete the database entry, or remove their name from a list, based on whatever method you use for storing the login.
The only method that has this built in would be using a cookie and setting the time for 15 minutes, though that would be 15 minutes, not 15 minutes restarted with any activity (though you could set that, too). Aside from that, removing it will need to be a reaction based on it being more than 15 minutes; or, you could do the same but by only confirming the login if the time is less than 15 minutes.

Generally, sessions are just fine for this type of thing and have a built in time out based on the browsers.

Sessions* and cookies aren't secure, though, as the user could reactivate them, unless you had a server side backup (though I'm not sure how important that is).

(*Session data is entirely secure, but the session id, which gives access to that session and session data, is not secure as it must be stored client side and can therefore be modified by the user.)

Twey
10-23-2007, 08:19 PM
(*Session data is entirely secure, but the session id, which gives access to that session and session data, is not secure as it must be stored client side and can therefore be modified by the user.)
But the actual session data can't. The user couldn't "reactivate" his/her session.

djr33
10-23-2007, 09:19 PM
The user could indeed reactivate a session if it was still stored on the server, though that wouldn't be re-"activating" it... just continuing.

Access to whatever information is stored in a session at a given time is accessible via said ID, unless there is another layer of protection (I like using IP verification myself).

Twey
10-23-2007, 10:01 PM
The user could indeed reactivate a session if it was still stored on the server, though that wouldn't be re-"activating" it... just continuing.
Not after the session had been destroyed...
Access to whatever information is stored in a session at a given time is accessible via said ID, unless there is another layer of protection (I like using IP verification myself).
I actually advised this to you, if I remember correctly, but I think you may have misunderstood me. The data stored in a session is inaccessible to any but PHP scripts on that server. Those scripts may disclose that data to the user, but the user has no more access to read or modify it than that granted by scripts. The risk is of one user stealing another's session ID and using it to falsely identify him/herself to the scripts, which can be helped somewhat by IP verification. It is, however, sufficiently difficult to falsely obtain a session ID in the first place that this is only a protection against a slim chance, certainly not a vital security measure. More important, if it is paramount that the users not have access to one another's accounts, would be to use HTTPS to help prevent stealing the SID in the first place.

sandhee_tube
05-12-2008, 08:16 AM
Hey, I've been searching for this too...

Yesterday I got a simple script which can create an automatic logout... the key is the time in the session... the time of user login + 15 minutes (in the script, using seconds), and if the time of new login is up then redirect the user to the login page and destroy his session.



<?php
session_start();
$_SESSION['session_time'] = time(); // get the login time for the user in seconds
$session_logout = 900; // it means 15 minutes.
// and then check the session time
if ($session_logout >= $_SESSION['session_time']) {
    // user session time is up
    // destroy the session
    session_destroy();
    // redirect to login page
    header("Location:the-path-your-login-page.php");
}
?>





CMIIW :Dv

benanamen
12-11-2010, 05:39 PM
sandhee_tube, your code will never work as is. Your code resets $_SESSION['session_time'] every time you call the script before checking if the time has run out. It will never time out.

Here is complete bug-free working code:


<?php
session_start();
$timeout = 10; // Set timeout minutes
$logout_redirect_url = "index.php"; // Set logout URL

$timeout = $timeout * 60; // Converts minutes to seconds
if (isset($_SESSION['start_time'])) {
    // Seconds since the last request that reached this script
    $elapsed_time = time() - $_SESSION['start_time'];
    if ($elapsed_time >= $timeout) {
        session_destroy();
        header("Location: $logout_redirect_url");
        exit; // stop here so the rest of the page does not run after the redirect
    }
}
$_SESSION['start_time'] = time(); // record this request as the latest activity
?>

benanamen
12-11-2010, 06:16 PM
This is a more compact version of the previous script. The main difference is that this one does not convert the minutes to seconds for you, which means you would need to figure out how many seconds are in the time you want to auto logout.




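<?php
session_start();
$inactive = 10; // Set timeout period in seconds

if (isset($_SESSION['timeout'])) {
    // Seconds since the last request that reached this script
    $session_life = time() - $_SESSION['timeout'];
    if ($session_life > $inactive) {
        session_destroy();
        header("Location: logoutpage.php");
        exit; // stop here so the rest of the page does not run after the redirect
    }
}
$_SESSION['timeout'] = time(); // record this request as the latest activity
?>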
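
Added example, not part of the thread or any poster's code: the same idle-timeout check combined with the points raised earlier about the session ID, so that a timeout also clears the session data and expires the client's session cookie, and the cookie is only sent over HTTPS. The names IDLE_LIMIT, LOGIN_URL, 'last_activity' and the three functions are assumptions for illustration; it assumes PHP 7.3 or later and a site served over HTTPS.

```php
<?php
// Added example: idle timeout enforced on the server, with full session teardown.
const IDLE_LIMIT = 900;           // 15 minutes, in seconds (assumed value)
const LOGIN_URL  = '/login.php';  // placeholder path

// Pure check, kept separate so the rule can be tested without a live session.
// A missing timestamp means a brand-new session, which has not expired.
function idle_expired(?int $lastActivity, int $now, int $limit): bool
{
    return $lastActivity !== null && ($now - $lastActivity) >= $limit;
}

// Remove the session data, the server-side record and the client's cookie.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 3600,   // in the past, so the browser drops it
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();
}

function enforce_idle_timeout(): void
{
    // Send the session ID over HTTPS only and hide it from page scripts.
    session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    session_start();

    $last = isset($_SESSION['last_activity']) ? (int) $_SESSION['last_activity'] : null;
    if (idle_expired($last, time(), IDLE_LIMIT)) {
        end_session();
        header('Location: ' . LOGIN_URL);
        exit; // the protected page below must not run for an expired session
    }
    $_SESSION['last_activity'] = time(); // any request counts as activity
}

enforce_idle_timeout(); // call at the top of every protected page
```

Because the timestamp lives in server-side session data, a client that keeps or replays an old session cookie still fails the check once the limit has passed.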