Thread: Automatic Logout after 15 minutes of inactive

  1. #1
    Join Date
    Aug 2007
    Location
    Malaysia
    Posts
    117
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Automatic Logout after 15 minutes of inactive

    Hey, guys! May I know how to add an automatic logout function if users have been inactive for more than 15 minutes? Thanks....

  2. #2
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,162
    Thanks
    263
    Thanked 690 Times in 678 Posts

    Default

    Store the start time, and update with any activity; then constantly check to be sure that time is less than 15 minutes-- if not, you should delete the cookie, unset the session, delete the database entry, or remove their name from a list, based on whatever method you use for storing the login.
    The only method that has this built in would be using a cookie and setting the time for 15 minutes, though that would be 15 minutes, not 15 minutes restarted with any activity (though you could set that, too). Aside from that, removing it will need to be a reaction based on it being more than 15 minutes; or, you could do the same but by only confirming the login if the time is less than 15 minutes.

    Generally, sessions are just fine for this type of thing and have a built in time out based on the browsers.

    Sessions* and cookies aren't secure, though, as the user could reactivate them, unless you had a server side backup (though I'm not sure how important that is).

    (*Session data is entirely secure, but the session id, which gives access to that session and session data, is not secure as it must be stored client side and can therefore be modified by the user.)
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  3. #3
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,878
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    Quote: (*Session data is entirely secure, but the session id, which gives access to that session and session data, is not secure as it must be stored client side and can therefore be modified by the user.)
    But the actual session data can't. The user couldn't "reactivate" his/her session.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  4. #4
    Join Date
    Mar 2006
    Location
    Illinois, USA
    Posts
    12,162
    Thanks
    263
    Thanked 690 Times in 678 Posts

    Default

    The user could indeed reactivate a session if it was still stored on the server, though that wouldn't be re-"activating" it... just continuing.

    Access to whatever information is stored in a session at a given time is accessible via said ID, unless there is another layer of protection (I like using IP verification myself).
    Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum

  5. #5
    Join Date
    Jun 2005
    Location
    英国
    Posts
    11,878
    Thanks
    1
    Thanked 180 Times in 172 Posts
    Blog Entries
    2

    Default

    Quote: The user could indeed reactivate a session if it was still stored on the server, though that wouldn't be re-"activating" it... just continuing.
    Not after the session had been destroyed...
    Quote: Access to whatever information is stored in a session at a given time is accessible via said ID, unless there is another layer of protection (I like using IP verification myself).
    I actually advised this to you, if I remember correctly, but I think you may have misunderstood me. The data stored in a session is inaccessible to any but PHP scripts on that server. Those scripts may disclose that data to the user, but the user has no more access to read or modify it than that granted by scripts. The risk is of one user stealing another's session ID and using it to falsely identify him/herself to the scripts, which can be helped somewhat by IP verification. It is, however, sufficiently difficult to falsely obtain a session ID in the first place that this is only a protection against a slim chance, certainly not a vital security measure. More important, if it is paramount that the users not have access to one another's accounts, would be to use HTTPS to help prevent stealing the SID in the first place.
    Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!

  6. #6
    Join Date
    May 2008
    Location
    indonesia..the most beautifull country
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default

    hey i've been searching for this too...

    Yesterday I got a simple script which can create an automatic logout. The key is the time in the session: the time of user login + 15 minutes (the script uses seconds), and if the time of the new login is up, then redirect the user to the login page and destroy his session.

    PHP Code:
    <?php
    session_start();

    $_SESSION['session_time'] = time(); // got the login time for user in seconds

    $session_logout = 900; // it means 15 minutes.
    // and then check the session time
    if ($session_logout >= $_SESSION['session_time']) {
        // user session time is up
        // destroy the session
        session_destroy();
        // redirect to login page
        header("Location:the-path-your-login-page.php");
    }
    ?>

    CMIIW v

  7. #7
    Join Date
    Dec 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Correct code PHP Automatic Session Logout

    sandhee_tube, your code will never work as is. Your code resets $_SESSION['session_time'] every time you call the script before checking if the time has run out. It will never time out.

    Here is complete bug-free working code:

    PHP Code:
    <?php
    session_start();
    $timeout = 10; // Set timeout minutes
    $logout_redirect_url = "index.php"; // Set logout URL

    $timeout = $timeout * 60; // Converts minutes to seconds
    if (isset($_SESSION['start_time'])) {
        $elapsed_time = time() - $_SESSION['start_time'];
        if ($elapsed_time >= $timeout) {
            session_destroy();
            header("Location: $logout_redirect_url");
            exit; // stop here so the rest of the page does not run for a timed-out session
        }
    }
    $_SESSION['start_time'] = time();
    ?>
    Last edited by benanamen; 12-11-2010 at 05:56 PM. Reason: Added code tags

  8. #8
    Join Date
    Dec 2010
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Default Compact version PHP Automatic Session Logout

    This is a more compact version of the previous script. The main difference is that this one does not convert the minutes to seconds for you, which means you would need to figure out how many seconds are in the time you want to auto logout.

    PHP Code:
    <?php
    session_start();
    $inactive = 10; // Set timeout period in seconds

    if (isset($_SESSION['timeout'])) {
        $session_life = time() - $_SESSION['timeout'];
        if ($session_life > $inactive) {
            session_destroy();
            header("Location: logoutpage.php");
            exit; // stop here so the rest of the page does not run for a timed-out session
        }
    }
    $_SESSION['timeout'] = time();
    ?>
    Last edited by benanamen; 12-11-2010 at 11:54 PM.
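
The points raised across this thread (check the idle time before refreshing it, end the session on the server rather than trusting the cookie, protect the session ID in transit) combined in one script, as an added example that is not code from any poster. The key name `last_activity`, the `login.php` target and the function names are assumptions, and the array forms of `setcookie()` and `session_set_cookie_params()` need PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 15 * 60; // 15 minutes in seconds, the limit asked for in post #1

// Pure decision, kept separate so it can be unit-tested with a fixed clock.
// 'last_activity' is a hypothetical key name chosen for this example.
function is_idle_expired(array $session, int $now, int $limit = IDLE_LIMIT): bool
{
    return isset($session['last_activity'])
        && ($now - (int) $session['last_activity']) > $limit;
}

// End the session on the server and tell the browser to drop its cookie.
function end_session(): void
{
    $_SESSION = [];                               // clear data held by this request
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [           // expire the session-ID cookie
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?: 'Lax',
        ]);
    }
    session_destroy();                            // delete the server-side record
}

// Assumes the site is served over HTTPS (as recommended in post #5): the ID
// cookie is then never sent in clear text and is not readable from JavaScript.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

if (is_idle_expired($_SESSION, time())) {
    end_session();
    header('Location: login.php');                // hypothetical login page
    exit;                                         // nothing below runs for an expired session
}
$_SESSION['last_activity'] = time();              // refresh only AFTER the check passed
```

Include this at the top of every protected page; because the timestamp lives in server-side session data, a client that keeps or replays its cookie cannot extend the idle window.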
