Hey, guys! May I know how to have a function of automatic logout if users have been inactive for more than 15 minutes? Thanks....
Store the start time, and update with any activity; then constantly check to be sure that time is less than 15 minutes-- if not, you should delete the cookie, unset the session, delete the database entry, or remove their name from a list, based on whatever method you use for storing the login.
The only method that has this built in would be using a cookie and setting the time for 15 minutes, though that would be 15 minutes, not 15 minutes restarted with any activity (though you could set that, too). Aside from that, removing it will need to be a reaction based on it being more than 15 minutes; or, you could do the same but by only confirming the login if the time is less than 15 minutes.
Generally, sessions are just fine for this type of thing and have a built in time out based on the browsers.
Sessions* and cookies aren't secure, though, as the user could reactivate them, unless you had a server side backup (though I'm not sure how important that is).
(*Session data is entirely secure, but the session id, which gives access to that session and session data, is not secure as it must be stored client side and can therefore be modified by the user.)
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
Quote: (*Session data is entirely secure, but the session id, which gives access to that session and session data, is not secure as it must be stored client side and can therefore be modified by the user.)
But the actual session data can't. The user couldn't "reactivate" his/her session.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
The user could indeed reactivate a session if it was still stored on the server, though that wouldn't be re-"activating" it... just continuing.
Access to whatever information is stored in a session at a given time is accessible via said ID, unless there is another layer of protection (I like using IP verification myself).
Daniel - Freelance Web Design | <?php?> | <html>| español | Deutsch | italiano | português | català | un peu de français | some knowledge of several other languages: I can sometimes help translate here on DD | Linguistics Forum
Quote: The user could indeed reactivate a session if it was still stored on the server, though that wouldn't be re-"activating" it... just continuing.
Not after the session had been destroyed...
Quote: Access to whatever information is stored in a session at a given time is accessible via said ID, unless there is another layer of protection (I like using IP verification myself).
I actually advised this to you, if I remember correctly, but I think you may have misunderstood me. The data stored in a session is inaccessible to any but PHP scripts on that server. Those scripts may disclose that data to the user, but the user has no more access to read or modify it than that granted by scripts. The risk is of one user stealing another's session ID and using it to falsely identify him/herself to the scripts, which can be helped somewhat by IP verification. It is, however, sufficiently difficult to falsely obtain a session ID in the first place that this is only a protection against a slim chance, certainly not a vital security measure. More important, if it is paramount that the users not have access to one another's accounts, would be to use HTTPS to help prevent stealing the SID in the first place.
Twey | I understand English | 日本語が分かります | mi jimpe fi le jbobau | mi esperanton komprenas | je comprends français | entiendo español | tôi ít hiểu tiếng Việt | ich verstehe ein bisschen Deutsch | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
Hey, I've been searching for this too...
Yesterday I got a simple script which can create an automatic logout... The key is the time in the session: the time of user login + 15 minutes (in the script, using seconds), and if the time of the new login is up, then redirect the user to the login page and destroy his session.
PHP Code:
<?php
session_start();
$_SESSION['session_time'] = time(); // got the login time for the user, in seconds
$session_logout = 900; // it means 15 minutes.
// and then check the session time
if ($session_logout >= $_SESSION['session_time']) {
    // user session time is up
    // destroy the session
    session_destroy();
    // redirect to login page
    header("Location:the-path-your-login-page.php");
}
?>
CMIIW
sandhee_tube, your code will never work as is. Your code resets $_SESSION['session_time'] every time you call the script before checking if the time has run out. It will never time out.
Here is complete bugfree working code:
PHP Code:
<?php
session_start();
$timeout = 10; // Set timeout minutes
$logout_redirect_url = "index.php"; // Set logout URL
$timeout = $timeout * 60; // Converts minutes to seconds
if (isset($_SESSION['start_time'])) {
    $elapsed_time = time() - $_SESSION['start_time'];
    if ($elapsed_time >= $timeout) {
        session_destroy();
        header("Location: $logout_redirect_url");
        exit; // Stop here so the rest of the page does not run after the redirect
    }
}
$_SESSION['start_time'] = time(); // Refresh the timestamp only after the check
?>
Last edited by benanamen; 12-11-2010 at 06:56 PM. Reason: Added code tags
This is a more compact version of the previous script. The main difference is that this one does not convert the minutes to seconds for you, which means you would need to figure out how many seconds are in the time you want to auto logout.
PHP Code:
<?php
session_start();
$inactive = 10; // Set timeout period in seconds
if (isset($_SESSION['timeout'])) {
    $session_life = time() - $_SESSION['timeout'];
    if ($session_life > $inactive) {
        session_destroy();
        header("Location: logoutpage.php");
        exit; // Stop here so the rest of the page does not run after the redirect
    }
}
$_SESSION['timeout'] = time(); // Refresh the timestamp only after the check
?>
Last edited by benanamen; 12-12-2010 at 12:54 AM.
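An idle-timeout check along the lines discussed in this thread, as an added example that is not code from any of the posters. It checks before refreshing the timestamp, tears the session down on the server, expires the cookie that carries the session ID, and stops the script after the redirect. It assumes PHP 7.3 or later; `IDLE_LIMIT`, `is_idle_expired`, `end_session`, `last_activity` and `login.php` are hypothetical names.

```php
<?php
// Added example; all names below are hypothetical, not from the thread.
declare(strict_types=1);

const IDLE_LIMIT = 900; // 15 minutes, in seconds

// Pure check: true when the last recorded activity is at least $limit seconds old.
function is_idle_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) >= $limit;
}

// Remove the session on the server and expire the cookie that holds its ID,
// so the old ID no longer maps to any stored session data.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
        ]);
    }
    session_destroy();
}

// Send the session ID over HTTPS only and keep it out of reach of page scripts.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
session_start();

// Check first, refresh second: refreshing before the check hides the idle gap.
if (is_idle_expired($_SESSION['last_activity'] ?? null, time())) {
    end_session();
    header('Location: login.php');
    exit; // nothing below this line runs for an expired session
}
$_SESSION['last_activity'] = time();
```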