Allau Bhaklar Allau Bhaklar - 2 months ago 17
PHP Question

PHP simple session-timeout

I have a project for university in which we should develop a static website with free session.
I need a simple php timeout code.
Is correct to use this? code:

<?php
if ($_SESSION['timeout'] + $minutes * 60 < time()) {
// session timed out
} else {
// session ok
}
?>


$_SESSION['timeout']
was set to
time();

Answer

it depends on your website logic. Try to use this if you want.

<?php
session_start(); $t=time(); $diff=0; $new=false;
if (isset($_SESSION['time'])){
$t0=$_SESSION['time']; $diff=($t-$t0); // inactivity period
} else {
$new=true;
}
if ($new || ($diff > 10)) { // new or with inactivity period too long
//session_unset(); // Deprecated
$_SESSION=array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) { // PHP using cookies to handle session
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 3600*24, $params["path"],
$params["domain"], $params["secure"], $params["httponly"]);
}
session_destroy(); // destroy session
// redirect client to login page
header('HTTP/1.1 307 temporary redirect');
header('Location: login.php?msg=SessionTimeOut');
exit; // IMPORTANT to avoid further output from the script
} else {
$_SESSION['time']=time(); /* update time */
echo '<html><body>Tempo ultimo accesso aggiornato: ' .$_SESSION['time'].'</body></html>';
}
?>

But I suggest to use session_regenerate_id() instead of session_destroy()

Comments