Unset session after some time in php

Instead of doing a search for files (which involves more I/O) etc., a better way is to store a time stamp of the 'most recent activity' in the $_SESSION variable, and update the session data on every request (including the automated periodic AJAX calls, if any).

What is a session cookie: Session Cookie

Let's say you want to unset the session after 10 minutes:

    session_start();

    // 600 seconds = 10 minutes
    if (isset($_SESSION['most_recent_activity']) &&
        (time() - $_SESSION['most_recent_activity'] > 600)) {
        session_unset();     // clear the session data in memory
        session_destroy();   // remove the session data on the server
    }
    $_SESSION['most_recent_activity'] = time(); // record this request as the latest activity

To avoid attacks like session fixation (Session Fixation is an attack that permits an attacker to hijack a valid user session), keep regenerating the session id periodically, say every 5 mins (I would suggest keeping both the regeneration time and the session expiry time a bit longer). A more elaborate list of attacks: attack list.

    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = time();       // first request of this session
    } elseif (time() - $_SESSION['CREATED'] > 600) {
        session_regenerate_id(true);         // issue a new id and delete the old session file
        $_SESSION['CREATED'] = time();
    }

Also, make sure session.gc_maxlifetime is set to the maximum expiry time you want to use. You can do this with

    ini_set('session.gc_maxlifetime', 600);

Or set it directly in your php.ini.

And also session.cookie_lifetime:

session.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser.

But destroying the session must be taken care of on the server side, not the client side. Setting session.cookie_lifetime to 0 makes the session's cookie behave the way a session cookie should, i.e. it is only valid until the browser is closed.

Although this method is a tad tedious, it's more elegant.
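The pieces above (server-side idle timeout, periodic id regeneration, gc_maxlifetime aligned with the timeout, and a cookie lifetime of 0) combined into one bootstrap function. This is an added example, not the answer's own code; the 600/300-second values, the function name and the HTTPS-only cookie flag are assumptions for the demo.

```php
<?php
// Added example: a single session bootstrap that applies every step discussed above.
// The timeout values and the assumption that the site runs over TLS are ours.
declare(strict_types=1);

const IDLE_TIMEOUT_SECONDS = 600;   // 10 minutes without a request ends the session
const REGENERATE_SECONDS   = 300;   // rotate the session id every 5 minutes

function secure_session_start(): void
{
    // Server-side garbage collection must not outrun our own check, otherwise
    // PHP could discard session data before the idle-timeout code ever sees it.
    ini_set('session.gc_maxlifetime', (string) IDLE_TIMEOUT_SECONDS);
    // Reject session ids that the server did not issue itself (anti-fixation).
    ini_set('session.use_strict_mode', '1');

    // lifetime 0 => the cookie is discarded when the browser closes.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // assumption: the site is served over HTTPS only
        'httponly' => true,   // keep the id away from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    $now = time();

    // 1. Idle timeout: the last request is too old, so throw the session away
    //    and start a clean one with a brand-new id for this request.
    if (isset($_SESSION['most_recent_activity'])
        && ($now - $_SESSION['most_recent_activity']) > IDLE_TIMEOUT_SECONDS) {
        session_unset();
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }
    $_SESSION['most_recent_activity'] = $now;

    // 2. Periodic id regeneration: bounds how long a leaked or fixated id stays useful.
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = $now;
    } elseif (($now - $_SESSION['CREATED']) > REGENERATE_SECONDS) {
        session_regenerate_id(true);   // true => delete the old session file
        $_SESSION['CREATED'] = $now;
    }
}

// Usage: call once at the top of every request before touching $_SESSION.
secure_session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
echo 'Requests in this session: ' . $_SESSION['visits'] . PHP_EOL;
```

The order matters: cookie parameters and ini settings must be in place before session_start(), and the idle check runs before the activity stamp is refreshed, otherwise an expired session would be revived by the very request that should end it.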

Ah, found the link which I had read a long time ago! : How do I expire a PHP session after 30 minutes?


In PHP, we create a session for the user who is logged in and keep that user online until the user logs out of that session. That can happen by clicking the logout button or by destroying the session after a fixed time.

By default, the expiry time of any session that is created is 1440 seconds, i.e. 24*60, i.e. 24 minutes. In some cases, we need to change this default.

We can do that in 2 ways.

1. We can change it in the php.ini file, but that changes the default time for all the sites running on that server and will be a hindrance to all the other sites. So the second option is preferable.

2. We can change the destroy time of the session in application logic. We store the system time at the creation of the session, and as the user browses to different pages, the script checks it against an expiry time that is explicitly declared as session-expiry.

File Structure:

index.php: If you enter wrong credentials, it throws an error. If you enter correct credentials, you are redirected to "HomePage.php" and the session is destroyed after 1 minute. The developer can change the time accordingly.
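The article's own index.php and HomePage.php are not reproduced on this page, so the following is an added example of the second approach: a login handler and a protected page in one file, with the session destroyed a fixed time after it was created. The demo user, the `page` query parameter, the SESSION_EXPIRY constant and the 60-second limit are assumptions for the demo.

```php
<?php
// Added example (not the article's code): creation-time based session expiry
// around a minimal login flow. Credentials and routing are constructed for the demo.
declare(strict_types=1);

const SESSION_EXPIRY = 60; // seconds after login at which the session is destroyed

// Constructed demo user; a real application reads this from its user store.
const DEMO_USER = 'alice';
$demoHash = password_hash('correct horse', PASSWORD_DEFAULT);

session_start();

/** True when the session was created more than SESSION_EXPIRY seconds ago. */
function session_expired(): bool
{
    return isset($_SESSION['created'])
        && (time() - $_SESSION['created']) > SESSION_EXPIRY;
}

/** Verify credentials; on success start a fresh session carrying a creation stamp. */
function login(string $user, string $password, string $hash): bool
{
    if ($user !== DEMO_USER || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);    // new id once the user is authenticated
    $_SESSION['user']    = $user;
    $_SESSION['created'] = time();  // the stamp that session_expired() compares against
    return true;
}

/** Drop all session data so the user has to log in again. */
function logout(): void
{
    session_unset();
    session_destroy();
}

$page = $_GET['page'] ?? 'index';

if ($page === 'index') {                              // plays the role of index.php
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        if (login($_POST['user'] ?? '', $_POST['password'] ?? '', $demoHash)) {
            header('Location: ?page=home');           // plays the role of HomePage.php
            exit;
        }
        echo 'Error: wrong username or password.' . PHP_EOL;
    }
    echo '<form method="post">'
       . '<input name="user"><input name="password" type="password">'
       . '<button>Login</button></form>';
    exit;
}

if ($page === 'home') {
    // Every protected page runs this guard: no user, or created too long ago, means
    // the session is destroyed on the server and the visitor goes back to login.
    if (!isset($_SESSION['user']) || session_expired()) {
        logout();
        header('Location: ?page=index');
        exit;
    }
    $remaining = SESSION_EXPIRY - (time() - $_SESSION['created']);
    echo 'Hello ' . htmlspecialchars($_SESSION['user'])
       . ', this session ends in ' . $remaining . ' seconds.' . PHP_EOL;
}
```

Because the check compares against the creation stamp rather than the last request, the session ends after SESSION_EXPIRY seconds even if the user keeps clicking; the idle-timeout variant in the first answer refreshes its stamp on every request instead.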
