
Automatic logout after inactivity

Posted: Fri Aug 15, 2008 6:55 pm
by zplits
Good day everyone. I want to add another security feature to the site that I am creating, and that is automatic logout after 10 minutes of inactivity.

Does anyone know how to do that?

Re: Automatic logout after inactivity

Posted: Fri Aug 15, 2008 8:07 pm
by Jade
I would keep a session with the current time() in it that they last performed an action. Then if the timestamp of the last thing they did is over 10 minutes you can kick them out.

Re: Automatic logout after inactivity

Posted: Fri Aug 15, 2008 8:10 pm
by zplits
Do you have sample code? I'm a bit confused about how it works.

Thanks.

Re: Automatic logout after inactivity

Posted: Fri Aug 15, 2008 8:18 pm
by Jade

Code:

<?php
session_start();

// let's say they're trying to update something
if (isset($_POST['submit']))
{
    if (!isset($_SESSION['lastchange'])) // never made a change before
        $_SESSION['lastchange'] = time();

    // check to see if their last change was more than 10 minutes (600 seconds) ago
    if (time() - $_SESSION['lastchange'] >= 600)
    {
        header("Location: inactive.php");
        exit;
    }

    // otherwise continue with their update, whatever it was
}

// this makes sure their time is up to date when they load the page initially
// even if they don't make a change
$_SESSION['lastchange'] = time();

// load the rest of your page down here...
?>

Re: Automatic logout after inactivity

Posted: Fri Aug 15, 2008 8:26 pm
by zplits
What I mean is: what if the user doesn't move the mouse or click anything on the site? That's when he/she should be logged out.

Is that possible? In JavaScript it's possible. But if I use JavaScript, is it okay? I also call logout.php and it destroys the session.

Re: Automatic logout after inactivity

Posted: Fri Aug 15, 2008 8:29 pm
by Jade
If you want them to automatically be logged out after ten minutes you'd have to use JavaScript. If they're not clicking around there's no way you can keep track of it using PHP. It sounds like exploring the JavaScript option might be the way to go.

Re: Automatic logout after inactivity

Posted: Fri Aug 15, 2008 9:48 pm
by zplits
OK sir. Thanks for the info. I think I'll use JavaScript. Thank you very much.

Re: Automatic logout after inactivity

Posted: Sat Aug 16, 2008 3:34 am
by Stryks
It's not smiled upon in certain circles, but you could always use a meta redirect.

Code:

<meta http-equiv="refresh" content="600;url=http://www.yoursite.com" />

The 600 tells the browser to wait 600 seconds (10 minutes) and then go to the URL. You can't 100% depend on the browser following the directive, but then you can't 100% depend on users having JavaScript enabled either.

Also, it's important to realize that sessions time out by themselves after 1440 seconds under a default config. That's 24 minutes. You can use ...

Code:

<?php
// must be set before session_start() is called
ini_set("session.gc_maxlifetime", "600");
?>

... to set a new session timeout, but the trouble with letting the session time out by itself is that you won't be able to tell the difference between a new user and a timed-out user. Of course, that only matters if you want to give your user a pretty message letting them know they were logged out on purpose.

Cheers
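
Added example, not posted by anyone in this thread: a server-side idle check meant to run at the top of every protected page, so the 10-minute limit holds even when the browser ignores a JavaScript timer or meta refresh, and a timed-out user can be told apart from a new one. The names `IDLE_LIMIT`, `is_idle_expired()`, `enforce_idle_timeout()`, the `last_activity` key and the `reason=timeout` parameter are assumptions; `inactive.php` is the page name from Jade's snippet.

```php
<?php
// Added example: all names below except inactive.php are assumptions.
const IDLE_LIMIT = 600; // 10 minutes, in seconds

// Pure decision: a session with no timestamp is a new visitor, not a timeout.
function is_idle_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastActivity !== null && ($now - $lastActivity) >= $limit;
}

function enforce_idle_timeout(): void
{
    // Keep session data longer than the idle limit, so the stored timestamp
    // is still there to compare against instead of being garbage-collected.
    ini_set('session.gc_maxlifetime', (string) (IDLE_LIMIT * 2));
    session_start();

    $last = isset($_SESSION['last_activity']) ? (int) $_SESSION['last_activity'] : null;

    if (is_idle_expired($last, time())) {
        // Clear the data, expire the cookie and destroy the session,
        // so the old session ID cannot be reused after the timeout.
        $_SESSION = [];
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();

        // Hypothetical query parameter: lets inactive.php show a
        // "you were logged out for inactivity" message.
        header('Location: inactive.php?reason=timeout');
        exit;
    }

    // Every request counts as activity, not only form submissions.
    $_SESSION['last_activity'] = time();
}

enforce_idle_timeout();
// ...rest of the protected page...
```

A JavaScript timer or meta refresh can still sit on top of this to move the browser to the logout page, but the check above is what actually ends the session.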