Logout user after a specific time of inactivity - php

I am creating a website with more than 10 different php files. I want to check if the user is inactive, starting from the login page. So, if a user logs in and remains idle for a specific period of time, it has to log that user out. I am new to PHP and am currently using an answer to similar question which is
if (isset($_SESSION["LAST_ACTIVITY"])) {
if (time() - $_SESSION["LAST_ACTIVITY"] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
} else if (time() - $_SESSION["LAST_ACTIVITY"] > 60) {
$_SESSION["LAST_ACTIVITY"] = time(); // update last activity time stamp
}
}
I found the answer here:
expire session when there is no activity in PHP
I have created a separate page called session.php and pasted the code in the above link. Then I included the file session.php in my login page (which checks for the credentials entered and logs a user in). The problem is, the if loop is not being run and I do not know how to define $_SESSION['LAST_ACTIVITY'] variable. I used the following in my login page:
$query = "SELECT *
FROM user_details
WHERE username = '$username'
AND password = '$password'";
$result = mysqli_query($dbconnect, $query);
$row = mysqli_fetch_array($result);
$count = mysqli_num_rows($result);
if ($count == 1) {
session_start();
echo "Welcome " .$username. "</br>";
$_SESSION['username'] = $username;
$login_time = time();
$_SESSION["LAST_ACTIVITY"] = $login_time ;
include('session.php');
I also tried including session.php at the beginning of the file but of no use. The problem is: time() - $_SESSION["LAST_ACTIVITY"] is being equalled to 0. How do I store last activity time and compare it with the current time? Also, should I include session.php in every other webpage file for the website to check user activity ? If yes, should I include it at the beginning or at the end ?

This code will solved your problem for session timeout.
<?php
// set timeout period in seconds
$inactive = 60; //after 60 seconds the user gets logged out
// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
$session_life = time() - $_SESSION['timeout'];
if($session_life > $inactive)
{
session_destroy();
header("Location: Logout.php");
}
}
$_SESSION['timeout'] = time();
?>

Related

Destroy PHP sessions by downtime

When you access the system, it generates a session as below:
session_start();
$_SESSION['Logged'] = time();
$_SESSION['Limit'] = 900; // 15 minutes
And when it exits the system, the session is destroyed.
The problem is when the user leaves the system without clicking the exit link and yes directly through the browser. How do I destroy the session by downtime? I tried the code below, but how do I know it's no longer in the system? It is necessary to change the status of the database and closing the system by the browser, I can not change.
session_start();
if($_SESSION['Logged'])
{
$seconds = time()- $_SESSION['Logged'];
}
if($seconds > $_SESSION['Limit'])
{
mysqli_query($this->conexao,"UPDATE table_admin SET StatusAdmin = 0 WHERE IdUser = '".$id."';");
session_destroy();
}
I'm sorry about my English.

PHP $_SESSION AND $_COOKIE Strange behavior

I'm trying to install COOKIES into my website.
I have found a script on GitHub: https://github.com/jotaroita/secure-login-php7-remember-register-resetpw
I have implemented the script and i'm able to login.
I'm able to login with just SESSION, or i can login with both SESSION and set a "Remember me -COOKIE".
To test the COOKIE i have set the SESSION to expire after 1 minute. $expireAfter = 1;
Senario:
I login to the website and check "remember me". Session starts and a cookie is set. Everything fine!
## last action: 1 seconds ago
skip the cookie check: session already set
I wait 60 seconds and reloads the page. Sessions destroys and Cookie reads:
## last action: 108 seconds ago
session destroy for inactivity
cookie read
cookie valid format
cookie right selector
cookie right token
set a new token in DB and in cookie
session set <- Within this message i can output Session data: $_SESSION['user'] at all times
BUT in my other page(home.php) $_SESSION['user'] is empty?! (I include the SESSION and COOKIE check from: check.php) if(isset($_SESSION['last_action'])){ returns true
If i wait another 60 seconds and reload the page if(isset($_SESSION['last_action'])){ returns false. But now the $_SESSION['user'] is set.
If i wait another 60 seconds and reload the page. if(isset($_SESSION['last_action'])){ returns true. But now the $_SESSION['user'] is empty.
home.php
<?php
//START SESSION
session_start();
//CONNECT TO DB, SET HEADER, SET TIMEZONE, CHECK FOR LOGIN-COOKIES
include("check.php");
//CHECK IF SESSION EXIST
if(!isset($_SESSION['user'])) {
$isSesstion = false;
header("Location: /index.php");
}
else{
$isSesstion = true;
}
.....
check.php
<?php
define ("PEPPER",''); //random string for extra salt, use if you want.
define ("WEBSITE",'mydomain.com'); //your web site without http:// without final /
define ("SCRIPTFOLDER",'/login'); //direcory of the script start with a / if you installed the script in the root write just a / never finish with a /
$hosting="localhost"; //your host or localhost
$database="db"; //your database name
$database_user="user"; //your username for database
$database_password="pwd"; //your database password
require_once('pdo_db.php');
//generate random sequence or numbers and letter avoid problems with special chars
function aZ ($n=12) {
$chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$bytes = random_ver($n);
$result="";
foreach (str_split($bytes) as $byte) $result .= $chars[ord($byte) % strlen($chars)];
return $result;
}
//generate random and avoid compatibility problem with php version
function random_ver ($n=10) {
$v=(int)phpversion()+0;
if ($v<7) {
//if php version < 7 use the old function for generate random bytes
return openssl_random_pseudo_bytes($n);
}else{
//random_bytes is better but works only with php version > 7
return random_bytes($n);
}
}
// ********************************
// * SESSION TIME UPDATE *
// ********************************
//Expire the session if user is inactive for 15 minutes or more.
//if u want to check how cookie works let the session id expire (wait X minutes without action, maybe set expireAfter to low value),
//close the browser then open again
$expireAfter = 1;
//Check to see if our "last action" session
//variable has been set.
if(isset($_SESSION['last_action'])){ echo 'IN';
//Figure out how many seconds have passed
//since the user was last active.
$secondsInactive = time() - $_SESSION['last_action'];
//Convert our minutes into seconds.
$expireAfterSeconds = $expireAfter * 60;
//Check to see if they have been inactive for too long.
$debug.="last action: $secondsInactive seconds ago<br>";
if($secondsInactive >= $expireAfterSeconds){
//User has been inactive for too long.
//Kill their session.
session_unset();
session_destroy();
$debug.="session destroy for inactivity<br>";
}
}
//Assign the current timestamp as the user's
//latest activity
$_SESSION['last_action'] = time();
// *********************************
// * CHECK AUTO LOG-IN WITH COOKIE *
// *********************************
//if session is not set, but cookie exists
if (empty($_SESSION['user']) && !empty($_COOKIE['remember']) && $_GET["logout"]!=1) {
$debug.="cookie read<br>";
list($selector, $authenticator) = explode(':', urldecode($_COOKIE['remember']));
//get from database the row with id and token related to selector code in the cookie
$sql = $db->prepare("SELECT * FROM user_tokens
WHERE selector = ? limit 1");
$sql->bindParam(1, $selector);
$sql->execute();
$row = $sql->fetch(PDO::FETCH_ASSOC);
if (empty($authenticator) or empty($selector))
$debug.="cookie invalid format<br>";
//continue to check the authenticator only if the selector in the cookie is present in the database
if (($sql->rowCount() > 0) && !empty($authenticator) && !empty($selector)) {
$debug.="cookie valid format<br>";
// the token provided is like the token in the database
// the functions password_verify and password_hash add secure salt and avoid timing attacks
if (password_verify(base64_decode($authenticator), $row['hashedvalidator'])){
//SET SESSION DATA
$sql = $db->prepare("SELECT * FROM users WHERE id = ?");
$sql->bindParam(1, $row['userid']);
$sql->execute();
$session_data = $sql->fetch(PDO::FETCH_ASSOC);
//UNSET VARS
unset($session_data['password']);
$_SESSION['user'] = $session_data;
//update database with a new token for the same selector and set the cookie again
$authenticator = bin2hex(random_ver(33));
$res=$db->prepare("UPDATE user_tokens SET hashedvalidator = ? , expires = FROM_UNIXTIME(".(time() + 864000*7).") , ip = ? WHERE selector = ?");
$res->execute(array(password_hash($authenticator, PASSWORD_DEFAULT, ['cost' => 12]),$_SERVER['REMOTE_ADDR'],$selector));
//set the cookie
$setc = setcookie(
'remember',
$selector.':'.base64_encode($authenticator),
time() + 864000*7, //the cookie will be valid for 7 days, or till log-out (if u want change it, modify the login.php file too)
'/',
WEBSITE,
false, // TLS-only set to true if u have a website on https://
false // http-only
);
$debug.="cookie right selector<br>cookie right token<br>set a new token in DB and in cookie<br>session set ".$_SESSION['user']['usr_fname']."<br>";
} else {
//selector exists but token doesnt match. that could be a secure problem, all selector/authenticator in database for that user will be deleted
$res=$db->prepare("DELETE FROM user_tokens WHERE userid = ".$row["userid"]);
$res->execute();
$debug.="cookie right selector<br>cookie wrong token (all DB entry for that user are deleted)<br>";
}
} else {
$debug.="selector not found in DB<br>";
}
} else {
$debug.="skip the cookie check: ";
if (!empty($_SESSION['user'])) $debug.="session already set<br>";
if (empty($_COOKIE['remember'])) $debug.="no cookie set<br>";
}
?>
So, whats wrong with the code?
Why is the $_SESSION filled with data every second time i refresh the webpage?
Why doesn't if(isset($_SESSION['last_action'])){ returns true everytime i refresh the page? And why does $_SESSION carry data in the debug message session set ".$_SESSION['user']['usr_fname']." all the time... but it is not carried over to home.php with the include(check.php"); ?
Do you need some more code? Just ask for it!
I think i found the problem.
After unset & destroy the session. I had to start a new session.
Strange thing this only happens every second time. But adding session_start(); solved the problem!
if(isset($_SESSION['last_action'])){
$secondsInactive = time() - $_SESSION['last_action'];
$expireAfterSeconds = $expireAfter * 60;
$debug.="last action: $secondsInactive seconds ago<br>";
if($secondsInactive >= $expireAfterSeconds){
//User has been inactive for too long.
//Kill their session.
session_unset();
session_destroy();
$debug.="session destroy for inactivity<br>";
}
}
...
session_start();
$_SESSION['user'] = $session_data;
...

How to increase the session time in php

In my web application, when i try to hit authentication service by passing username and password. Following is the code that handles authentication.
ini_set("session.cookie_lifetime","7200"); // 120 minutes
ini_set("session.gc_maxlifetime","7200"); // 120 minutes
session_start();
$_SESSION['logged_in'] = true;
$_SESSION['last_activity'] = time(); /
$_SESSION['expire_time'] = 2*60*60;
$_SESSION["user_id"]=$user_id;
$_SESSION["username"]=$username;
$_SESSION["accesslevel"]=10;
$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
$proxy = $_SERVER["REMOTE_ADDR"];
$time = time();
header('Location: ../XXXX.php');
In above code I'm trying to establish 2hours of inactivity before session_destroy();. But when i check the cookie information in browser the expiry date is same as creation date.
Help me in extending the cookie time to achieve system idleness.
Image with the cookie inspector (Where it says "Fecha de caducidad" its the Expire date)
How to achieve this, guide me. Thanks in advance!
These settings have no effect after the cookie is created (session initialized)
ini_set("session.cookie_lifetime","7200");
ini_set("session.gc_maxlifetime","7200");
You have to check if session timed out:
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $_SESSION['expire_time'] )) {
session_destroy();
} // check last activity
$_SESSION['last_activity'] = time(); // update last activity time

How to set timeout for session?

Is there any way to set time limitation for session? It means that my application should log out after 1 hour through server settings not like coding level as below.
<?php
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 7200)) {
// last request was more than 120 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>
first, store the last time the user made a request
<?php
session_start();
$_SESSION['LAST_ACTIVITY'] = time();
?>
in subsequent request, check how long ago they made their previous request (30 minutes in this example)
<?php
if (isset($_SESSION['LAST_ACTIVITY']){
if ($_SESSION['LAST_ACTIVITY'] + 30 * 60 < time()) {
// session timed out
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
} else {
// session ok
}
}
?>
$timeout = 60*60;//1 hour
session_start();
if (!isset($_SESSION['sessionTime'])) {
$_SESSION['sessionTime'] = time() + $timeout;//first login, set timeout
} else {
if ($_SESSION['sessionTime'] < time()) {//over timeout, destroy session
session_unset();
session_destroy();
} else {
$_SESSION['sessionTime'] = time() + $timeout;//login in timeout, reset timeout
}
}
Cause the question was "not on coding level" => You could achieve this via php.ini and/or .htaccess by setting session.gc_maxlifetime and/or session.cookie_lifetime.
But coding-level is mor reliable and way mor fault-tolerant.
See the best answer of this Question for explanation.
For Detailed Explanation please go through this link : http://php.net/manual/en/function.session-set-cookie-params.php#96868
we can give via session parameters by giving the following command in php
<?php
// Here we start as usual
session_set_cookie_params('3600'); // 1 hour
session_start();
?>
Hope it helps thank you
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
/*
You can also use an additional time stamp to regenerate the session ID periodically to avoid attacks on sessions like session fixation:
*/
if (!isset($_SESSION['CREATED'])) {
$_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
// session started more than 30 minutes ago
session_regenerate_id(true); // change session ID for the current session an invalidate old session ID
$_SESSION['CREATED'] = time(); // update creation time
}
//note that session.gc_maxlifetime should be at least equal to the life time of this custom expiration handler (1800 in this example).
description here

php and mysql send user to logout on time

When users login their online status is set to 1 when they logout its set back to 0, im trying to make it so after a certain amount of time of inactivity on the site they will be sent to logout.php, so I setup a field in my users table as last_activity as a timestamp. and have this code as a include on each page.
<?php
if (!isset($_SESSION['last_activity'])) {
// initiate value
$_SESSION['last_activity'] = time();
}
if (time() - $_SESSION['last_activity'] > 500) {
// last activity is longer then certain amount of time
header('Location: logout.php');
} else {
// update last activity timestamp
$_SESSION['last_activity'] = time();
}
?>
But right now as I have it, the last_activity field only updates when something on the users account is updated, also after the certain amount of time the user isn't logged out and I don't know why.
From automatic logout after 15 minutes of inactivity:
<?php
session_start();
$timeout = 10; // Set timeout minutes
$logout_redirect_url = "index.php"; // Set logout URL
$timeout = $timeout * 60; // Converts minutes to seconds
if (isset($_SESSION['start_time'])) {
$elapsed_time = time() - $_SESSION['start_time'];
if ($elapsed_time >= $timeout) {
session_destroy();
header("Location: $logout_redirect_url");
}
}
$_SESSION['start_time'] = time();
?>
Your code is right just at the top of the file you have to start the session with session_start()

Categories