Is there any way to set time limitation for session? It means that my application should log out after 1 hour through server settings not like coding level as below.
<?php
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 7200)) {
// last request was more than 120 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
?>
first, store the last time the user made a request
<?php
session_start();
$_SESSION['LAST_ACTIVITY'] = time();
?>
in subsequent request, check how long ago they made their previous request (30 minutes in this example)
<?php
if (isset($_SESSION['LAST_ACTIVITY']){
if ($_SESSION['LAST_ACTIVITY'] + 30 * 60 < time()) {
// session timed out
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
} else {
// session ok
}
}
?>
$timeout = 60*60;//1 hour
session_start();
if (!isset($_SESSION['sessionTime'])) {
$_SESSION['sessionTime'] = time() + $timeout;//first login, set timeout
} else {
if ($_SESSION['sessionTime'] < time()) {//over timeout, destroy session
session_unset();
session_destroy();
} else {
$_SESSION['sessionTime'] = time() + $timeout;//login in timeout, reset timeout
}
}
Cause the question was "not on coding level" => You could achieve this via php.ini and/or .htaccess by setting session.gc_maxlifetime and/or session.cookie_lifetime.
But coding-level is mor reliable and way mor fault-tolerant.
See the best answer of this Question for explanation.
For Detailed Explanation please go through this link : http://php.net/manual/en/function.session-set-cookie-params.php#96868
we can give via session parameters by giving the following command in php
<?php
// Here we start as usual
session_set_cookie_params('3600'); // 1 hour
session_start();
?>
Hope it helps thank you
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
/*
You can also use an additional time stamp to regenerate the session ID periodically to avoid attacks on sessions like session fixation:
*/
if (!isset($_SESSION['CREATED'])) {
$_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
// session started more than 30 minutes ago
session_regenerate_id(true); // change session ID for the current session an invalidate old session ID
$_SESSION['CREATED'] = time(); // update creation time
}
//note that session.gc_maxlifetime should be at least equal to the life time of this custom expiration handler (1800 in this example).
description here
Related
In my web application, when i try to hit authentication service by passing username and password. Following is the code that handles authentication.
ini_set("session.cookie_lifetime","7200"); // 120 minutes
ini_set("session.gc_maxlifetime","7200"); // 120 minutes
session_start();
$_SESSION['logged_in'] = true;
$_SESSION['last_activity'] = time(); /
$_SESSION['expire_time'] = 2*60*60;
$_SESSION["user_id"]=$user_id;
$_SESSION["username"]=$username;
$_SESSION["accesslevel"]=10;
$ip = $_SERVER["HTTP_X_FORWARDED_FOR"];
$proxy = $_SERVER["REMOTE_ADDR"];
$time = time();
header('Location: ../XXXX.php');
In above code I'm trying to establish 2hours of inactivity before session_destroy();. But when i check the cookie information in browser the expiry date is same as creation date.
Help me in extending the cookie time to achieve system idleness.
Image with the cookie inspector (Where it says "Fecha de caducidad" its the Expire date)
How to achieve this, guide me. Thanks in advance!
These settings have no effect after the cookie is created (session initialized)
ini_set("session.cookie_lifetime","7200");
ini_set("session.gc_maxlifetime","7200");
You have to check if session timed out:
if (isset($_SESSION['last_activity']) && (time() - $_SESSION['last_activity'] > $_SESSION['expire_time'] )) {
session_destroy();
} // check last activity
$_SESSION['last_activity'] = time(); // update last activity time
I am creating a website with more than 10 different php files. I want to check if the user is inactive, starting from the login page. So, if a user logs in and remains idle for a specific period of time, it has to log that user out. I am new to PHP and am currently using an answer to similar question which is
if (isset($_SESSION["LAST_ACTIVITY"])) {
if (time() - $_SESSION["LAST_ACTIVITY"] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
} else if (time() - $_SESSION["LAST_ACTIVITY"] > 60) {
$_SESSION["LAST_ACTIVITY"] = time(); // update last activity time stamp
}
}
I found the answer here:
expire session when there is no activity in PHP
I have created a separate page called session.php and pasted the code in the above link. Then I included the file session.php in my login page (which checks for the credentials entered and logs a user in). The problem is, the if loop is not being run and I do not know how to define $_SESSION['LAST_ACTIVITY'] variable. I used the following in my login page:
$query = "SELECT *
FROM user_details
WHERE username = '$username'
AND password = '$password'";
$result = mysqli_query($dbconnect, $query);
$row = mysqli_fetch_array($result);
$count = mysqli_num_rows($result);
if ($count == 1) {
session_start();
echo "Welcome " .$username. "</br>";
$_SESSION['username'] = $username;
$login_time = time();
$_SESSION["LAST_ACTIVITY"] = $login_time ;
include('session.php');
I also tried including session.php at the beginning of the file but of no use. The problem is: time() - $_SESSION["LAST_ACTIVITY"] is being equalled to 0. How do I store last activity time and compare it with the current time? Also, should I include session.php in every other webpage file for the website to check user activity ? If yes, should I include it at the beginning or at the end ?
This code will solved your problem for session timeout.
<?php
// set timeout period in seconds
$inactive = 60; //after 60 seconds the user gets logged out
// check to see if $_SESSION['timeout'] is set
if(isset($_SESSION['timeout']) ) {
$session_life = time() - $_SESSION['timeout'];
if($session_life > $inactive)
{
session_destroy();
header("Location: Logout.php");
}
}
$_SESSION['timeout'] = time();
?>
I'm currently working on a simple Authentification system and i'm using PHP Sessions.
In my header of every page i have a bit of PHP that does 3 things:
If the session last used time is older than 30 minutes it's destroyed
If the session last used time is older than 5 minutes it's regenerated
If the ips are not the same in the same session it's destroyed
However it doesn't seem to wok for the IP.
It gives me the error Undefined Index when i use isset to check if it is initialized or not.
session_start();
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
// last request was more than 30 minutes ago
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
if (!isset($_SESSION['CREATED'])) {
$_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 900) {
// session started more than 30 minutes ago
session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
$_SESSION['CREATED'] = time(); // update creation time
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
//GET CHECK IP
if (!isset($_SESSION['ADDR'])) {
if ($_SESSION['ADDR'] != get_client_ip()){
session_unset(); // unset $_SESSION variable for the run-time
session_destroy(); // destroy session data in storage
}
}else {
$_SESSION['ADDR'] = get_client_ip();
}
echo "<pre>".print_r($_SESSION)."</pre>";
You are trying to say if $_SESSION['ADDR'] has not been set. Remove the negation operator !.
if (isset($_SESSION['ADDR'])) {
// code here
}
When users login their online status is set to 1 when they logout its set back to 0, im trying to make it so after a certain amount of time of inactivity on the site they will be sent to logout.php, so I setup a field in my users table as last_activity as a timestamp. and have this code as a include on each page.
<?php
if (!isset($_SESSION['last_activity'])) {
// initiate value
$_SESSION['last_activity'] = time();
}
if (time() - $_SESSION['last_activity'] > 500) {
// last activity is longer then certain amount of time
header('Location: logout.php');
} else {
// update last activity timestamp
$_SESSION['last_activity'] = time();
}
?>
But right now as I have it, the last_activity field only updates when something on the users account is updated, also after the certain amount of time the user isn't logged out and I don't know why.
From automatic logout after 15 minutes of inactivity:
<?php
session_start();
$timeout = 10; // Set timeout minutes
$logout_redirect_url = "index.php"; // Set logout URL
$timeout = $timeout * 60; // Converts minutes to seconds
if (isset($_SESSION['start_time'])) {
$elapsed_time = time() - $_SESSION['start_time'];
if ($elapsed_time >= $timeout) {
session_destroy();
header("Location: $logout_redirect_url");
}
}
$_SESSION['start_time'] = time();
?>
Your code is right just at the top of the file you have to start the session with session_start()
I have a single form for login for both admin and general users. I would like to time the sessions out after 30 minutes how would I amend my current code to do that?
<?php
session_start(); //Start the session
define(ADMIN,$_SESSION['username']); //Get the user name from the previously registered super global variable
if(!session_is_registered("admin")){ //If session not registered
header("location:../index.php"); // Redirect to login.php page
}
?>
Here is the code to clear the session for a specified time.
To clear the inactive session, you have to renew the session timeout every page.
Hope it helps.
For reference, http://bytes.com/topic/php/insights/889606-setting-timeout-php-sessions
session_start();
$timeout = 60; // Number of seconds until it times out.
// Check if the timeout field exists.
if(isset($_SESSION['timeout'])) {
// See if the number of seconds since the last
// visit is larger than the timeout period.
$duration = time() - (int)$_SESSION['timeout'];
if($duration > $timeout) {
// Destroy the session and restart it.
session_destroy();
session_start();
}
}
// Update the timout field with the current time.
$_SESSION['timeout'] = time();
Via the runtime configuration item session.cookie_lifetime or function session_set_cookie_params()
if ($_SESSION['timeout'] + 30 * 60 < time()) {
// 30 min timeout
}