Home > Backend Development > PHP Tutorial > How to Reliably Expire a PHP Session After 30 Minutes of Inactivity?

How to Reliably Expire a PHP Session After 30 Minutes of Inactivity?

Barbara Streisand
Release: 2024-12-24 22:56:15
Original
369 people have browsed it

How to Reliably Expire a PHP Session After 30 Minutes of Inactivity?

How to Effectively Expire a PHP Session after 30 Minutes

While PHP provides options like session.gc_maxlifetime and session.cookie_lifetime for session expiration, they are not entirely reliable. Here's a comprehensive approach to implement your own session timeout mechanism.

Issues with PHP's Built-in Options:

  • session.gc_maxlifetime: It specifies when session data is considered "garbage" and cleaned up during session start. However, the garbage collector runs sporadically, with a default probability of only 1%, potentially leading to premature session termination.
  • session.cookie_lifetime: This option determines the lifetime of the session cookie sent to the browser. However, it does not invalidate the session itself, which remains the server's responsibility.

Implementing a Custom Session Timeout:

The most effective way to expire a session after a specific period of inactivity is to implement your own timeout mechanism. This involves maintaining a timestamp of the last activity (request) and updating it with each request. If the last activity was over 30 minutes ago, you can unset and destroy the session.

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset(); // unset $_SESSION variable for the run-time
    session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
Copy after login

By continuously updating the session data, you prevent the session file's modification date from being prematurely removed by the garbage collector.

Additional Security Measures:

To prevent attacks such as session fixation, you can periodically regenerate the session ID by updating the $_SESSION['CREATED'] timestamp:

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time(); // update creation time
}
Copy after login

Notes:

  • Ensure session.gc_maxlifetime is set to a value at least equal to your custom expiration handler's lifetime (1800 in this example).
  • To expire the session after 30 minutes of activity instead of since start, use setcookie with an expire time of time() 60 * 30 to keep the session cookie active.

The above is the detailed content of How to Reliably Expire a PHP Session After 30 Minutes of Inactivity?. For more information, please follow other related articles on the PHP Chinese website!

source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Latest Articles by Author
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template