At 10:26 AM -0400 9/14/10, Floyd Resler wrote:
We just got a client whose requirement is that user sessions expire
after 30 minutes of inactivity. Our other clients are happy with
not having their sessions expire during the work day (i.e. life is 8
hours). I am using a MySQL database to store the session data. My
thought is to adjust the session expiration in the table based on
the client currently logged in. Is this a good approach or would
there be better ways to do it? And just to clarify: all clients use
the same Web site.
I don't know how others solve this, but my solution is pretty
straightforward (see code below).
I require this code for every script that is in the secured area.
Simply put, if the user runs a script, then this script is also run.
As a result, if the user is not logged in they are directed to the
login script. If the user is logged in, but has exceeded the
expiration time due to inactivity, then the user is redirected to the
same login script with a GET value to trigger the login script to
report that they timed out due to inactivity.
I find it bad practice to tell a user that they are not logged in
when they did log in. It's better to explain why they have to log on
Now, with respect to your storing the expiration time in the
database, that could be done easily enough by this script accessing
the database, getting, and setting the time-limit -- OR -- at the
start of any logon have the script pull the time-limit from the
database and store that value in a SESSION. Either way would work.
In any event, this is what I do.
$redirect = 'http://yourdomain.com/admin/logon.php';
// standard security
$secure = isset($_SESSION['security']) ? $_SESSION['security'] : 0;
if ($secure == 0) // if admin is not logged in -- then redirect to
the admin logon
// timed security
$_SESSION['start'] = isset($_SESSION['start']) ? $_SESSION['start'] : 0;
$timelimit = 15 * 60; // 15 minutes
$now = time();
if($now > $_SESSION['start'] + $timelimit)
$t = '?t=1';
$_SESSION['start'] = time();
// properly logged on pass here
<?php //============ log off function =============
// to destroy the current session
$_SESSION = array();
setcookie(session_name(), '', time()-86400, '/');
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php