At 10:26 AM -0400 9/14/10, Floyd Resler wrote:
We just got a client whose requirement is that user sessions expire after 30 minutes of inactivity. Our other clients are happy with not having their sessions expire during the work day (i.e. life is 8 hours). I am using a MySQL database to store the session data. My thought is to adjust the session expiration in the table based on the client currently logged in. Is this a good approach or would there be better ways to do it? And just to clarify: all clients use the same Web site.



I don't know how others solve this, but my solution is pretty straightforward (see code below).

I require this code for every script that is in the secured area. Simply put, if the user runs a script, then this script is also run.

As a result, if the user is not logged in they are directed to the login script. If the user is logged in, but has exceeded the expiration time due to inactivity, then the user is redirected to the same login script with a GET value to trigger the login script to report that they timed out due to inactivity.

I find it bad practice to tell a user that they are not logged in when they did log in. It's better to explain why they have to log on again.

Now, with respect to your storing the expiration time in the database, that could be done easily enough by this script accessing the database, getting, and setting the time-limit -- OR -- at the start of any logon have the script pull the time-limit from the database and store that value in a SESSION. Either way would work.

In any event, this is what I do.



========== code


$redirect = '';

// standard security

$secure = isset($_SESSION['security']) ? $_SESSION['security'] : 0;

if ($secure == 0) // if admin is not logged in -- then redirect to the admin logon

// timed security

$_SESSION['start'] = isset($_SESSION['start']) ? $_SESSION['start'] : 0;

$timelimit = 15 * 60; // 15 minutes
$now = time();

if($now > $_SESSION['start'] + $timelimit)
   $t = '?t=1';

$_SESSION['start'] = time();

// properly logged on pass here


<?php //============  log off  function =============
// to destroy the current session

function logOff()
   $_SESSION = array();

      setcookie(session_name(), '', time()-86400, '/');


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to