I am a PHP beginner. I managed to create a user registration/signup system which leads to a dashboard panel. The users are logged in using sessions.
I have also made a session timer script that makes the session expire after 30 minutes. But my question is how to make it expire only if the user is inactive, and if the user suddenly becomes active again, how to prevent it from expiring.
Here is my login code and dashboard code. Please help me out. Coded help would be much appreciated.
Thank you
# LOGIN CODE
```php
<?php
// session_start() has already been called and the credentials verified above
$_SESSION['username'] = $username;
$_SESSION['emailAddress'] = $email;
$_SESSION['LoggedIn'] = 1;
$_SESSION['start'] = time(); // taking now logged in time
$_SESSION['expire'] = $_SESSION['start'] + (1 * 10); // 10 seconds (30 * 60 would be 30 minutes)
header('Location: ../dashboard/');
```
# DASHBOARD CODE
```php
<?php
session_start();
if(empty($_SESSION['LoggedIn']) && empty($_SESSION['username']))
{
    echo "<script>location.href='session-expired.php'</script>";
}
elseif(!isset($_SESSION['LoggedIn']) && !isset($_SESSION['username']))
{
    echo "<script>location.href='session-expired.php'</script>";
}
else
{
    $now = time();
    if($now > $_SESSION['expire'])
    {
        session_destroy();
        echo "<script>location.href='session-expired.php'</script>";
    }
    else
    {
?>
<!-- After all the html codes -->
<?php
    }
}
?>
```
I would recommend reading the excellent responses to this question: How do I expire a PHP session after 30 minutes?
But to sum up the ideas of that question (and actually answer your question):
- Don't trust the php ini configurations, the automatic expiration doesn't run on every request and you don't want it to (it runs through every session on disk, not just the current one).
- Don't update the `$_SESSION['expire']` value from the start time. Update it from the current time. This makes it closer to the actual behavior of "x period of inactivity".
- You should always `die` or `exit` when your code is at an end. When you perform a redirect, you've made the decision that the current page is finished and you want a different page to take over the current request.
- Try not to use `<script>location.href=</script>` for redirects. You should stick with the server side redirects you use in the login code like this: `header('Location: ../dashboard/');`. There are several reasons for this.
- `echo`'s or `print`'s or `dumps`'s or anything outside the `<?php ?>` tags. These all send data to the client and once that has started, you can't do certain things on the server. This leads to a very common problem experienced by php devs: "headers already sent".

The docs for `session_destroy()` have this to say:

> In order to kill the session altogether, like to log the user out, the session id must also be unset. If a cookie is used to propagate the session id (default behavior), then the session cookie must be deleted. setcookie() may be used for that.

They unhelpfully don't detail how to unset the session id, but it goes like this:
```php
<?php
session_start();
session_unset();
session_destroy();
session_write_close();
// if using cookies
setcookie(session_name(), '', 0, '/');
session_regenerate_id(true);
```
So I would do this for your `# DASHBOARD CODE`:

```php
<?php
session_start();
if(!isset($_SESSION['LoggedIn']) || empty($_SESSION['LoggedIn']) || !isset($_SESSION['username']) || empty($_SESSION['username']))
{
    header("Location: /session-expired.php");
    exit();
}
else
{
    $now = time();
    if($now > $_SESSION['expire'])
    {
        // session is already started above; tear it down completely
        session_unset();
        session_destroy();
        session_write_close();
        // if using cookies
        setcookie(session_name(), '', 0, '/');
        session_regenerate_id(true);
        header("Location: /session-expired.php");
        exit();
    }
    else
    {
        // slide the window forward from now (10 seconds, matching the question's value)
        $_SESSION['expire'] = $now + 10;
    }
}
```
Also note: `time()` uses seconds, since you mentioned you're new to PHP. `time()` also deals with the Unix epoch, so watch out for the year 2038.
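Putting the answer's points together, here is an added example (my own code, not from the question or the answer above) of a reusable guard that implements the 30-minute inactivity window the question asks for: it stores the last-activity time instead of an expiry time, slides it forward on every request, tears the session down fully on timeout, and redirects before any output. The names `IDLE_LIMIT`, `end_session()`, `require_login()` and `on_login()` are my own.

```php
<?php
// Added example. IDLE_LIMIT, end_session(), require_login() and on_login()
// are assumed helper names, not part of the original question or answer.
const IDLE_LIMIT = 30 * 60; // 30 minutes of inactivity, in seconds

// Fully tear down the session, as the session_destroy() docs require:
// clear the data, delete the cookie, then destroy the server-side record.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page, before any output is sent.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now      = time();
    $loggedIn = !empty($_SESSION['LoggedIn']) && !empty($_SESSION['username']);
    $last     = $_SESSION['last_activity'] ?? 0;

    if (!$loggedIn || ($now - $last) > IDLE_LIMIT) {
        end_session();
        header('Location: /session-expired.php');
        exit; // nothing after a redirect should run
    }
    // Any request on a protected page counts as activity: slide the window
    // forward from now, not from the original login time.
    $_SESSION['last_activity'] = $now;
}

// Call after the credentials have been verified on the login page.
function on_login(string $username): void
{
    session_regenerate_id(true); // fresh id once the privilege level changes
    $_SESSION['LoggedIn']      = 1;
    $_SESSION['username']      = $username;
    $_SESSION['last_activity'] = time();
    header('Location: ../dashboard/');
    exit;
}

require_login();
// ... dashboard HTML follows here ...
```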