This code works perfectly when user press refresh after 30 sec of page inactivity, but i need some code to automatic destroy sassion and refresh page after 30 seconds of inactivity.
<?php
$inactive = 30;
ini_set('session.gc_maxlifetime', $inactive);
session_start();
if (isset($_SESSION['testing']) && time() - $_SESSION['testing'] > $inactive) {
session_unset(); // unset $_SESSION variable for this page
session_destroy(); // destroy session data
echo "<br><br>Sorry, you can't go any further!!!";
echo "<br>Please log in.";
echo "<br/><a href='index.php'>Go back to login page</a>";
}else{
//Here is some code to do when the session is still active
}
$_SESSION['testing'] = time();
?>
There are a few ways to approach this depending on how you want the user to be notified - if you simply want the page to be reloaded after the time has expired - this will work:
<meta http-equiv="refresh" content="30" >
if placed in the head tag of the page - basically this will cause the page to refresh after 30 seconds - which will cause your PHP code to execute again, which will produce the effect you want.
If you want a better user experience - i.e. not making the page just refresh but giving the user some kind of warning / prompt that something is about to expire - you need to use javascript - something like this would work (inside of a script tag on your page):
setTimeout(runAfterThirty, 30000);
function runAfterThirty() {
alert("Your session expired - I am going to refresh the page now");
location.reload();
}
inside of your function, you could put anything you want - you would most likely want something that changes the page rather than refreshes it.
Either way, the page is refreshed by the javascript, which means that your PHP code can execute. You should destroy the session with PHP.
You can achieve this slightly differently if you wish - by calling an AJAX request that will hit a page that is designed to destroy the session - however it looks like, based on your code - this is not needed - however an approach that used AJAX would mean the user's page did not need to refresh - the logic would be like this:
1) The page has some javascript code that calls a function after the time limit has expired (see above code) - that function then makes an AJAX request off to another page 2) The other page invalidates the php session 3) the calling page shows some kind of error / message to the user stating that they have timed out
If however you want to timeout after true user inactivity you need this: Detecting idle time in JavaScript elegantly, however i don't believe these solutions at 100% fool proof (they will break totaly on mobile for instance)
NOW - if you want to use the above link - you WILL NEED ajax - as your current code will not work - basically (and i am not going to write you an AJAX tutorial here) - you need to use javascript to work out when your timeout is reached (using the above SO link) AND THEN hit the server and tell it to invalidate the session (read this tutorial for more information http://www.w3schools.com/ajax/)
Note that you need to decide what to do when a user does not invalidate a session via ajax but refreshes the page - that is to say, a user could block all ajax requests from their browser - meaning that they never self-invalidated the session even if they are inactive - you would however maybe want the server to timeout the session after 3 mins or something? this is all app design stuff.