Different ways to log out in PHP

How to correctly close an authenticated session when the user is inactive or closes the browser.

We will see how to close the user session when:

  • User idle time exceeds “x” amount of time (seconds, minutes, etc…).
  • The user closes the browser and completely leaves our site.

PHP Idle Logout – Data Control Module

It may seem obvious to some and complex to others, but many of us have asked at some point: how do you expire a session in PHP?

Now we will see how simple it is. We will only have to:

  • Create a session value that stores a date and time
  • Check in our security layer the time elapsed between the saved date and the current time
  • Update the saved date or destroy the session as appropriate

The first thing we must do, then, is create the session value and assign it the current time. We will do this at the moment the user logs in to the system with their access data.

<?php
// check whether the username and password are valid
// (the field and session key names used here are assumed)
if (($_POST["user"] ?? "") == "miguel" && ($_POST["password"] ?? "") == "qwerty") {
    // valid username and password
    // name the session so that different data can be saved separately
    session_name("loginUser");
    // start the session
    session_start();
    // set the session value that shows that the user is authorized
    $_SESSION["authenticated"] = "YES";
    // store the login date and time in year-month-day hh:mm:ss format
    $_SESSION["lastAccess"] = date("Y-n-j H:i:s");
    header("Location: application.php");
    exit; // stop the script once the redirect has been sent
} else {
    // if the credentials are not valid, send the user back to the front page
    header("Location: index.php?usererror=yes");
    exit;
}
?>

PHP inactivity logout: security module

The second step will be to check the time elapsed between the saved date and the current time in our security layer and act accordingly.

To do this, we will have to perform a very simple calculation:

elapsed time = (current time – saved date)

Then we need to know whether the elapsed time is greater than, less than or equal to the expiration time of the session (represented as “x”):

if (elapsed time >= x), act accordingly

We will use the second as the unit of time for these calculations. In our example, we will time out the session after 10 minutes of inactivity (where: 10*60 = 600 seconds). Because the second is the unit of measurement, the dates must be converted to seconds. To do this, we will use the strtotime function.

Therefore, we will calculate the elapsed time (elapsed time = (current time – saved date)) as follows:

<?php
// start the session
session_name("loginUser");
session_start();
// before doing the calculations, check that the user is logged in,
// using the same session values that the login script set
if (($_SESSION["authenticated"] ?? "") != "YES") {
    // if the user is not logged in, send them to the authentication page
    header("Location: index.php");
    exit; // stop so that the protected page is not rendered
} else {
    // otherwise, calculate the elapsed time
    $saveddate = $_SESSION["lastAccess"];
    $now = date("Y-n-j H:i:s");
    $elapsed_time = (strtotime($now) - strtotime($saveddate));
    // compare the elapsed time
    if ($elapsed_time >= 600) {
        // if 10 minutes or more have passed
        session_destroy(); // destroy the session
        header("Location: index.php"); // send the user to the authentication page
        exit;
    } else {
        // if not, update the date of the session
        $_SESSION["lastAccess"] = $now;
    }
}
?>
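
A variant of the security module above, added here as an example and not the article's own code: it compares integer time() values instead of date strings, treats a missing timestamp as expired, and on expiry also empties $_SESSION and expires the session cookie before redirecting. The session keys "authenticated" and "lastAccess", the constant IDLE_LIMIT and the helpers idleState() and endSession() are assumed names, and the login script is assumed to store time() in "lastAccess".

```php
<?php
// Added example, not the article's code; key names and helpers are assumed.
const IDLE_LIMIT = 600; // 10 minutes, as in the article

// Returns "anonymous", "expired" or "active"; refreshes the timestamp when active.
function idleState(array &$session, int $now, int $limit = IDLE_LIMIT): string
{
    if (($session["authenticated"] ?? null) !== "YES") {
        return "anonymous";
    }
    $last = $session["lastAccess"] ?? null;
    // A missing or non-integer timestamp counts as expired (fail closed).
    if (!is_int($last) || $now - $last >= $limit) {
        return "expired";
    }
    $session["lastAccess"] = $now;
    return "active";
}

// Clears the data, expires the browser cookie and deletes the server-side record.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get("session.use_cookies")) {
        $p = session_get_cookie_params();
        setcookie(session_name(), "", time() - 42000,
            $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
}

if (PHP_SAPI === "cli") {
    // Constructed sample sessions, checked against a fixed "now" of 1000000.
    $samples = [
        ["authenticated" => "YES", "lastAccess" => 1000000 - 599],
        ["authenticated" => "YES", "lastAccess" => 1000000 - 600],
        [],
    ];
    foreach ($samples as $s) {
        echo idleState($s, 1000000), PHP_EOL;
    }
} else {
    session_name("loginUser");
    session_start();
    if (idleState($_SESSION, time()) !== "active") {
        endSession();
        header("Location: index.php");
        exit; // stop so the protected page is never rendered
    }
}
```

Run from the command line, the block evaluates the three constructed sessions; included at the top of a protected page, it performs the check against the real session.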
