Logging out after certain amount of time

Question

What would the best way be to logout a user from a PHP application (so basically just perform a redirect) after X seconds of inactivity? For "inactivity" I'd count the time of the last page load, and if the current time is more than X seconds away, perform the redirect.

Is this something that would need to be achieved with Javascript?

Answer 1

What if the user starts typing in the form on the page and hasn't finished by your time out period? I handle inactivity in another way than described in other answers so far.

var rowLockSeconds = 0;

function startRowLockTimer()
{
   setInterval("incrementRowLockTimer()",60000);
   $("input").keypress(function (e) { rowLockSeconds=0; }).click( function() { rowLockSeconds=0;  });
   $("textarea").keypress(function (e) { rowLockSeconds=0; }).click( function() { rowLockSeconds=0; ; });

   window.onbeforeunload = function obul() { if (hasChanged) { return 'You will lose any unsaved changes you\'ve made.'; } }
   window.onunload = clearRowLock;
}

So as they've logged in, the row lock timer starts at 0. Every 60 seconds it calls the interval function to see if it has timed out.

function incrementRowLockTimer()
{
rowLockSeconds = rowLockSeconds+60;

// 10 minute timer to clear someone out of a page if there has been no activity
if (rowLockSeconds >= 600)
{
    window.onbeforeunload=null;
    // clear rowLock with request here
    $.get('../ajax/rowLock-server.php?do=delete&rowLockID='+currentRowLockID+'&userUUID='+currentUserUUID, function() { 
        alert('You have been logged out of this page after 10 minutes of inactivity.');
        document.location.href='../main.php';
    });
}
}

The AJAX controls clear out the DB row lock.

The key is the input and textarea bindings so that if the user types anything into the form, the timeout is reset and they have another 10 minutes.

Answer 2

You can use just html meta tag:
<meta http-equiv="refresh" content="1000;url=buy.aspx">
put it in head
where 1000 is a time in sec and url is an url to redirect.

Answer 3

Do you really want a redirect for some reason?

Usually each user session has an associated timestamp. You then make sure the session hasn't expired for the user, or ask them to log in. So in effect, you're just making sure sessions are valid.

If you redirect someone to a logout page, you really are not achieving anything. You will also need to make sure the session has not timed out server side. Anything that is client side, including redirects to a logout page, is unreliable, and can be circumvented.

The simplest form in PHP:

<?php 

session_start();

$session_lifetime = 60*60; // 1 hour

if (!isset($_SESSION['time']) || !$_SESSION['time']) {
$_SESSION['time'] = time();
}

if (time() - $_SESSION['time'] > $session_lifetime) {
// session has expired
$_SESSION['user'] = null;
$_SESSION['time'] = null;
} else {
// keep session alive
$_SESSION['time'] = time();
}

Answer 4

Just answered this question yesterday... the OP wanted to ask after certain amount of time, it the user would like to stay logged in or not.

For a plain redirect without any confirmation, you can use a simple setTimeout call:

var minutes = 30;
setTimeout(function(){location.href = 'logout.php';}, minutes*60*1000);