PHP auto-logout after 10 mins of inactivity

Question

Currently I'm tracking time spent by user on website using PHP code mentioned below:

if (!isset($_SESSION[timeset1]))
{
$one_val = time();
$_SESSION[timeset_dummy]= $one_val; 
$two_val = time()+1;
  $_SESSION[units_all] = array
  (
   "year"   => 29030400,
   "month"  => 2419200,
   "week"   => 604800,
   "day"    => 86400,
   "hr"   => 3600,
   "min" => 60,
   "sec" => 1
  );
}
else 
{
$two_val = time();
}
$diff = abs($two_val - $_SESSION[timeset_dummy]);

foreach($_SESSION[units_all] as $unit => $mult)
   if($diff >= $mult)
   {
    $output .= " ".intval($diff / $mult)." ".$unit.((intval($diff / $mult) == 1) ? ("") : ("s"));
    $diff -= intval($diff / $mult) * $mult;
   }

I want to give pop-up to users after 8 mins of inactivity that session will expire in next 2 mins. Can you please suggest how can I show pop-up (preferably without using Javascript, nice to have with CSS3 & HTML5) . Pop-Up will have warning message "Do you want to continue" and one button "Yes" , if button is not clicked for 2 mins automatically page logout script (PHP) will be executed.

Any pointers to to get this logic implemented.

Answer 1

This is quite easy with php session variable.

set $_SESSION variable with timestamp and check with the action time

<?php
session_start();
if(time()-$_SESSION['time']>600)
unset($_SESSION['time']);
else
$_SESSION['time']=time();//updating with latest timestamp
?>

Answer 2

if(time() - $_SESSION['timestamp'] > 900) { //15 minute subtract new timestamp from the old one
        $_SESSION['logged_in'] = false;
        session_destroy();
        header("Location: " . index.php); //redirect to index.php
        exit;
    } else {
        $_SESSION['timestamp'] = time(); //set new timestamp
    }

Answer 3

As far as I know, you cannot achieve what you are looking for without javascript. The browser needs javascript to know when to open the pop-up. You can use whatever means you want to check for timeout, either the basic window.setTimeout or a more advanced library (like the one in tehAon's answer).

Since I cannot post a comment I'm going to ask here: your code seems awfully complicated for checking if a user is still active. Is there any particular reason you could not use something like this:

$_SESSION['last_activity'] = time();

function check_if_logged_in() {
    if(time() - $_SESSION['last_activity'] > 600) { // 10 minutes but you could use 480 for 8 minutes
        // Do redirect or take other action here
    }
}

Answer 4

I found a jQuery plugin that looks like it will make your life easier. It is called jquery-idleTimeout.

The plugin has a few configuration items so you can customize it for your own needs…

• inactivity: 1200000 //20 Minute default (how long before showing the notice)
• sessionAlive: 300000, //5 minutes default how often to hit alive_url, we use for our ajax * interfaces where the page doesn’t change very often. This helps to prevent the logout screen of your app appearing in ajax callbacks. If you set this to false it won’t send off.
• alive_url: ‘/path/to/your/imHere/url’, //send alive ping to this url
• redirect_url: ‘/js_sandbox/’, //Where to go when log out
• click_reset: true, //Reset timeout on clicks (for ajax interface) – resets the sessionAlive timer, so we are not hitting up your app with alive_url if we just did an ajax call for another reason.
• logout_url: ‘/js_sandbox/timedLogout/index.html’ //logout before redirect (url so you can completely destroy the session before redirecting to login screen)

Here is a link to the github page to download the library.

https://github.com/philpalmieri/jquery-idleTimeout

Edit

Something I also noticed while looking at the source code, they are using jquery-ui as their stylesheet to make it look like it does in the demo.