jonlloyd

Reputation: 81

Logout an inactive user using PHP

I am trying to log a user out of my CMS after a set amount of time. By inactive I mean they have not clicked the mouse or typed on their keyboard. So after 30 minutes of inactivity my log out function is run.

There is already a log out function built in to the CMS I am using -

<?php
session_start();
if (isset($_SESSION['user_id'])){
    $login = 1;
}else{
    $login = 0;
}

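function confirm_logged_in() {
    if (!isset($_SESSION['user_id'])) {
        // Redirect to the login page and stop, so the rest of the page never runs
        header("Location: /_cms/login.php?login=0");
        exit;
    }
}
function logout(){
    // Empty the session data held in memory
    $_SESSION = array();
    // Expire the session cookie in the browser (any time in the past works)
    if(isset($_COOKIE[session_name()])){
        setcookie(session_name(), '', time()-4200, '/');
    }
    // Remove the session data stored on the server
    session_destroy();
}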

?>

Someone else wrote this code and it works. However I don't know the exact time it takes to log out an inactive user. The preset time is - 4200. What I want to find out is how long that takes to logout and if I can change it to any time I want. Can anyone advise?

Upvotes: 1

Views: 1397

Answers (2)

Adon

Reputation: 345

The -4200 is just to destroy the cookie. Cookies are destroyed by setting a time in the past for them. So setting 4200 seconds backwards is just as effective as 1 second backwards.

To log out users there are multiple methods. You can have your own cookie set with the last active time (set the time every time the user visits a page). At the beginning of each script include a function which gets this cookie and checks the value, which should contain the last active time. If this time is older than your allowed inactive time, then destroy this cookie and destroy your session as well; if not, then update the value to the current time.

Of course, you can also store the last active time inside the session itself, which is a much more efficient way, removing the overhead of cookie transfer and management.

EDIT

Below is minimal code to check for the last active time and log out the user:

function login(){
    //check login username/pass etc...
    $_SESSION['last_active_time'] = time();
}

function auth(){
    // A missing timestamp is treated the same as an expired one
    if(!isset($_SESSION['last_active_time']) || $_SESSION['last_active_time'] < (time() - 1800)){ //1800 is 30 minutes (time in seconds)
        logout(); //destroy the session in the logout function
    }
    else{
        $_SESSION['last_active_time'] = time();
    }
    //do some auth related things
}

That's the basic logic behind this. Of course you would need to implement other stuff you need along with security, checking, etc.

Upvotes: 1

Vinod Tigadi

Reputation: 859

I will try to answer your question and have some questions too.

  1. What CMS are you using? If you can name the CMS, we can provide a detailed and accurate solution.
  2. Regarding your function logout() and the setcookie and -4200: whenever you call the function logout, it checks if there is any cookie set. If yes, then it just sets the EXPIRY TIME to 4200 seconds ago, i.e. 7 minutes ago from the current time. That is, it invalidates the cookie which is present at that moment. Refer to the link: http://php.net/manual/en/function.setcookie.php
  3. Now, what you want is that after 30 mins of inactivity, the user should be logged out. Your current code is not built for that. You should write the logic to keep checking the last active time and invoke the logout function if it is more than 30 mins. Now the question is, how to do it? I am just modifying your code a bit:

    if (isset($_SESSION['user_id'])){
        $login = 1;
        // If the user has performed action within 30 minutes
        if($_SESSION['last_active_on'] > (time() - (30*60))){
            $_SESSION['last_active_on'] = time();   // Re-set the current time as Last Active
        }else{
            // User has done some action after 30 minutes.
            logout();   // Invoke the Logout functionality
        }    
    }else{
        $login = 0;
    }
    

Remember: time() Returns the current time measured in the number of seconds since the Unix Epoch (January 1 1970 00:00:00 GMT).

You have not added your login function here. You should modify your login function and should add one more line in that as $_SESSION['last_active_on'] = time();

One more thing. All this can happen only if the requests are sent to the server. For example: assume at 4:00 PM, due to some action, there was a server call. Assume at 4:25 you are moving your mouse cursor or clicking anywhere on the page, but if it doesn't send any request to the server, then it is still considered inactive. And at 4:35 PM if the user does something where a request is sent to the server [normal request or Ajax], then as per the server, it has been inactive for 35 mins, hence it will log out. Hope this answers your question.

You can even refer to the SO question: User Inactivity Logout PHP. It may also help you.

Upvotes: 0
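The idle check that both answers describe, as an added example (not code from either answer or from the CMS). It takes the session array and the current time as parameters so the 4:00 PM / 4:35 PM timeline can be replayed from the command line; `IDLE_LIMIT`, `touch_session()`, the `last_active` key and the sample timestamps are assumptions made for illustration.

```php
<?php
// Added example. IDLE_LIMIT, touch_session() and the 'last_active' key are
// hypothetical names, not part of the CMS shown in the question.
const IDLE_LIMIT = 1800; // 30 minutes, in seconds

/**
 * Returns true and refreshes the timestamp while the session is live.
 * Returns false and empties the session when the user is not logged in,
 * the timestamp is missing, or the last request is older than $limit.
 * $now is a parameter so the logic can be exercised without waiting.
 */
function touch_session(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    $last = $session['last_active'] ?? null;
    if (!isset($session['user_id']) || !is_int($last) || $now - $last > $limit) {
        $session = []; // the caller still has to expire the cookie and destroy the session
        return false;
    }
    $session['last_active'] = $now; // only a server request moves the timer
    return true;
}

// Constructed timeline: the last server call was at 4:00 PM.
$t0 = strtotime('2024-01-01 16:00:00 UTC');

// Case 1: mouse movement at 4:25 sent nothing, next request arrives at 4:35.
$idle = ['user_id' => 42, 'last_active' => $t0];
var_dump(touch_session($idle, $t0 + 35 * 60));

// Case 2: an Ajax request at 4:25 resets the timer, so 4:35 is still valid.
$active = ['user_id' => 42, 'last_active' => $t0];
var_dump(touch_session($active, $t0 + 25 * 60));
var_dump(touch_session($active, $t0 + 35 * 60));

// Case 3: a session that never recorded a timestamp is rejected.
$legacy = ['user_id' => 42];
var_dump(touch_session($legacy, $t0));

// Wiring on a real page, using the question's logout() and login URL:
//   session_start();
//   if (!touch_session($_SESSION, time())) {
//       logout();
//       header('Location: /_cms/login.php?login=0');
//       exit;
//   }
```

Because the decision is made only when a request reaches the server, the timeout is enforced there and cannot be extended by anything that happens solely in the browser.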
