jonlloyd

Reputation: 81

How do I log out inactive users after 30 minutes?

I am trying to log out inactive users. If they have not moved the mouse or typed in 30 minutes then they are automatically logged out and returned to the login screen. The logon details are stored in my database.

The login routine

<?php
require_once('includes/session.php');
    if (isset($_GET['logout']) and $_GET['logout'] == 1){
        logout();
    }
    //doublecheck status
    if (isset($_SESSION['user_id'])){
        $login = 1; $login_message = "Logged In";
    }else{
        $login = 0; $login_message = "Logged Out";
    }

include_once("../includes/masterinclude.php");
//include_once("../includes/functions_admin.php");


$preferences = getPreferences();
    $ip=$_SERVER['REMOTE_ADDR'];
    $message_login = "";

    if (isset($_POST['username']) and isset($_POST['password'])){
        $username = $_POST['username'];
        $password = $_POST['password'];
        $hashed_password = sha1($password);
        $u = Confirm_User($username, $hashed_password);
        if ($u == 1){
            $u = Get_User($username, $hashed_password);
            $_SESSION['user_id'] = $u->user_id;
            $_SESSION['username'] = $u->user_name;
            echo "<script type=\"text/javascript\">document.location.href=\"/home\";</script>";
        }else{
            $warning = "red";
            $message_login = "Login failed - Please try again";
        }
    }
?><head>



<form id="login" name="login" class="form-horizontal" method="post" action="_cms/login.php" style="display: block;">
            <div class="form-group" id="reauthorizeInner">
                <?php
                if($message_login != ""){
                    echo "<p><span class=\"message-error\">" . $message_login . "</span></p>";
                }else{
                    echo "<p class=\"message\">Please enter your username &amp; password</p>";
                }
                ?>
                <div class="input-group col-xs-12">
                    <input id="reauthuser" class="form-control" type="text" placeholder="Username.." name="username" value="username" onFocus="this.value=''" required="yes" message="You must enter a username">
                    <span class="input-group-addon">
                    <i class="icon-envelope-alt icon-fixed-width"></i>
                    </span>
                    </div>
            </div>
            <div class="form-group" id="reauthorizeInner">
                <div class="input-group col-xs-12">
                    <input id="reauthPassword" class="form-control" name="password" type="password" value="password" onFocus="this.value=''" required="yes" message="You must enter a password">

                    <span class="input-group-addon">
                    <i class="icon-asterisk icon-fixed-width"></i>
                    </span>
                </div>
            </div>
            <div class="clearfix">
                <div class="btn-group btn-group-sm pull-right">

                    <button class="btn btn-primary" id="submit" type="submit" onclick="document['login'].submit();">
                        <i class="icon-arrow-right"></i>
                        Login
                    </button>
                </div>
                <div class="make-switch pull-left" data-on="primary" data-off="danger"></div>
            </div>
        </form>

Session.php

<?php
session_start();
if (isset($_SESSION['user_id'])){
    $login = 1;
}else{
    $login = 0;
}

function confirm_logged_in() {
    if (!isset($_SESSION['user_id'])) {
        //redirect
        header("Location: /_cms/login.php?login=0");
        //stop here so the rest of the protected page is not executed or sent
        exit;
    }
}
function logout(){
        $_SESSION = array();
        if(isset($_COOKIE[session_name()])){
            setcookie(session_name(), '', time()-42000, '/');
        }   
        session_destroy();
}

?>

I know there is a lot of code here but I have to include this otherwise people will not see the complexity of creating a logout timer for this. I have tried a few different methods and none of them work because of the way the login routine is wrong. Any help would be greatly appreciated!

Upvotes: 2

Views: 1164

Answers (3)

Simba

Reputation: 5022

Of course you could just use PHP's built-in session time-out, which by default kills the session after 30 mins of no activity anyway.

If you want it to stay alive while the user is moving the mouse (as opposed to actively making HTTP requests), then you could have some code in your JavaScript that sends an ajax 'ping' event triggered every so often by the mouse moving. The ajax ping doesn't need to even do anything; as long as it runs a dummy PHP script that references the session, it'll be enough to keep the session open. If the ping script isn't called for 30 mins, then the session will time out.

So there's no real need to specifically call a log-out; just let the session expire.

(You'll need to have this happen anyway, to handle cases where the user closes his browser, or it crashes, or he loses network connection, etc.; you don't want the session hanging around forever in those cases.)

Upvotes: 0

CodeGodie

Reputation: 12132

I would use some JS/jQuery and the idleTimeout library and combine it with your PHP code:

$.idleTimeout('#idletimeout', '#idletimeout a', {
    idleAfter: 300, //seconds
    onTimeout: function() {
        //some code
        window.location = "logout.php"; //This is your PHP logout page
    },
    onIdle: function() {
        //some code
    },
    onCountdown: function(counter) {
        //some code
    },
    onResume: function() {
        //some code
    }
});

Upvotes: 2

MilanG

Reputation: 7114

You need some JavaScript code which will count time and reset the counter if some event happens. But if the counter reaches 30 minutes you'll have to do an AJAX call which will log out that user - call that logout function of yours.

Upvotes: 0
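The counter described in MilanG's answer and the throttled keep-alive ping described in Simba's answer can be combined in one small tracker. This is an added example, not code from any of the posts; the `/_cms/ping.php` script, the 5-minute ping throttle and the 15-second check interval are assumptions, while the logout URL is the `?logout=1` branch of the question's login.php.

```javascript
// Added example, not code from the thread. The clock and the two network
// actions are injected so the logic can be exercised outside a browser.
const IDLE_LIMIT_MS = 30 * 60 * 1000; // 30 minutes, as in the question
const PING_EVERY_MS = 5 * 60 * 1000;  // assumed throttle for keep-alive pings

function createIdleTracker({ now, ping, logout,
                             idleLimit = IDLE_LIMIT_MS, pingEvery = PING_EVERY_MS }) {
  let lastActivity = now();
  let lastPing = lastActivity;
  let loggedOut = false;

  // Run from a periodic timer: log out once the idle limit has passed.
  function check() {
    if (!loggedOut && now() - lastActivity >= idleLimit) {
      loggedOut = true;
      logout();
    }
    return loggedOut;
  }

  // Run from mousemove/keydown handlers.
  function activity() {
    // Input that arrives after the limit must not revive the session.
    if (check()) return;
    const t = now();
    lastActivity = t;
    if (t - lastPing >= pingEvery) { // at most one ping per pingEvery
      lastPing = t;
      ping();
    }
  }

  return { activity, check };
}

// Browser wiring. /_cms/ping.php is a hypothetical script that only includes
// includes/session.php; the logout URL is the ?logout=1 branch of login.php.
if (typeof document !== 'undefined') {
  const tracker = createIdleTracker({
    now: () => Date.now(),
    ping: () => fetch('/_cms/ping.php', { credentials: 'same-origin' }),
    logout: () => { window.location.href = '/_cms/login.php?logout=1'; },
  });
  ['mousemove', 'keydown'].forEach((name) =>
    document.addEventListener(name, tracker.activity, { passive: true }));
  setInterval(tracker.check, 15 * 1000); // assumed check interval
}
```

This script only keeps the session alive and redirects the browser; the server-side session lifetime still decides when the session actually ends for a client that never runs it.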
