auto logout user after # mins of inactivity

Question

i have a client side jquery script that logs the user off after 5 mins of inactivity. The problem is though is the user navigates away without logging out the session stays active. If the user closes the browser shouldnt that destroy the session since sessions stay alive for the duration of the browsers being open or the user logs off?

anywho this is what i have

(function($){
    $(document).bind("idle.idleTimer", function(){
        document.location = "orders.php?action=logoff&session=timeout";
    });
    //var minute = 60000; //1 minute is 60,000 miliseconds.
    var minute = 300000; //5 minutes
    var timeout = minute;
    $.idleTimer(timeout);

})(jQuery);

how can i implement a server side if the user navigates away? I was thinking of using cron but then that would be not the right way (im thinking but then maybe im wrong)

i read this post User Inactivity Logout PHP

and i don't see how the session can still take effect if the user navigates away

Answer 1

All you need to do is add some code to your orders.php file.

What you need to do is have a few if statements checking for your $_GET variables of action and session.

If both of those requirements are met then you just need to destroy your session with session_destroy();

you can also redirect them to any page if you would like using header();

Answer 2

Sarmen, the easiest way is to use the php session garbage collection to suit your need:

http://www.php.net/manual/en/session.configuration.php#ini.session.gc-maxlifetime

300s will meet your requirement.

Answer 3

Navigating away necessarily doesn't expire the session, its closing the browser that does.

1. I would implement the check on the server side.
2. If the session is invalid, you should send down a 400 HTTP status code, which your JS code can use to identify that the user is no longer allowed to use the resource and hence redirect to the login page.
3. Set cookies expiry values to something that suits your application better.