
Possible Duplicate:
How do I expire a PHP session after 30 minutes?

I am destroying all session variables in logout.php and calling it when the user clicks on logout. What if the user does not click on logout.php but directly closes the browser? How can I delete the session then?



You can set an expiration time for the session data, test it with each session_start call and destroy the session if it’s expired:

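session_start();
if (!isset($_SESSION['EXPIRES']) || $_SESSION['EXPIRES'] < time()) {
    $_SESSION = array(); // no expiry recorded, or it has passed: clear the session data
}
$_SESSION['EXPIRES'] = time() + 3600; // slide the expiry forward one hour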
Tuesday, September 27, 2022

You can't detect when a user closes the browser or types in a new address. You basically need to have a "timeout" facility like the rest of the websites have.

Tuesday, December 27, 2022

You could set a cron job on the server to check for stale sessions. But this is not a great solution, since you have to deploy another solution (cron job) with your project. The way I would do it is to have a check_credentials.php file included in your project that runs right after your DB connection. You will then add two fields in the users table for your project's users, called session_id and last_checkin. The process will work like so:


  1. A session is created and a session_id can be retrieved from PHP on first hit (not logged in yet)
  2. If the user authenticates, save the session_id to the DB with the current timestamp as last_checkin

Then you can have all the users do stale session checks at every page request:

Page Query:

  1. Delete session_id's from all users where last_checkin is older than 10min.
  2. Check if my current session_id = db.session_id
  3. If the session_id's don't match, log out and send the user to login.php
  4. If the session_id's match, then update last_checkin
Sunday, December 11, 2022
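
The page-request check from the answer above, as an added example that is not part of the original answer. The users columns follow the answer; the in-memory SQLite database, the helper names sid_hash and login, and hashing the stored id are assumptions made here.

```php
<?php
// Added example, not the answer's code. Assumed schema: users(id, session_id,
// last_checkin); in-memory SQLite (pdo_sqlite) stands in for the real database.
const MAX_IDLE = 600; // 10 minutes, as in the answer

function sid_hash(string $sid): string {
    // Assumption added here: store SHA-256 of the id rather than the raw id,
    // so reading the users table does not yield usable session ids.
    return hash('sha256', $sid);
}

// Call after authentication (and after session_regenerate_id(true)).
function login(PDO $db, int $userId, string $sid, int $now): void {
    $db->prepare('UPDATE users SET session_id = ?, last_checkin = ? WHERE id = ?')
       ->execute([sid_hash($sid), $now, $userId]);
}

// Returns the user id for a live session, or null; on null the caller logs
// the user out and redirects to login.php.
function check_credentials(PDO $db, string $sid, int $now): ?int {
    // 1. Drop session ids idle for longer than MAX_IDLE.
    $db->prepare('UPDATE users SET session_id = NULL WHERE last_checkin < ?')
       ->execute([$now - MAX_IDLE]);
    // 2. Does the current session id belong to a user?
    $q = $db->prepare('SELECT id FROM users WHERE session_id = ?');
    $q->execute([sid_hash($sid)]);
    $id = $q->fetchColumn();
    if ($id === false) {
        return null; // 3. no match
    }
    // 4. Match: refresh last_checkin.
    $db->prepare('UPDATE users SET last_checkin = ? WHERE id = ?')
       ->execute([$now, $id]);
    return (int) $id;
}

// Constructed demo data; in a page, pass session_id() and time().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, session_id TEXT, last_checkin INTEGER)');
$db->exec('INSERT INTO users (id) VALUES (1)');
$t0 = 1700000000;
login($db, 1, 'constructed-session-id', $t0);
var_dump(check_credentials($db, 'constructed-session-id', $t0 + 300));  // 5 min after login
var_dump(check_credentials($db, 'constructed-session-id', $t0 + 1000)); // 700 s after last check-in
```
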

You can modify another user's session (see below), although personally, I would recommend against it, as I imagine it can open up a whole world of session hijacking and other vulnerabilities.

With your example use case

A common user is logged, while in the same time an administrator uses the Admin functions and change some value for this user. If the value is not something obtained from the database every time, the session variable for that current logged in user need to have its value changed.

You would be better off updating the value in the database and then just checking to see if it's changed before you process the next page. If you don't want to be checking multiple user fields before each page load, then when you update the user in the admin panel, you can build a hash of the values and add it to a new column called session_hash. Then just compare this field on page load.

But if you still want to modify another user's session, you can set your current session_id to the target's.

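// End my current session and save its id
session_start();
$my_session_id = session_id();
session_write_close();

// Modify our target session ($target_id: the target user's session id, obtained elsewhere)
session_id($target_id);
session_start();
$_SESSION['is_logged_in'] = false;
session_write_close();

// Start our old session again
session_id($my_session_id);
session_start();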




Monday, December 5, 2022

Instead of setting the time in ini to a fixed length, remember that the session timeout is reset on reload. So create some ajax code that does a request every 5 minutes or so to a file (image or something). This way the timer is reset every 5 minutes and users can spend a day filling out your forms.

Saturday, November 5, 2022