How to Effectively Expire a PHP Session after 30 Minutes
While PHP provides options like session.gc_maxlifetime and session.cookie_lifetime for session expiration, neither is reliable on its own. Here is a comprehensive approach to implementing your own session timeout mechanism.
Issues with PHP's Built-in Options:
session.gc_maxlifetime only decides when stored session data becomes eligible for garbage collection; the collector itself runs probabilistically (session.gc_probability / session.gc_divisor), and when several applications share one session.save_path, the application with the lowest setting can delete everyone's data. session.cookie_lifetime is enforced only by the browser, so a client can keep presenting the cookie after it should have expired.
Implementing a Custom Session Timeout:
The most effective way to expire a session after a specific period of inactivity is to implement your own timeout mechanism. This involves maintaining a timestamp of the last activity (request) and updating it with each request. If the last activity was over 30 minutes ago, you can unset and destroy the session.
<?php
session_start();

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // clear the $_SESSION array for this request
    session_destroy();   // destroy the session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update the last-activity timestamp
Writing to the session on every request also refreshes the session file's modification time, so the garbage collector does not remove the data prematurely while the user is still active.
Additional Security Measures:
To reduce the impact of attacks such as session fixation, you can periodically regenerate the session ID. Record the time the session was created in $_SESSION['CREATED'] and, once that is older than 30 minutes, regenerate the ID and reset the timestamp:
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time(); // update creation time
}
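The two fragments above are usually combined into one bootstrap that every request calls before touching $_SESSION. The following is an added example, not code from the original article: it puts the inactivity timeout and the periodic ID regeneration into a single function and adds cookie hardening. The function name start_secure_session, the constants, and the cookie settings (HttpOnly, Secure, SameSite=Lax, session.use_strict_mode) are assumptions chosen for this example; the 30-minute limits and the LAST_ACTIVITY / CREATED keys come from the text. It assumes PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example: session bootstrap with inactivity timeout and ID rotation.
// Not part of the original article; names and cookie settings are assumptions.
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT    = 1800; // 30 minutes without a request ends the session
const SESSION_ID_ROTATE_AFTER = 1800; // rotate the session ID every 30 minutes

function start_secure_session(): void
{
    // Cookie hardening (assumed defaults, not from the original page):
    // HttpOnly keeps the ID away from scripts, Secure limits it to HTTPS,
    // SameSite=Lax stops most cross-site requests from carrying the cookie.
    session_set_cookie_params([
        'lifetime' => 0,      // browser session cookie; the server-side checks below decide expiry
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    // Reject session IDs the server never issued (uninitialised IDs from a fixation attempt).
    ini_set('session.use_strict_mode', '1');
    session_start();

    $now = time();

    // 1. Inactivity timeout: last request was more than 30 minutes ago.
    if (isset($_SESSION['LAST_ACTIVITY'])
        && ($now - $_SESSION['LAST_ACTIVITY']) > SESSION_IDLE_TIMEOUT) {
        session_unset();            // clear the $_SESSION array for this request
        session_destroy();          // delete the stored session data
        session_start();            // open a fresh, empty session for the rest of the request
        session_regenerate_id(true); // and give it a new ID
    }
    $_SESSION['LAST_ACTIVITY'] = $now;

    // 2. Periodic ID regeneration: limits how long a captured or fixated ID stays valid.
    if (!isset($_SESSION['CREATED'])) {
        $_SESSION['CREATED'] = $now;
    } elseif (($now - $_SESSION['CREATED']) > SESSION_ID_ROTATE_AFTER) {
        session_regenerate_id(true); // new ID; old session data is deleted
        $_SESSION['CREATED'] = $now;
    }
}

start_secure_session();
// From here on $_SESSION belongs to a session that has been active within the last 30 minutes.
```

Two caveats when deploying this. First, keep session.gc_maxlifetime at or above the 1800-second timeout (and use a session.save_path that is not shared with applications that set it lower), otherwise the garbage collector can still discard a session before your own check would. Second, session_regenerate_id(true) deletes the old session data immediately, so a concurrent request from the same browser (an AJAX call in flight) that still carries the old ID will find no session; if that matters for your application, rotate the ID at a point where you know no other request is outstanding, such as right after login.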