How to Reliably Expire a PHP Session After 30 Minutes of Inactivity?

How to Effectively Expire a PHP Session after 30 Minutes

While PHP provides options like session.gc_maxlifetime and session.cookie_lifetime for session expiration, they are not entirely reliable. Here's a comprehensive approach to implement your own session timeout mechanism.

Issues with PHP's Built-in Options:

• session.gc_maxlifetime: It specifies when session data is considered "garbage" and cleaned up during session start. However, the garbage collector runs sporadically, with a default probability of only 1%, potentially leading to premature session termination.
• session.cookie_lifetime: This option determines the lifetime of the session cookie sent to the browser. However, it does not invalidate the session itself, which remains the server's responsibility.

Implementing a Custom Session Timeout:

The most effective way to expire a session after a specific period of inactivity is to implement your own timeout mechanism. This involves maintaining a timestamp of the last activity (request) and updating it with each request. If the last activity was over 30 minutes ago, you can unset and destroy the session.

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset(); // unset $_SESSION variable for the run-time
    session_destroy(); // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

By continuously updating the session data, you prevent the session file's modification date from being prematurely removed by the garbage collector.

Additional Security Measures:

To prevent attacks such as session fixation, you can periodically regenerate the session ID by updating the $_SESSION['CREATED'] timestamp:

if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} else if (time() - $_SESSION['CREATED'] > 1800) {
    // session started more than 30 minutes ago
    session_regenerate_id(true); // change session ID for the current session and invalidate old session ID
    $_SESSION['CREATED'] = time(); // update creation time
}

Notes:

• Ensure session.gc_maxlifetime is set to a value at least equal to your custom expiration handler's lifetime (1800 in this example).
• To expire the session after 30 minutes of activity instead of since start, use setcookie with an expire time of time() 60 * 30 to keep the session cookie active.

The above is the detailed content of How to Reliably Expire a PHP Session After 30 Minutes of Inactivity?. For more information, please follow other related articles on the PHP Chinese website!