php - TP3.2 user login timeliness issue

Question

Using tp3.2 for background management, I encountered a problem when doing user login.
1. After the background user logs in, it has always been valid. After leaving it for a whole afternoon, I closed the browser, and the user login status still exists. The user's expiration can only be realized when clicking logout.
The default session validity period that is not PHP is 1440 seconds (24 minutes). If the client does not refresh for more than 24 minutes, the current session will be recycled and invalid. Why is it always valid? Got it?

2. How to use tp to realize the timeliness issue of user login: when the user does not operate, it will automatically expire after a fixed period of time. How to achieve it.
My login part code:

        if(IS_POST){
            $uname=I('post.uname');
            $password=md5(I('post.password'));
            $res=M('manager')->where("uname='{$uname}'")->find();
            if(is_null($res)) {
                $this->error("用户名不存在");
                return false;
            }
            if($res['uname']==$uname&&$res['password']==$password){
                $_SESSION['uname']=$res['uname'];
                $_SESSION['expire']=time()+600;
                $this->success('登录成功',U('Rbac/Index/index'));
                exit();
            }
            $this->error("登录失败");
        }

The idea I looked at on Baidu is to use $_Session['expire'] to achieve it, but I don’t know where to put this code. Is it inappropriate to put it during login check? Where should I put it?

        //        设置用户登录session登录限制时间
        if(isset($_SESSION['expire'])){
            if($_SESSION['expire']<time()){
                unset($_SESSION['expire']);
                $this->error('登录过期,请重新登录','Rbac/Login/login');
            }else{
//                刷新时间戳
                $_SESSION['expire']=time()+600;
            }
        }

Answer 1

The principle is: set a timeout length, such as: 600, record the starting point of time when logging in, and check whether it times out every time the page is refreshed (actually the logic is: whether to log in - whether to time out - whether there is permission), if it times out, then It prompts "Login timeout, please log in again" and jumps to the login page. If it does not time out, it means that the user is still active, then reset the starting point of the timing $_SESSION['expire']=time() + 600.