Question:
I am creating a session when a user logs in like so:
$_SESSION['id'] = $id;
How can I specify a timeout on that session of X minutes and then have it perform a function or a page redirect once it has reached X minutes?
EDIT: I forgot to mention that I need the session to timeout due to inactivity.
Answer 1:
First, store the last time the user made a request:
<?php
$_SESSION['timeout'] = time();
?>
In subsequent requests, check how long ago they made their previous request (10 minutes in this example):
<?php
if ($_SESSION['timeout'] + 10 * 60 < time()) {
    // session timed out
} else {
    // session ok
}
?>
Answer 2:
When the session expires the data is no longer present, so something like
if (!isset($_SESSION['id'])) {
    header("Location: destination.php");
    exit;
}
will redirect whenever the session is no longer active.
You can set how long the session cookie is alive using session.cookie_lifetime
ini_set("session.cookie_lifetime", "3600"); // an hour
EDIT: If you are timing sessions out due to a security concern (instead of convenience), use the accepted answer; as the comments below show, this is controlled by the client and thus not secure. I never thought of this as a security measure.
Answer 3:
Just check first that the session is not already created, and if not, create one. Here I am setting it for 1 minute only.
<?php
if (!isset($_SESSION['timeout'])) {
    $_SESSION['timeout'] = time();
}
$st = $_SESSION['timeout'] + 60; // session time is 1 minute
?>
<?php
if (time() < $st) {
    echo 'Session will last 1 minute';
}
?>
Answer 4:
<script type="text/javascript">
window.setTimeout("location=('timeout_session.htm');", 900000);
</script>
Putting this in the header of every page has been working for me during site tests (the site is not yet in production). The HTML page it falls to ends the session and just informs the user of the need to log in again. This seems an easier way than playing with PHP logic.
I'd love some comments on the idea. Any traps I haven't seen in it?
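Answer 5:
<?php
session_start();
// isset() avoids an undefined-index notice on the very first request
if (isset($_SESSION['time']) && time() < $_SESSION['time'] + 10) {
    // still inside the 10-second window: refresh the timestamp
    $_SESSION['time'] = time();
    echo "welcome old user";
} else {
    // window elapsed (or first visit): discard the old session and start a new one
    session_destroy();
    session_start();
    $_SESSION['time'] = time();
    echo "welcome new user";
}
?>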
Answer 6:
Byterbit's solution is problematic because:
- Having the client control expiration of a server-side cookie is a security issue.
- If the expiration timeout set on the server side is smaller than the timeout set on the client side, the page would not reflect the actual state of the cookie.
- Even if it is for the sake of comfort in the development stage, this is a problem because it won't reflect the right behaviour (in timing) in the release stage.
For cookies, setting expiration via session.cookie_lifetime is the right solution design-wise and security-wise! For expiring the session, you can use session.gc_maxlifetime.
Expiring the cookies by calling session_destroy might yield unpredictable results because they might have already been expired.
Making the change in php.ini is also a valid solution, but it makes the expiration global for the entire domain, which might not be what you really want - some pages might choose to keep some cookies longer than others.
Answer 7:
session_cache_expire(20);
session_start(); // NEVER FORGET TO START THE SESSION!!!
$inactive = 1200; // 20 minutes * 60
if (isset($_SESSION['start'])) {
    $session_life = time() - $_SESSION['start'];
    if ($session_life > $inactive) {
        header("Location: user_logout.php");
        exit; // stop here so the timestamp below is not refreshed
    }
}
$_SESSION['start'] = time();
if ($_SESSION['valid_user'] != true) {
    header('Location: ../....php');
    exit; // stop here so nothing below runs for an invalid user
} else {
    // page content for a valid user
}
source: http://www.daniweb.com/web-development/php/threads/124500
Answer 8:
<?php
session_start();
if ($_SESSION['login'] != 'ok') {
    header('location: /dashboard.php?login=0');
    exit; // a redirect header alone does not stop the script
}
if (isset($_SESSION['last-activity']) && time() - $_SESSION['last-activity'] > 600) {
    // session inactive more than 10 min
    header('location: /logout.php?timeout=1');
    exit;
}
$_SESSION['last-activity'] = time(); // update last activity time stamp
if (time() - ($_SESSION['created'] ?? 0) > 600) {
    // session started more than 10 min ago (or creation time not recorded yet)
    session_regenerate_id(true); // change session id and invalidate old session
    $_SESSION['created'] = time(); // update creation time
}
?>
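Added example, not part of any answer above: the server-side inactivity check the answers describe, combined with a hard cap on total session age and a full teardown (session data plus cookie) before redirecting. The limits, the session key names and /login.php are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Limits and key names are assumed.
const IDLE_LIMIT     = 600;   // seconds of inactivity allowed (10 minutes)
const ABSOLUTE_LIMIT = 28800; // cap on total session age (assumed 8 hours)

/**
 * Decide the session state from server-side timestamps only.
 * Returns 'new', 'expired' or 'active' and updates $s in place.
 */
function check_timeout(array &$s, int $now): string
{
    if (!isset($s['created'], $s['last_activity'])) {
        $s['created'] = $s['last_activity'] = $now;
        return 'new';
    }
    if ($now - $s['last_activity'] > IDLE_LIMIT
        || $now - $s['created'] > ABSOLUTE_LIMIT) {
        return 'expired'; // timestamps are left untouched on purpose
    }
    $s['last_activity'] = $now; // every request counts as activity
    return 'active';
}

/** Remove the server-side data and expire the client's session cookie. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
if (check_timeout($_SESSION, time()) === 'expired') {
    end_session();
    header('Location: /login.php?timeout=1'); // hypothetical login page
    exit; // nothing protected may be sent after the redirect
}
```

Because the decision depends only on values stored in the session on the server, a client that keeps its cookie past the limit or never runs the page's JavaScript still gets logged out on its next request.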