PHP session timeout script [duplicate]

Posted 2019-04-16 08:23

This question already has an answer here:

I have this code that logs a user out if they don't change pages for 10 minutes.

$inactive = 600;

if(isset($_SESSION['timeout']) ) {
  $session_life = time() - $_SESSION['timeout'];
  if($session_life > $inactive) { 
    header("Location: logout.php"); 
    exit; // stop here so the rest of the protected page is not sent
  }
}

$_SESSION['timeout'] = time();

As you can see it's pretty straightforward. I include this function at the top of all my protected pages and if the script isn't run for 10 minutes, the next time you refresh the page, the user is sent to my logout script.

However that's the problem. After $session_life > $inactive becomes true, the script needs to be run again for the user to be logged out. I need the person to be immediately logged out as soon as this becomes true.

Is there any way to do this without things getting too complicated? (i.e. not using AJAX)

4 answers
别忘想泡老子
#2 · 2019-04-16 08:54

I've got an idea that I tested and it works on my server setup - it uses linux calls to set up a delayed removal of the session file. This is purely server-side and kills the session exactly when it should. You must have permissions to run shell commands though.

$inactive = 600;

# if there is a delayed removal - cancel it
# (the cast keeps anything but a number out of the shell command)
if (isset($_SESSION['pid'])) shell_exec('kill -9 '.(int)$_SESSION['pid']);

# compose path to session file
$sesspath = session_save_path().'/sess_'.session_id();

# set up a delayed removal to destroy the session after $inactive seconds and
# get its PID
#
# you can put whatever command you like in $cmd (call a logout
# php script perhaps?)
$cmd = 'sleep '.(int)$inactive.' && rm '.escapeshellarg($sesspath);
$_SESSION['pid'] = shell_exec('nohup sh -c '.escapeshellarg($cmd).' > /dev/null & echo $!');
ゆ 、 Hurt°
#3 · 2019-04-16 08:55

I'd include a meta refresh in the header of the page, and check how long it's been since the page was output. Some simple server side logic can accomplish that.

女痞
#4 · 2019-04-16 08:58

No. Your PHP code runs on every request. If you want the timeout to trigger "immediately" then you have to either spam the server with continuous requests (bad idea) or move the timeout logic to client-side code.

An appropriate solution could be to start a Javascript timer when the page loads and redirect the user to the logout page when the timer expires. If the user navigates to another page in the meantime the current timer would be discarded automatically and a new one started when that page loads. It can be as simple as this:

<script type="text/javascript">
    // setTimeout takes its delay in milliseconds: 10 minutes = 10 * 60 * 1000
    setTimeout(function() { window.location.href = "logout.php"; }, 10 * 60 * 1000);
</script>

Update: Of course, you should also keep the server-side code to enforce the business rule on your own side. The Javascript will give you an "optimal" scenario when the client side cooperates; the PHP code will give you a guarantee if the client side works against you.
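
A server-side idle check of the kind the question's code and the update above rely on, as an added example that is not code from any poster on this page: it destroys the session at the moment the timeout is detected and stops the script, so the protected page never renders even if the browser ignores the redirect or the JavaScript timer. The function names, the constants and `login.php` are assumptions.

```php
<?php
// Added example, not from the original thread.
// is_idle_expired(), destroy_session(), enforce_idle_timeout(),
// IDLE_LIMIT and LOGIN_URL are hypothetical names.
declare(strict_types=1);

const IDLE_LIMIT = 600;          // seconds, the 10-minute limit from the question
const LOGIN_URL  = 'login.php';  // assumed landing page after the session ends

/** Pure decision: has the session been idle longer than the limit? */
function is_idle_expired(?int $lastSeen, int $now, int $limit = IDLE_LIMIT): bool
{
    return $lastSeen !== null && ($now - $lastSeen) > $limit;
}

/** Wipe the session data, expire the session cookie, delete the stored session. */
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Call before any output on every protected page. */
function enforce_idle_timeout(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $last = isset($_SESSION['timeout']) ? (int) $_SESSION['timeout'] : null;
    if (is_idle_expired($last, time())) {
        destroy_session();                 // session is gone server-side first
        header('Location: ' . LOGIN_URL);
        exit;                              // the protected page must not render
    }
    $_SESSION['timeout'] = time();         // sliding window: refresh per request
}

enforce_idle_timeout();
```

Load the file with `require_once` at the top of each protected page so the functions are declared only once per request.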

虎瘦雄心在
#5 · 2019-04-16 09:12

You can do it by subtracting the current time, say time(), from the time you want. Try this link.

How do I expire a PHP session after 30 minutes?
