Posted by Gordon Burditt on 11/07/12 11:17

>I'm currently relying on logged-in users hitting "logout"
>(logoff) before they leave, in order to terminate the session.
>
>With PHP the session filename is in a cookie that lasts for the
>current session. The problem is that the server does not know
>when the current session expires. (I have quite long timeouts.)

Then keep track of the timeout yourself.
When the user logs in successfully, set $_SESSION['last_hit']
to the current time. When the user hits a page, check his
login INCLUDING that $_SESSION['last_hit'] being not too old.
If it is too old, redirect to the login page.

If the session is valid, and you want to count the timeout from
the last hit, not the time of login, set $_SESSION['last_hit']
to the current time.


>Did anybody attempt a script to automatically call "logout"
>when the session expires?

You can't send a page to the browser spontaneously.
You can invalidate the login. With the above procedure,
you don't have to actually DO anything to expire the session
at the time it expires, just check if it has expired at
each page hit.

Gordon L. Burditt

[Back to original message]