code for session expire

renu-86 · 02-11-2010, 07:49 AM

i have got a login page with emAIL and password ..
can anyone suggest me a way to implement code for session to expire after 15 min when a peron is logged into the site if he is logged in for more than 15 min..

these are the two sessions in log in page .
$_SESSION['email']
$_SESSION['password']

below given is the code for log out page .

PHP Code:


			
<?php



session_start();

session_unregister('email');

session_unregister('password');

session_destroy();

?>

thank you... any help will be appreciated . . .

kieran491 · 02-11-2010, 08:14 AM

Hi there you may also want to recreate there session id with this simple command

PHP Code:


			
session_regenerate_id(true)

the true argument will also delete the old session but this must all be done before you start printing out to the user as the cookie has to be resent

renu-86 · 02-11-2010, 12:16 PM

thanks for the suggestion ..

can u pls make it more clear??

sitNsmile · 02-11-2010, 04:25 PM

Session_register, Session_unregister are going out of date, recommended that it not replied upon anymore.

http://php.net/manual/en/function.se...unregister.php

or logging out though, you can use something like this,

PHP Code:


			
session_start(); 

session_unset(); 

session_destroy();

renu-86 · 02-14-2010, 06:28 AM

what i want to do is , after logging in with username and password , user will be in a page ,, if he / she remains logged in for 15 min , i want it to be automatically logged out and come backk to main page ...

tried the above code , not working..

SKDevelopment · 02-14-2010, 07:34 AM

1) You could try to redirect after some time using the header refresh or an Meta tags. You could redirect to a special page which would log out the user. From that page you could redirect to the main page using the header Location.

2) I would not recommend to store the login and password in the session variables after the successful authentication. Usually they are not necessary any more after the authentication is passed. Also at some servers sessions could be badly configured so it could be possibly not really safe.

You could simply store some flag e.g. $_SESSION['login_success'] instead. If this flag is set and e.g. equal to 1, the user is logged in.

3) Advice given by Kieran491 to use session_regenerate_id() after successful authentication is also very good. It addresses session security (not redirect after 15 min) but the advice is good. Using this function helps to prevent session fixation attacks. Simply run this function after you have checked the user authentication was successful in your script (but before any output is sent by the script to the browser).

Please ask questions if something is not clear.