How Can I Reliably Implement a 30-Minute PHP Session Expiration?

Implementing a PHP Session Expiration after 30 Minutes

Problem Statement:

Maintaining an active session for 30 minutes before terminating it.

Answer:

Relying solely on PHP's built-in session settings (e.g., session.gc_maxlifetime, session.cookie_lifetime) may not guarantee reliable session expiration. Instead, it's recommended to implement a custom expiration mechanism.

session.gc_maxlifetime:

• Determines the interval after which session data is considered "garbage" and subject to cleanup.
• However, the garbage collector is not guaranteed to run every time a session starts, resulting in potential delays in data removal.
• Furthermore, with the default session handler, session data may be removed based on file modification timestamps, leading to inconsistencies.

session.cookie_lifetime:

• Controls the expiration of the browser's session cookie, but does not directly influence server-side session validity.
• Setting this value to zero would create a true session cookie, expiring upon browser closure.

Custom Expiration Handler:

To ensure reliable session expiration, implement a custom expiration handler that uses a timestamp to track user activity.

Code:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // Session inactive for over 30 minutes
    session_unset(); // Delete session data
    session_destroy(); // Terminate session
}
$_SESSION['LAST_ACTIVITY'] = time(); // Update timestamp

Additional Considerations:

• Set session.gc_maxlifetime to a value equal to or greater than the custom expiration interval (e.g., 1800 seconds).
• To expire the session based on activity time (rather than start time), use setcookie() to set the cookie's expiration 30 minutes after the last request.

The above is the detailed content of How Can I Reliably Implement a 30-Minute PHP Session Expiration?. For more information, please follow other related articles on the PHP Chinese website!