Adding a Login Session Timeout

[spacepoet]

Hi:

 

How do I set a password-protected page to time out after 20 minutes or so?

 

I thought it was doing it on the below page, but it is not working.

 

A tutorial I found online.

 

Login.php

<form name="form1" method="post" action="myLogin.php">

<input name="myUserName" type="text" size="40" id="myUserName">
<br /><br />
<input name="myPassword" type="password" size="40" id="myPassword">

</div>

<input type="submit" name="Submit" value="Login">

</form>

 

myLogin.php

<?php

ob_start();

// Connect to server and select database.
//mysql_connect("$host", "$username", "$password")or die("cannot connect");
//mysql_select_db("$db_name")or die("cannot select DB");

// Define $myUserName and $myPassword
$myUserName=$_POST['myUserName'];
$myPassword=$_POST['myPassword'];



// To protect MySQL injection (more detail about MySQL injection)
$myUserName = stripslashes($myUserName);
$myPassword = stripslashes($myPassword);

$myUserName = mysql_real_escape_string($myUserName);
$myPassword = mysql_real_escape_string($myPassword);


$sql="SELECT * FROM myAdmins WHERE myUserName='$myUserName' and myPassword='$myPassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myUserName and $myPassword, table row must be 1 row

if($count==1){
// Register $myUserName, $myPassword and redirect to file "a_Home.php"
session_register("myUserName");
session_register("myPassword");

header("location:a_Home.php");
}
else {

echo "


<html>

...

</html>
";
}

ob_end_flush();
?>

 

myCheckLogin.php (added to each page to see if the person logged-in via Login.php):

<?
session_start();
if(!session_is_registered(myUserName)){
header("location:Login.php");
}
?>

 

Any help would be great.

 

Thanks.

[saurabhx]

When a logged in user performs some action (like accessing one of the admin page or something), store the current time is a session variable or somewhere (eg: last_access_time). Then when the logged in user performs another action, check if it has been 20 minutes since the last recorded time stamp. If it has been more than 20 mins, logout the user. Or if it is not 20 mins yet, allow the action and update last_access_time with the current time.

 

By the way, your above code will not check for time out and also, the function session_is_registered is deprecated as of PHP 5.3.0. So use the $_SESSION super global instead.

[spacepoet]

Hi.

 

Thanks for the tip.

 

I found that online so just going with what was in the tutorial.

 

Is there a more "robust" example you can point me to?

 

I want to keep it as simple as possible but want to make it solid as well.

 

New to me so not always sure what to look for ...

[Daim]

You can always make use of an ordinary cookie, which you can set an expiry time for:

 

 

// Expires in 20 minutes
setcookie("TestCookie", $value, time()+1200);

[PaulRyan]

I, myself do the same as saurabhx, this is a foolproof method and stops people fiddling with the account.

 

You could also use a JavaScript timeout to log them out if the page has be stationary for 20 minutes, although this can be stopped if the user have JavaScript turned off, it's useful for people who don't have it turned off

 

Regards, PaulRyan.

[spacepoet]

Hi:

 

Thanks for all the tips.

 

For doing a "setcookie("TestCookie", $value, time()+1200);"

 

Is that something I add to the myCheckLogin.php page? Just like that?

 

Not to much experience with cookies but want to learn more.

 

Thanks!