Help: logout after idle X minutes

[clown[NOR]]

i'm working on a login system.. and I was wondering... how's the best way to make sure the user get's automaticly logged out after, let's say 5 minutest idle?

 

i have a function called authUser() where I check cookies against the database... should I insert a code in there that sais somthing like this?

 

<?php

if ($dbField['logintime'] > strtotime(5 minutes ago)) {

// Delete all cookies and clear all login info in database

} else {

// Update the timestamp in the database.

}

?>

 

i'm not sure about the strtotime().. haven't used it to much, but from what I've read on this forum it should work...

and what type of timestamp should I use in the database? ... DATETIME or TIME?

 

Thanks In Advance

- Clown

[john010117]

I was wondering the same thing myself. I'm guessing for your situation, put that in a seperate file (let's say "session_check.php") and include/require it through all the secure pages.

[clown[NOR]]

well.. I have the authUser() function in a file called func_login.php and I run the authUser() function on top of every single file that is used in the admin area of the site... just in case someone tries to run the file directly, which means they're maybe trying to hack it....

[john010117]

If that's the case, then yes, it'll be wise to put that inside of that function.

[clown[NOR]]

ok... i'll try... but what type of timestamp should I use? DATETIME or just TIME?

[john010117]

Um, I think time would be fine...

[marf]

you could yes, have them be 'logged out' after 5 minutes, however they wouldn't actually KNOW they were logged out until they tried to visit another page or refresh. This is where AJAX script can come in. You can set a timer to check every so often, and then log them out after an amount of time they stay idle on one page.  Prototype has a timer ability that can do this.

[clown[NOR]]

hmm... sounds interesting... but I'm still learning php and mysql... so another language on top of this would confuse me but thanks for the info... I'll check it out when I feel safer on php and mysql

 

i do have another question tho... I change the logintime field to TIMESTAMP... and I use date("YmdHis") to update it... but it still appears as Y-m-s H:i:s in the database... why is that? is it supposed to do that or have I messed something up?

[trq]

Sessions already have this feature built in. Take a look at the session.cache-expire ini directive if you need to change the time.

 

Note, this can also be changed using ini_set.

[clown[NOR]]

thanks... yeah i'll look it up now

[clown[NOR]]

ok.. from what I understand... I can add something like this in my authorization code?

 

if (isset($_SESSION['idle']) {
$_SESSION['idle'] = "blabla";
session_catche_expire(5);
} else {
header("Location: login.php");
}

 

am i right?