
How to log user out due to inactivity

Pure, server-side PHP. Every time a user submits a form, I update a 'last activity' time in the database.

I want to make a periodic check and force logout inactive users to free up licenses.

How would I do that? Should I also store the session ID in the database and then destroy the session? That would free up a license for another user, and when the first finally submits another form I can check at the top of each form action file if the session still exists and redirect the user to the login page if necessary.

Would that work? Is it the 'best' way? Any example code?


Update: I am polling because I need to know when the user times out in order to update the database.

Mawg says reinstate Monica asked Dec 07 '22 21:12


2 Answers

With each login, you need to keep track of the Session Start Time, which can be done like this:

$_SESSION['SessionStartTime'] = time();

With each user request to perform any operation, you need to run this script to monitor inactivity.

<?php
session_start();
$TimeOutMinutes = 15; // This is your TimeOut period in minutes
$LogOff_URL = "login.php"; // If timed out, it will be redirected to this page

$TimeOutSeconds = $TimeOutMinutes * 60; // TimeOut in Seconds
if (isset($_SESSION['SessionStartTime'])) {
    // Seconds since the previous request from this session
    $InActiveTime = time() - $_SESSION['SessionStartTime'];
    if ($InActiveTime >= $TimeOutSeconds) {
        session_destroy();
        header("Location: $LogOff_URL");
        exit; // Stop here so the rest of the page does not run for a timed-out user
    }
}
// Still active: record this request as the latest activity
$_SESSION['SessionStartTime'] = time();
?>
RKh answered Dec 10 '22 11:12


This problem is more difficult than it seems on the surface.

You need to consider the session behavior at three different levels:

  • PHP
  • database
  • browser

PHP

For PHP, you'll need to set the session timeout to whatever your limit is. Here's some example code from php.net:

<?php
session_cache_limiter('private');
/* set the cache expire to 30 minutes */
session_cache_expire(30);    
session_start();
?>

Database

Sounds like you need to keep track of how many sessions are active so you can enforce your license. Since you're in PHP, you'll need to do this at the database level. Each request could write a "last request time" for the user (UPDATE users SET last_access=NOW() WHERE user_id=?), and then you can surmise that active sessions are the ones within the last 30 minutes.

Rather than "last access time", you can try to keep track of the active sessions, again in the database. I'm not exactly sure how this is best done in PHP. I think you can patch into PHP's session deletion code. I believe it's possible to have it call a function when a session expires, but I haven't done this.

Browser

JavaScript polling can be used, but is not necessary, as long as you have a server-side timeout. Consider cases where the user turns off JavaScript, or you have some JavaScript error that causes the script to stop running.

We have a very Ajax-intensive site, so JavaScript is important. A timeout might be discovered when the user does something as innocuous as open a panel on a page. I wrote up my recent experience here.

ndp answered Dec 10 '22 11:12
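
The design raised in the question and in the Database section of the second answer (one database row per active session, a periodic sweep that frees licenses, and a check at the top of each form action), as an added example that is not code from either answer. The table and column names, the 15-minute timeout, the two-seat limit and the hashing of the session ID are assumptions, and the session IDs and timestamps in the demo are constructed.

```php
<?php
declare(strict_types=1);
// Added example. Table and column names, the timeout and the seat limit are assumptions.
const IDLE_TIMEOUT = 900; // seconds of inactivity before a seat is released
const MAX_SEATS = 2;      // licensed concurrent users

// Store only a hash, so reading the table does not reveal live session IDs.
function sidKey(string $sid): string { return hash('sha256', $sid); }

// Periodic job (cron): delete idle rows and return the number of seats freed.
function sweepInactive(PDO $db, int $now): int {
    $st = $db->prepare('DELETE FROM active_sessions WHERE last_activity < ?');
    $st->execute([$now - IDLE_TIMEOUT]);
    return $st->rowCount();
}

// Login: expire idle rows, then take a seat if one is free.
function claimSeat(PDO $db, string $sid, int $userId, int $now): bool {
    $db->beginTransaction();
    sweepInactive($db, $now);
    $used = (int) $db->query('SELECT COUNT(*) FROM active_sessions')->fetchColumn();
    if ($used < MAX_SEATS) {
        $db->prepare('INSERT INTO active_sessions VALUES (?, ?, ?)')
           ->execute([sidKey($sid), $userId, $now]);
    }
    $db->commit();
    return $used < MAX_SEATS;
}

// Top of every form action: refresh the row, or report that the seat is gone.
// On false the caller runs session_destroy(), redirects to the login page and exits.
function touchSession(PDO $db, string $sid, int $now): bool {
    $st = $db->prepare('UPDATE active_sessions SET last_activity = ?
                        WHERE session_id = ? AND last_activity >= ?');
    $st->execute([$now, sidKey($sid), $now - IDLE_TIMEOUT]);
    return $st->rowCount() === 1;
}

// Demo on an in-memory SQLite database with constructed session IDs and timestamps.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE active_sessions (session_id TEXT PRIMARY KEY,
           user_id INTEGER NOT NULL, last_activity INTEGER NOT NULL)');
$t0 = 1700000000;
var_dump(claimSeat($db, 'sid-alice', 1, $t0));         // first seat
var_dump(claimSeat($db, 'sid-bob', 2, $t0 + 60));      // second seat
var_dump(claimSeat($db, 'sid-carol', 3, $t0 + 120));   // both seats in use
var_dump(touchSession($db, 'sid-bob', $t0 + 600));     // Bob submits a form
var_dump(sweepInactive($db, $t0 + 1000));              // periodic check runs
var_dump(touchSession($db, 'sid-alice', $t0 + 1001));  // Alice returns after the sweep
var_dump(claimSeat($db, 'sid-carol', 3, $t0 + 1002));  // Carol retries
```

On MySQL, PDO's rowCount() counts changed rather than matched rows unless PDO::MYSQL_ATTR_FOUND_ROWS is set, so two requests in the same second would make touchSession() return false without it. The count-then-insert step in claimSeat() also needs row or table locking there to stay within the seat limit under concurrent logins.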