You want to prevent a user from returning to a restricted page if there has been no activity for a fixed period, say 20 minutes.
Create a session variable that stores the last time a restricted page was accessed, and compare it with the current time. If the session variable is older than your time limit, clear the session variables, and redirect the user to another page.
Session variables are used to control access to restricted pages. The Dreamweaver Log In User server behavior creates two session variables, $_SESSION['MM_Username'] and $_SESSION['MM_UserGroup'], that the Restrict Access to Page server behavior checks before letting anyone view the page.
All that's necessary to prevent someone from accessing a page after a period of inactivity is to create another session variable to keep a record of the last time a page was accessed after logging in. Each time a restricted page is requested, check the time of the last activity. If it's older than the time limit you have set, clear the session array, and redirect the user to another page.
Add the following code at the top of every restricted page:
<?php
// create a session
if (!isset($_SESSION)) {
    session_start();
}
// store the current time
$now = time();
// get the time the session should have expired
$limit = $now - 60 * 20;
// check the time of the last activity
if (isset($_SESSION['last_activity']) &&
    $_SESSION['last_activity'] < $limit) {
    // if too old, clear the session array and redirect
    $_SESSION = array();
    header('Location: http://www.example.com/expired.php');
    exit;
} else {
    // otherwise, set the value to the current time
    $_SESSION['last_activity'] = $now;
}
?>
This stores a current timestamp in $now, and sets the value of $limit to $now minus the time limit. PHP timestamps are calculated in seconds. To set the time limit at 20 minutes, calculate the number of seconds in 20 minutes (60 * 20) and deduct the result from $now.
Multiplication takes precedence over subtraction, so there is no need to wrap 60 * 20 in parentheses, but if you want to make the code look clearer, you can change the calculation to look like this:
$limit = $now - (60 * 20);
Either way, the result is the same: $limit now contains a timestamp representing when the session should have expired.
Now you can compare the time limit with the session variable that keeps a record of the time of the most recent activity. If the user has only just logged in, the session variable won't yet exist, so the conditional statement begins by testing for its existence. If it does exist, and its value is less than the time limit, it means the last activity must have been more than 20 minutes ago. $_SESSION is set to an empty array, deleting any values stored in the current session, and the user is redirected to another page.
On the other hand, if $_SESSION['last_activity'] doesn't exist, or if it's greater than the time limit, its value is set to the current time.
As long as the user accesses a restricted page within the time limit, $_SESSION['last_activity'] will be constantly updated to the current time, keeping the session alive.
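The same check packaged as a function for an include file, as an added example that is not part of the original recipe: on expiry it also expires the session cookie and calls session_destroy(), because emptying $_SESSION alone leaves the session ID and the server-side session in place. The file name idle_timeout.php and the function names are hypothetical, and the type hints assume PHP 7.1 or later.

```php
<?php
// Added example: idle_timeout.php (hypothetical file name), included at the
// top of every restricted page before any output is sent.

// Pure decision: has the idle limit passed since the last recorded activity?
function idle_expired(?int $lastActivity, int $now, int $limitSeconds): bool
{
    // No timestamp yet means the user has only just logged in.
    return $lastActivity !== null && $lastActivity < $now - $limitSeconds;
}

// Enforce the limit; $expiredUrl is where timed-out users are sent.
function enforce_idle_timeout(int $limitSeconds, string $expiredUrl): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $now  = time();
    $last = isset($_SESSION['last_activity'])
        ? (int) $_SESSION['last_activity']
        : null;

    if (idle_expired($last, $now, $limitSeconds)) {
        // Clear the session data, as the recipe's code does...
        $_SESSION = array();
        // ...then expire the session cookie in the browser...
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', $now - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        // ...and delete the server-side session record.
        session_destroy();
        header('Location: ' . $expiredUrl);
        exit;
    }
    // Still within the limit: record this request as the latest activity.
    $_SESSION['last_activity'] = $now;
}

// 20 minutes, with the same redirect target as the recipe above.
enforce_idle_timeout(60 * 20, 'http://www.example.com/expired.php');
```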