How to change the session timeout in PHP?

In PHP, sessions are maintained to check whether the user is active. If the user becomes inactive and forgets to log out of the web page, other users may be able to view the page, causing a security breach. By default, a session in PHP gets destroyed when the browser is closed. The session timeout can be customized to make the user's page inactive after a fixed time.

Starting session: The PHP session_start() function is used to start a session in the web page.

Syntax:

session_start();

Session variables: After the session has started, session variables can be created for future use. Values can be stored in session variables as follows:

Syntax:



  • Creating a session variable named ‘var1’ and assigning the value ‘5’ to it can be done as:
    $_SESSION['var1']=5;
  • Assigning a variable to a session variable can be done as:
    $username="John";
    $_SESSION['username']=$username;
    

Destroying session variables and session: Session variables that were initialized earlier can be removed before the session itself is destroyed. The following commands are used:

Syntax:

  • To remove all session variables of the current session, the following command should be used:
    session_unset();
  • To destroy the complete session, the following command should be used:
    session_destroy();

Changing session timeout: Consider a login page with a ‘Login’ button in an HTML form. When the user clicks the ‘Login’ button, the session starts and session variables are set. A session variable that stores the time of login is initialized. The user is then redirected to the home page.

  • Login page:
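    <?php 
      
    // Session starts
    session_start(); 
      
    if(isset($_POST["Login"])) {
      
        // Read the username only after the form has been submitted
        $username = isset($_POST["username"]) ? $_POST["username"] : "";
      
        // Session Variables are created
        $_SESSION["user"] = $username;   
      
        // Login time is stored in a session variable
        $_SESSION["login_time_stamp"] = time();  
      
        // Redirect to the home page and stop executing this script
        header("Location: homepage.php");
        exit;
    }
    ?>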


    
    

On the home page, the session_start() function is called to maintain the session. This makes the session variables available on this page. The current time is obtained with the time() function. The difference between the current time and the session variable created at login must not exceed the desired timeout. When it does, the session is destroyed and the user is redirected to the login page.

For example, if the session timeout is 10 minutes, the session should be destroyed automatically after 10 minutes = 10*60 seconds = 600 seconds.

  • Home Page:
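    <?php 
      
    session_start();
      
    // Check whether a logged-in session exists
    if(isset($_SESSION["user"])) 
    {
        // More than 600 seconds (10 minutes) since login: end the session
        if(time()-$_SESSION["login_time_stamp"] >600)  
        {
            session_unset();
            session_destroy();
            header("Location: login.php");
            exit;   // stop so the rest of the page is not sent
        }
    }
    else
    {
        header("Location: login.php");
        exit;
    }
    ?>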
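
The home page check above measures time since login, so even an active user is logged out after 10 minutes. As an added example (not code from the original article), the sketch below goes a step further and checks both an idle timeout and an absolute timeout; the constant names, the 8-hour limit, the `last_activity` key and both function names are assumptions.

```php
<?php
// Added example. IDLE_LIMIT, ABSOLUTE_LIMIT, "last_activity" and both functions
// are assumed names; "user" and "login_time_stamp" are the article's session keys.
const IDLE_LIMIT     = 600;    // 10 minutes without a request
const ABSOLUTE_LIMIT = 28800;  // 8 hours since login, regardless of activity

// Returns null while the session is valid, otherwise the reason it is not.
function session_timeout_reason(array $s, int $now): ?string
{
    if (!isset($s["user"], $s["login_time_stamp"])) {
        return "not_logged_in";
    }
    if ($now - $s["login_time_stamp"] > ABSOLUTE_LIMIT) {
        return "absolute_timeout";
    }
    // Right after login there is no last_activity yet: fall back to login time.
    $last = $s["last_activity"] ?? $s["login_time_stamp"];
    return ($now - $last > IDLE_LIMIT) ? "idle_timeout" : null;
}

// Call on every protected page, after session_start().
function enforce_session_timeout(): void
{
    if (session_timeout_reason($_SESSION, time()) === null) {
        $_SESSION["last_activity"] = time();  // slide the idle window
        return;
    }
    $_SESSION = [];                           // drop server-side data
    if (ini_get("session.use_cookies")) {     // expire the browser's session cookie
        $p = session_get_cookie_params();
        setcookie(session_name(), "", time() - 42000,
            $p["path"], $p["domain"], $p["secure"], $p["httponly"]);
    }
    session_destroy();
    header("Location: login.php");
    exit;
}
// Constructed sample sessions, checked from the command line without a web server.
if (PHP_SAPI === "cli") {
    $now = 1700000000;
    $samples = [
        "active"   => ["user" => "John", "login_time_stamp" => $now - 3600,  "last_activity" => $now - 30],
        "idle"     => ["user" => "John", "login_time_stamp" => $now - 3600,  "last_activity" => $now - 900],
        "too old"  => ["user" => "John", "login_time_stamp" => $now - 30000, "last_activity" => $now - 5],
        "no login" => [],
    ];
    foreach ($samples as $name => $s) {
        printf("%-8s => %s\n", $name, session_timeout_reason($s, $now) ?? "valid");
    }
}
```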
