Question

I'm using Drupal 6 for a program that does some e-payment work. Due to the fact that being logged in means that the browser can access a user's sensitive financial information, I want to make sure it will time out the session after an inactive period.

I tried using:

ini_set('session.cookie_lifetime',  600); //expire after 10 minutes of inactivity

However, this logs the user out after 10 minutes regardless of whether they had any activity since login.

Is there a different setting to use or a way to modify this setting to make the session expire after inactivity rather than have a hard and fast lifetime length?

Solution

Drupal lets users stay logged in until they log out. This may not seem logical to you, but it makes a lot of sense to people writing large posts, or willing to resume writing after a pause: they may get disappointed if, after a long day's work, they submit their post and get an error because their session has expired.

That said, you may review the Automated logout module, which seems likely to help you with your application's requirements.

OTHER TIPS

You need to implement your own solution; there is no reliable way of doing it by just changing settings. If you need more info, check out this answer: How do I expire a PHP session after 30 minutes?

Taken from top answer in that question:

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp

Also you would want to set:

ini_set('session.cookie_lifetime',  0);

So that it never expires on its own unless they close the browser.
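
An added example, not part of the answers above or of Drupal's code: the same server-side inactivity check, with the expiry decision split into a function that can be exercised on its own and a teardown that also clears the session cookie. It assumes plain PHP 7 or later; `IDLE_LIMIT`, `session_is_idle()` and `enforce_idle_timeout()` are illustrative names, and the timestamps in the CLI section are constructed.

```php
<?php
// Added example. IDLE_LIMIT, session_is_idle() and enforce_idle_timeout()
// are illustrative names (assumptions), not Drupal or PHP APIs.
const IDLE_LIMIT = 600; // allowed inactivity in seconds (10 minutes)

// Pure decision, kept separate so it can be checked without a live session.
function session_is_idle(array $session, int $now, int $limit): bool
{
    if (!isset($session['LAST_ACTIVITY'])) {
        return false;               // fresh session, nothing tracked yet
    }
    $last = $session['LAST_ACTIVITY'];
    if (!is_int($last) || $last > $now) {
        return true;                // malformed or future timestamp: fail closed
    }
    return ($now - $last) > $limit;
}

// Call once per request, before any output.
// Returns false if the session was ended; the caller then sends the user to login.
function enforce_idle_timeout(int $limit = IDLE_LIMIT): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (session_is_idle($_SESSION, time(), $limit)) {
        $_SESSION = [];             // drop the data for this request
        if (ini_get('session.use_cookies')) {
            // Expire the session cookie with the same parameters it was set with.
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();          // remove the data from server-side storage
        return false;
    }
    $_SESSION['LAST_ACTIVITY'] = time(); // sliding window: every request resets it
    return true;
}

// Constructed sample values, run from the command line only.
if (PHP_SAPI === 'cli') {
    $now = 1700000000;
    var_dump(session_is_idle([], $now, IDLE_LIMIT));
    var_dump(session_is_idle(['LAST_ACTIVITY' => $now - 599], $now, IDLE_LIMIT));
    var_dump(session_is_idle(['LAST_ACTIVITY' => $now - 601], $now, IDLE_LIMIT));
    var_dump(session_is_idle(['LAST_ACTIVITY' => $now + 60], $now, IDLE_LIMIT));
}
```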

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow