
How to Set Session Timeout in PHP: Simple Guide

To set a session timeout in PHP, use ini_set('session.gc_maxlifetime', seconds) to define how long session data is kept on the server, and add a custom timeout check based on a session variable. Together these control when the session expires and force a logout after inactivity.

Syntax

To set a session timeout in PHP, you mainly use the ini_set function to adjust session.gc_maxlifetime, which defines the lifetime of session data in seconds. Additionally, you can track the time of the user's last activity in a session variable to enforce the timeout.

  • ini_set('session.gc_maxlifetime', seconds): Sets how long session data is kept on the server.
  • session_start(): Starts the session or resumes the current one.
  • $_SESSION['last_activity']: Custom variable to store last user activity timestamp.
php
<?php
// Set session max lifetime to 1800 seconds (30 minutes)
ini_set('session.gc_maxlifetime', 1800);
session_start();

// Check if last activity is set
if (isset($_SESSION['last_activity'])) {
    // Calculate inactive time
    $inactive = time() - $_SESSION['last_activity'];
    if ($inactive > 1800) { // 1800 seconds = 30 minutes
        session_unset();     // Unset session variables
        session_destroy();   // Destroy session
        echo "Session expired due to inactivity.";
        exit;
    }
}

// Update last activity time
$_SESSION['last_activity'] = time();
?>

Example

This example shows how to set a 5-minute session timeout. It starts a session, checks if the user has been inactive for more than 5 minutes, and destroys the session if so. Otherwise, it updates the last activity time.

php
<?php
// Set session timeout to 5 minutes (300 seconds)
ini_set('session.gc_maxlifetime', 300);
session_start();

if (isset($_SESSION['last_activity'])) {
    $inactive = time() - $_SESSION['last_activity'];
    if ($inactive > 300) {
        session_unset();
        session_destroy();
        echo "Session expired due to inactivity.";
        exit;
    }
}

$_SESSION['last_activity'] = time();
echo "Session is active.";
?>
Output
Session is active.

Common Pitfalls

Common mistakes when setting session timeout include:

  • Not calling session_start() before accessing session variables.
  • Relying only on session.gc_maxlifetime without tracking user activity. Session data is removed only when garbage collection runs, so sessions may not expire immediately.
  • Forgetting to update the last activity timestamp on each request, causing premature session expiration.
  • Not configuring the server's garbage collection probability settings (session.gc_probability and session.gc_divisor), which affect session cleanup.
php
<?php
// Wrong: not starting the session before using $_SESSION
// $_SESSION['last_activity'] = time(); // No session is active, so this value is never saved

// Right way:
session_start();
$_SESSION['last_activity'] = time();
?>
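
The pitfalls above handled in one place, as an added example that is not code from the original page: the idle check is enforced in application code instead of being left to garbage collection, the GC settings are set explicitly, and the session cookie is expired because session_destroy() does not remove it. The names IDLE_LIMIT, idle_expired() and enforce_idle_timeout(), and the 401 response, are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

const IDLE_LIMIT = 1800; // allowed inactivity in seconds (assumed: 30 minutes)

// Pure check (hypothetical helper): is the stored timestamp older than the limit?
function idle_expired(array $session, int $now, int $limit): bool
{
    $last = $session['last_activity'] ?? null;
    return is_int($last) && ($now - $last) > $limit;
}

// Hypothetical helper: returns false when the session was expired and torn down.
function enforce_idle_timeout(int $limit = IDLE_LIMIT): bool
{
    // Lifetime and garbage-collection odds must be set before session_start().
    ini_set('session.gc_maxlifetime', (string) $limit);
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '100'); // GC runs on about 1 in 100 session starts
    session_start();

    if (idle_expired($_SESSION, time(), $limit)) {
        $_SESSION = [];
        // session_destroy() deletes the server-side data but leaves the cookie
        // in the browser, so expire the cookie explicitly.
        if (ini_get('session.use_cookies')) {
            $p = session_get_cookie_params();
            setcookie(session_name(), '', time() - 42000,
                $p['path'], $p['domain'], $p['secure'], $p['httponly']);
        }
        session_destroy();
        return false;
    }

    $_SESSION['last_activity'] = time(); // refresh on every request
    return true;
}

if (!enforce_idle_timeout()) {
    http_response_code(401); // assumed response; a redirect to login also works
    exit('Session expired due to inactivity.');
}
echo 'Session is active.';
```

Call enforce_idle_timeout() before any output is sent, since both session_start() and setcookie() need to write response headers.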

Quick Reference

Summary tips for setting session timeout in PHP:

  • Use ini_set('session.gc_maxlifetime', seconds) to set session lifetime.
  • Always call session_start() before working with sessions.
  • Track user inactivity with a session variable like $_SESSION['last_activity'].
  • Destroy the session after a timeout with session_unset() and session_destroy().
  • Adjust garbage collection settings if sessions do not expire as expected.

Key Takeaways

Set session timeout by configuring 'session.gc_maxlifetime' with ini_set before session_start.
Track user inactivity using a session variable to enforce timeout accurately.
Always call session_start() before accessing or modifying session data.
Destroy sessions after timeout using session_unset() and session_destroy() to free resources.
Adjust PHP's garbage collection settings if session expiration does not behave as expected.