After 30 minutes the user should get logged out, but it seems the cache is keeping the user online for a couple of pages/clicks...
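// Idle timeout: end the session when the last request is more than
// 30 minutes (1800 s) old. Assumes session_start() has already been called
// earlier in the request - TODO confirm against the including script.
if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // Order matters: session_unset() only clears $_SESSION while the session
    // is still active. Calling it after session_destroy() leaves the old data
    // (including whatever marks the user as logged in) in $_SESSION for the
    // rest of this request, so the page still renders as authenticated.
    session_unset();
    session_destroy();
    $_SESSION = [];

    // Expire the session cookie as well, so the browser stops presenting the
    // stale session ID on the following requests.
    if (ini_get('session.use_cookies')) {
        $cookieParams = session_get_cookie_params();
        setcookie(
            session_name(),
            '',
            time() - 42000,
            $cookieParams['path'],
            $cookieParams['domain'],
            $cookieParams['secure'],
            $cookieParams['httponly']
        );
    }
}

// After a timeout the session is closed, so the writes below only touch the
// in-request array and are not persisted; on a live session they refresh the
// idle timer as before.
$_SESSION['LAST_ACTIVITY'] = time();

// Regenerates the session ID periodically to limit the lifetime of any one
// ID (session fixation / stolen-ID exposure). After a timeout 'CREATED' has
// been cleared, so the first branch runs and session_regenerate_id() is not
// called on a destroyed session.
if (!isset($_SESSION['CREATED'])) {
    $_SESSION['CREATED'] = time();
} elseif (time() - $_SESSION['CREATED'] > 1800) {
    // true = delete the old session data so the previous ID cannot be reused.
    session_regenerate_id(true);
    $_SESSION['CREATED'] = time();
}

// Anti-caching headers for authenticated pages. "no-cache" alone still lets
// a browser or proxy store the response; "no-store" and "private" tell them
// not to keep a copy that could be shown again after logout.
// header() only works if nothing has been output yet, so this block must run
// before any body output (including warnings printed by display_errors).
$ts = gmdate("D, d M Y H:i:s") . " GMT";
header("Expires: $ts");
header("Last-Modified: $ts");
header("Pragma: no-cache");
header("Cache-Control: no-store, no-cache, must-revalidate, max-age=0, private");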