
This is my LOGIN.php:

<?php
require_once 'include/DB_Functions.php';
$db = new DB_Functions();

// json response array
$response = array("error" => FALSE);

// send the JSON content type for every branch, not only on success
header('Content-type: application/json');

if (isset($_POST['email']) && isset($_POST['password'])) {

    // receiving the post params
    $email = $_POST['email'];
    $password = $_POST['password'];

    // get the user by email and password
    $user = $db->getUserByEmailAndPassword($email, $password);

    if ($user != false) {
        // user is found: return the profile fields

        $response["error"] = FALSE;
        $response["uid"] = $user["unique_id"];
        $response["user"]["name"] = $user["name"];
        $response["user"]["cognome"] = $user["cognome"];
        $response["user"]["email"] = $user["email"];
        $response["user"]["email2"] = $user["email2"];
        $response["user"]["numero_appartamento"] = $user["numero_appartamento"];
        $response["user"]["nome_edificio"] = $user["nome_edificio"];
        $response["user"]["zona_metropolitana"] = $user["zona_metropolitana"];
        $response["user"]["created_at"] = $user["created_at"];
        $response["user"]["updated_at"] = $user["updated_at"];

        echo json_encode($response);
    } else {
        // user is not found with the credentials
        $response["error"] = TRUE;
        $response["error_msg"] = "Login credentials are wrong. Please try again!";
        echo json_encode($response);
    }
} else {
    // required post params are missing
    $response["error"] = TRUE;
    $response["error_msg"] = "Required parameters email or password is missing!";
    echo json_encode($response);
}

How can I insert a timeout of 30 minutes?

Thanks in advance, everybody!


1 Answer


If you're relying on server-side sessions to keep the user logged in, simply set your session TTL to 30 minutes to ensure that the user remains logged in for no longer than 30 minutes of inactivity. This can be achieved using the session.gc_maxlifetime directive, like ini_set('session.gc_maxlifetime', 1800), but make sure you set session.cookie_lifetime to a value equal to or higher than session.gc_maxlifetime, and also make sure you read the manual carefully about some gotchas when changing session.gc_maxlifetime values for multiple sessions in the same path.

A few more important notes about your code

I notice you're looking up the user-supplied password in your database directly, which indicates that you are storing plain-text passwords. You really must hash user passwords before storing them in your database, using something like password_hash. This is very important when storing user passwords.

Sherif
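The following is an added example, not code from the question or the answer above, that puts both points of the answer together: a 30-minute inactivity timeout and hashed password storage. One caveat worth making explicit: session.gc_maxlifetime only tells PHP when an idle session file *may* be garbage-collected (collection runs probabilistically, per session.gc_probability/session.gc_divisor), so on its own it does not guarantee a logout after 30 minutes. The reliable enforcement is a last-activity timestamp stored in the session and checked on every request, which is what sessionIsActive() below does. The example assumes a hypothetical DB_Functions::getUserByEmail() that returns the user row (or false) including a password_hash column written by password_hash() at registration time; the original getUserByEmailAndPassword() is not used because a password should never be sent to the database as a lookup key.

```php
<?php
// Added example (not from the original question or answer). Assumes a
// hypothetical DB_Functions::getUserByEmail() returning the row, or false,
// with a `password_hash` column produced by password_hash() at registration.
declare(strict_types=1);

const SESSION_IDLE_TIMEOUT = 1800; // 30 minutes of inactivity, in seconds

function startSecureSession(): void
{
    // gc_maxlifetime only governs when PHP may garbage-collect idle sessions;
    // the explicit last-activity check in sessionIsActive() enforces the limit.
    ini_set('session.gc_maxlifetime', (string) SESSION_IDLE_TIMEOUT);
    ini_set('session.use_strict_mode', '1'); // reject unknown session ids
    session_set_cookie_params([
        'lifetime' => 0,      // cookie lives until the browser closes; the
                              // server-side check, not the cookie, expires it
        'path'     => '/',
        'secure'   => true,   // only sent over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// True when a logged-in session is still within the idle window. An expired
// session is destroyed so its id cannot be reused.
function sessionIsActive(): bool
{
    $now = time();
    if (isset($_SESSION['last_activity'])
        && ($now - $_SESSION['last_activity']) > SESSION_IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['last_activity'] = $now; // sliding window: refreshed on every hit
    return isset($_SESSION['uid']);
}

function jsonResponse(array $payload): void
{
    header('Content-Type: application/json');
    echo json_encode($payload);
}

startSecureSession();

require_once 'include/DB_Functions.php';
$db = new DB_Functions();

if (!isset($_POST['email'], $_POST['password'])) {
    jsonResponse(['error' => true,
                  'error_msg' => 'Required parameters email or password is missing!']);
    exit;
}

// Hypothetical lookup by email only; the password never reaches the query.
$user = $db->getUserByEmail($_POST['email']);

// password_verify() checks the submitted password against the stored hash,
// so no plain-text password is ever stored or compared by the database.
if ($user === false || !password_verify($_POST['password'], $user['password_hash'])) {
    jsonResponse(['error' => true,
                  'error_msg' => 'Login credentials are wrong. Please try again!']);
    exit;
}

// New session id on login prevents session fixation.
session_regenerate_id(true);
$_SESSION['uid'] = $user['unique_id'];
$_SESSION['last_activity'] = time();

jsonResponse(['error' => false, 'uid' => $user['unique_id']]);
```

At registration the stored value is password_hash($password, PASSWORD_DEFAULT), never the password itself. Every protected endpoint then calls startSecureSession() followed by sessionIsActive(), and answers with HTTP 401 when that returns false; because last_activity is refreshed on each successful check, the user is logged out only after 30 minutes without any request, which is the behaviour the question asks for.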