I have searched extensively, and although I have found many questions regarding managing PHP sessions expiration times, I have found none dealing with my proposed method. I have working code, but wanted to pass it by this community to see if there are any unforeseen issues or potential exploitations. Thanks in advance for your feedback.
Essentially, once the shopping cart session is set, the page would begin to refresh every 10 minutes of inactivity. Once the total elapsed time (since session was set) exceeds 30 minutes, the user would be redirected to a page that destroys all sessions.
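// Assumes session_start() has already been called.
if (isset($_SESSION["shopping_cart"])) {
    // Record when the cart session began.
    if (!isset($_SESSION['timer'])) {
        $_SESSION['timer'] = time();
    }
    $now = time();
    $elapsed = $now - $_SESSION['timer'];
    // Redirect first: header() must be sent before any output.
    if ($elapsed > 1800) {
        header('Location: session_reset.php');
        exit();
    }
    // Reload the page after 10 minutes of inactivity.
    echo '<meta http-equiv="refresh" content="600" />';
}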
I don't see a problem with your code: it checks every 10 minutes to see if the session time has exceeded 30 minutes and, if it has, redirects to kill the session.
Not sure why you would want to do this, though. Perhaps store the user's basket in a cookie or local storage, then kill the session and leave a notice: "Hey user, sorry, your session timed out, but never fear, we have saved your basket here ...."
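An added example, not part of the question or the answer above: the same 30-minute limit enforced on the server at the moment it is detected, so expiry does not depend on the browser honouring the meta refresh or following the redirect to a reset page. The helpers `cart_expired()` and `end_session()` and the page `session_expired.php` are hypothetical names; the 600 and 1800 second values are the ones from the question.

```php
<?php
const CART_MAX_AGE = 1800; // 30 minutes, as in the question
const CART_REFRESH = 600;  // 10 minutes, as in the question

/** True when the cart session started more than $maxAge seconds before $now. */
function cart_expired(array $session, int $now, int $maxAge = CART_MAX_AGE): bool
{
    if (!isset($session['shopping_cart'], $session['timer'])) {
        return false; // no cart yet, nothing to expire
    }
    return ($now - (int) $session['timer']) > $maxAge;
}

/** Clear the session data, expire the session cookie, and delete the server-side record. */
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// This part runs at the top of every page, before any HTML is sent.
session_start();
$now = time();

if (isset($_SESSION['shopping_cart']) && !isset($_SESSION['timer'])) {
    $_SESSION['timer'] = $now; // start of the 30-minute window
}

if (cart_expired($_SESSION, $now)) {
    // Destroy the session here rather than on the redirect target, so it is
    // gone even if the client never requests the next page.
    end_session();
    header('Location: session_expired.php'); // hypothetical notice page
    exit();
}

$refreshSeconds = null;
if (isset($_SESSION['shopping_cart'])) {
    // Refresh no later than the moment the window closes.
    $remaining = CART_MAX_AGE - ($now - (int) $_SESSION['timer']);
    $refreshSeconds = min(CART_REFRESH, $remaining + 1);
}
// Later, inside <head>: if ($refreshSeconds !== null) echo the meta refresh tag with $refreshSeconds.
```

The meta refresh only improves the user's experience here; the decision to expire is made by the server on each request, and the session data is removed whether or not the browser cooperates.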