Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

yougotnet's avatar

Session Timeout vs Login Timeout

I'm having issue where the Session variables have timed out but the user is still logged in.

What is the best approach for solving this to ensure the Session variables are always available as log as they are logged in?

0 likes
9 replies
sr57's avatar

still logged in

... but is sleeping :-)

  • increase the session TO
  • popup / sound to alert / wake up the user

PS : Login TO?

jlrdw's avatar

The user should be redirected to the login page if the session is timed out, that is once they attempt to do something would be the normal behavior.

yougotnet's avatar

If I set a session variable when they login, is there any way, except manually, that variable could disappear and still be logged in?

sr57's avatar

still be logged in?

-1- How do you check this ?

-2- Check this and your session variable in the same time and you should conclude ...

jlrdw's avatar

In your .env or config\session.php increase the session lifetime if needed, default is 120 minutes.

But really people should log out.

yougotnet's avatar

The session timeout is at the default of 120 minutes; but after 120 minutes the user will clicks an option and the routing doesn't send them to the login page but to the requested page, this is where the session variable doesn't exists. The session variable is a custom variable; the system thinks the user is still active but the session variables are gone.

Very confusing. I alway thought they were one in the same.

jlrdw's avatar

They are the same, they're being sent to a stagnant page for example if they try to do something that requires Authentication then they will be redirected to login page.

Snapey's avatar

session duration IS what controls the user's log in state. They cannot be logged in and not have a valid session, although they could be on a page that looks like they are logged in but they are not doing anything with it.

If the user clicks on a link and is directed to the page then you are not correctly protecting the route.

Snapey's avatar

Just a thought.

If the user has Remember Me checked when they click on the protected route they will be logged in automatically behind the scenes and sent to the requested page.

If you are setting the session variable as part of the login process then you need to consider the remember-me scenario. In this case you should set the session on Login event not the controller.

Please or to participate in this conversation.