Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.
User shoud be auto loggedout if no activity in 10 minute. this is not for all users ,this is only for specific role users , how can i do this?.
Thanks in advance.
Yeah you can do that. If you set the session engine for authentication to database you get a user_id as well in your database for that session. With that you can then delete that session from the database. On the next request of the user it will be logged out, because the session is gone.
This might help as well: https://laravel.com/docs/5.7/authentication#logging-out
As Bobby says, but expect some complaints. The user will not be aware that their session has been killed until they try to post the form they have been working on and get an error page.
So has anybody found a good solution for an inactivity logout that redirects back to the login page (or similar) so the user can tell that they're no longer logged in? The only (totally untested) idea I can come up with is to have a javascript timer that does an Ajax call to a route that logs the user out and then loads the desired logged out page.
I have no idea if this will work but before I head down that path I thought I'd check if there were any better ideas floating around.
@LORENLANG - I don't think there's a straightforward way to do this at the moment.
@lorenlang Bear in mind that if you have two tabs open, you might be logged out whilst happily working in one tab and ignoring the other.
<meta http-equiv="refresh" content="900;url=logout.php" />
then what is
'lifetime' => 600,
in session.php file?
@amirhazz How would that achieve what the OP is wanting, which is based on the users role?
Having javascript timers or meta refreshes won't work well when 2 tabs are open.
Is the user "inactive" if it is not hitting the server in 10 minutes? What about storing the current timestamp in the session of the user. On each page request you check if the last saved timestamp was more than 10 minutes ago. If so: logout user and redirect. If not: update the timestamp.
You could easily do this with a middleware and a check on the role of the user.
@click Web sockets would likely solve the multiple-tabs problem.
It's true that multiple tabs that share the session will always prove to be a problem. But if you don't care about that, I've got a basic version of this working. (Note: This is adapted from https://arjunphp.com/detect-user-is-active-or-idle-on-web-page-using-jquery so credit where credit is due.) Put this code into a javascript file by itself:
// autologout.js
$(document).ready(function () {
const timeout = 900000; // 900000 ms = 15 minutes
var idleTimer = null;
$('*').bind('mousemove click mouseup mousedown keydown keypress keyup submit change mouseenter scroll resize dblclick', function () {
clearTimeout(idleTimer);
idleTimer = setTimeout(function () {
document.getElementById('logout-form').submit();
}, timeout);
});
$("body").trigger("mousemove");
});
Change the timeout value to whatever you want. Then in your view you can choose to include it or not based on your user auth status or roles.
This treats any interaction with the page -- even just moving the mouse -- as proof that the user is still there, which for my use case is really the point. It does time out if the user is on a different tab than this one.
It's just a full logout at the moment but I likely add in a flash message that tells them they've been logged out due to inactivity and maybe display a modal countdown prior to actually logging them out.
@siangboon - A meta refresh won't work because you have to actually POST submit the "#logout-form" form element so it passes the CSRF protection. Otherwise, you get an error.
@yusuf128 - Don't know if that will work for you but I thought I'd throw it out there.
Please or to participate in this conversation.