PHP Sessions - setcookie

mplement a session timeout of your own.
 Both options mentioned by others session.gc_maxlifetime
 and session.cookie_lifetime are not reliable.

session.gc_maxlifetime
session.gc_maxlifetime specifies the number
of seconds after which data will be seen as
 'garbage' and cleaned up. Garbage collection
 occurs during session start.

But the garbage collector is only started with
a probability of session.gc_probability divided
 by session.gc_divisor. And using the default
values for those options 1 and 100 respectively,
the chance is only at 1%.

Well, you could simply adjust these values
 so that the garbage collector is started
more often. But when the garbage collector
is started, it will check the validity for
every registered session. And that is cost-intensive.

Furthermore, when using PHP's default
session.save_handler files, the session data
 is stored in files in a path specified in
session.save_path. With that session handler,
 the age of the session data is calculated on
 the file's last modification date and not the
last access date

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY'] > 1800)) {
    // last request was more than 30 minutes ago
    session_unset();     // unset $_SESSION variable for the run-time 
    session_destroy();   // destroy session data in storage
}
$_SESSION['LAST_ACTIVITY'] = time(); // update last activity time stamp
 
Updating the session data with every request also 
changes the session file's modification date so that the session
 is not removed by the garbage collector prematurely.