How to Expire a PHP Session After 30 Minutes

By the end of this page, you will understand how PHP sessions work, how to implement a 30-minute inactivity timeout, how to destroy expired sessions safely, and how this pattern is used in real applications.

PHP sessions let a server remember information about a user across multiple requests. For example, after a user logs in, you can store their user ID in $_SESSION so they stay authenticated while browsing.

A common requirement is to expire a session after a period of inactivity, such as 30 minutes. This is important for:

• Security: prevents abandoned accounts from staying logged in
• Privacy: protects users on shared devices
• Control: lets the application define its own timeout rules

A key detail is that PHP does not automatically mean "30 minutes of inactivity" just because a session exists. There are two related but different ideas:

• Session cookie lifetime: how long the browser keeps the session cookie
• Application timeout logic: how your code decides whether a user has been inactive too long

For most login systems, the best approach is to store the user's last activity time in $_SESSION, then on each request:

1. Start the session
2. Check the time since the last activity
3. If more than 30 minutes have passed, destroy the session
4. Otherwise, update the activity timestamp

This gives you reliable control over session expiration in your application.

Think of a PHP session like a visitor badge at an office.

• The badge identifies the visitor
• The office security desk keeps a record of when the visitor was last active
• If the visitor has been inactive for too long, the badge is invalidated

In PHP:

• The badge is the session ID stored in the browser cookie
• The security record is the data in $_SESSION
• The inactivity rule is your timeout check using a timestamp

So instead of hoping the badge disappears on its own, your application actively checks whether the badge should still be valid.

The usual pattern is:

<?php
session_start();

$timeoutDuration = 1800; // 30 minutes = 1800 seconds

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > $timeoutDuration) {
    session_unset();
    session_destroy();
}

$_SESSION['LAST_ACTIVITY'] = time();

What this does

• session_start() loads the current session
• $_SESSION['LAST_ACTIVITY'] stores the timestamp of the user's last request
• time() returns the current Unix timestamp in seconds
• If the difference is greater than 1800, the session is cleared and destroyed
• If not expired, the last activity time is updated

A more complete example

<?php
session_start();

$timeoutDuration = ;

 (([])) {
     = () - [];

     ( > ) {
        ();
        ();
        ();
        ;
    }
}

[] = ();

Consider this code:

<?php
session_start();

$timeoutDuration = 1800;

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > $timeoutDuration) {
    session_unset();
    session_destroy();
    exit('Session expired');
}

$_SESSION['LAST_ACTIVITY'] = time();

echo 'Session is active';

Example walkthrough

Assume:

• $_SESSION['LAST_ACTIVITY'] = 1000
• current time() is 2500

Now step through it:

1. session_start() opens the existing session
2. $timeoutDuration is set to 1800
3. PHP checks whether $_SESSION['LAST_ACTIVITY'] exists

This pattern is used in many real applications:

• Admin dashboards: log out admins after inactivity for better security
• Banking or billing apps: expire sessions quickly to reduce risk
• School or library computers: prevent the next user from accessing someone else's account
• Internal company tools: enforce inactivity timeouts for compliance rules
• Customer portals: protect personal data when users leave a tab open

Example scenarios

• A user logs into a CMS and walks away from their laptop
• An employee accesses payroll information from a shared machine
• A support agent leaves an authenticated dashboard open during a break

In each case, inactivity timeout helps protect the account even if the browser stays open.

In real PHP projects, session expiration is usually handled in a shared file that runs on every protected page.

Common pattern: authentication guard

<?php
session_start();

$timeoutDuration = 1800;

if (!isset($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > $timeoutDuration) {
    session_unset();
    session_destroy();
    header('Location: login.php?expired=1');
    exit;
}

$_SESSION['LAST_ACTIVITY'] = time();

This is often placed in a file such as auth.php and included at the top of protected pages.

Patterns developers commonly use

• Guard clauses: immediately redirect if the user is not logged in
• Early return or exit: stop processing as soon as the session is invalid

1. Confusing cookie lifetime with inactivity timeout

Setting a cookie lifetime does not always mean the user is logged out after 30 minutes of inactivity.

Broken idea:

<?php
session_set_cookie_params(1800);
session_start();

Why this is not enough:

• It affects the browser cookie lifetime
• It does not by itself check user inactivity in your app logic
• A session may still exist on the server until garbage collection removes it

2. Forgetting to call session_start()

Broken code:

<?php
if (isset($_SESSION['LAST_ACTIVITY'])) {
    // ...
}

Fix:

<?php
session_start();

You must start the session before reading or writing $_SESSION.

3. Updating the activity time before checking expiration

Broken code:

Inactivity timeout vs absolute timeout

session_start();

$timeoutDuration = 1800; // 30 minutes

if (isset($_SESSION['LAST_ACTIVITY']) && (time() - $_SESSION['LAST_ACTIVITY']) > $timeoutDuration) {
    session_unset();
    session_destroy();
    header('Location: login.php?expired=1');
    exit;
}

$_SESSION['LAST_ACTIVITY'] = time();

Quick rules

• Call session_start() before using $_SESSION
• Store last activity with $_SESSION['LAST_ACTIVITY'] = time()
• Check inactivity before updating the timestamp
• Use 1800 seconds for 30 minutes
• After destroying the session, exit or redirect immediately
• Put this logic on every protected page or in a shared auth file

Useful functions

• session_start() — starts or resumes a session

How do I automatically log out a PHP user after 30 minutes?

Store the last activity time in $_SESSION, compare it to time() on each request, and destroy the session if the difference is greater than 1800 seconds.

Is session.gc_maxlifetime enough to expire a PHP session?

No. It affects how long session data may remain on the server, but it is not a reliable way to enforce a precise inactivity timeout for each user.

Should I use session_unset() and session_destroy() together?

Yes, that is a common and safe pattern. session_unset() clears session variables, and session_destroy() removes the session data.

What is 30 minutes in PHP session timeout code?

Use 1800 seconds, because 30 × 60 = 1800.

Where should I put PHP session timeout logic?

Usually in a shared file included at the top of all protected pages, such as auth.php or bootstrap.php.

Does user activity in another browser tab keep the session alive?

Yes. If another tab makes a request to the server before the timeout, your LAST_ACTIVITY value will be updated and the session stays active.

• PHP sessions — the main feature used to store user data across requests
• Cookies — sessions usually depend on a session ID stored in a browser cookie
• Authentication — session timeout is commonly part of login systems
• Logout flow — expiring a session is closely related to manual logout logic
• Session fixation protection — regenerating session IDs improves session security
• Guard clauses — timeout checks are often written as early-exit guards
• HTTP redirects — expired users are usually redirected to a login page
• Server-side state — sessions are a common way to keep state on the server