When receiving an access_token from VK, the following array comes back:

 Array ( [access_token] => [expires_in] => 86398 [user_id] => [email] => ) 

The documentation itself states the following:

As a result of this request, your server will receive a newly created access_token. Together with the access_token, the expires_in key lifetime in seconds is returned to the server.

Based on this, I dare to suggest that expires_in is the lifetime of the session. However, the session is now destroyed when the browser session ends.

At the end of a browser session

How do I set the session lifetime to the resulting value of expires_in, so that the session is destroyed after that period of time and the user has to log in again?

UPD

It was explained in the comments that I had understood this a little incorrectly. However, the essence does not change. Even if expires_in is the lifetime of the token, once this time expires the user will remain logged in, but he will still not be able to make requests to the API. Therefore, the session needs to be destroyed after this time.

  • expires_in is NOT a session lifetime. This is the token lifetime. And the session should be managed by you. - Alexey Shimansky
  • Alexey, thanks for explaining, updating the question. - Rodion Polyakov
  • If you just want to destroy the session and not to renew the access_token , then you need to look in the direction of cookie_lifetime - indicates the lifetime of cookies sent to the client’s browser, in seconds. A value of 0 means that cookies will be valid until the browser is closed. php.net/manual/ru/ ... ..... if you look at the example here: php.net/manual/ru/function.session-start.php, you can write session_start([ 'cookie_lifetime' => 86400, ]); for the test, you can make a new page and write code to check: - Alexey Shimansky
  • $lifeTime = 10; session_start([ 'cookie_lifetime' => $lifeTime, ]); if (!isset($_SESSION['expired'])) { $_SESSION['expired'] = time(); echo "Добро пожаловать на наш сайт!"; } else { echo "Вы впервые пришли на наш сайт ".(time()-$_SESSION['expired'])." секунд назад"; } ........ but in general, if you can just re-request the token after the time expires .... and by the way, if you specify offline in the scope authorization, then an eternal token is issued .... well, this is so, just in case - Alexey Shimansky

1 answer

Do not store this data in a PHP session. You can use any storage that supports setting an expiry (Redis and others like it). It can be stored in cookies with the same lifetime, but it will have to be encrypted if there is something secret in the data. Yes, even an ordinary relational database can be used. Just check on the next request whether it is still valid. And do not destroy anything. Just get a new token when the old one is no longer valid.
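
An added example (not code from the thread) of the approach in the answer: the token is kept with an absolute expiry computed from expires_in and checked on every request, so expiry is enforced on the server rather than by the lifetime of the browser cookie. The function names, the $store array (standing in for Redis, a database row or $_SESSION) and the 30-second margin are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. $store stands in for Redis, a database row or $_SESSION;
// function names and the skew margin are hypothetical.
const CLOCK_SKEW = 30; // seconds; treat the token as expired slightly early

/** Turn the relative expires_in into an absolute deadline and save it. */
function saveToken(array &$store, array $vkResponse, int $now): void
{
    if (empty($vkResponse['access_token']) || !isset($vkResponse['expires_in'])) {
        throw new InvalidArgumentException('incomplete token response');
    }
    $store['vk'] = [
        'access_token' => $vkResponse['access_token'],
        'user_id'      => $vkResponse['user_id'] ?? null,
        'expires_at'   => $now + (int) $vkResponse['expires_in'],
    ];
}

/** Return the token while it is valid; null means a new one must be requested. */
function currentToken(array &$store, int $now): ?string
{
    $entry = $store['vk'] ?? null;
    if ($entry === null) {
        return null;
    }
    if ($now >= $entry['expires_at'] - CLOCK_SKEW) {
        // Enforced on the server, whatever lifetime the browser cookie has.
        unset($store['vk']);
        return null;
    }
    return $entry['access_token'];
}

// Constructed response with the same keys as the array in the question.
$store = [];
$issuedAt = 1700000000;
saveToken($store, [
    'access_token' => 'SAMPLE_TOKEN',
    'expires_in'   => 86398,
    'user_id'      => 1,
    'email'        => 'user@example.com',
], $issuedAt);

var_dump(currentToken($store, $issuedAt + 3600));  // one hour after issue
var_dump(currentToken($store, $issuedAt + 86398)); // at the deadline
```

In a real request handler, pass time() as $now; a null result is the point at which the application requests a new token or sends the user back through login.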