RE: [PHP] How to handle so called expired sessions??
> I've just been getting myself deep into using sessions.
> Sessions are working as they should except for one condition.
> Say I log into the site, and the session is started, and I don't do
> anything for the next 30 mins, then go back to the site.
> I'm temporarily logged out, but because the session cookie is still good,
> the next page load logs me back in.
> How do the people who use sessions handle this type of scenario??

Whether you're logged back in or not is dependent on your program. Once you are gone for over X minutes, your session file is deleted. So, even though the cookie is still good, the session will not have any data. What's usually done is to check for a certain session value, like $_SESSION['logged_in'] and if it's present, then continue, otherwise force the user to log back in again.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP] How to handle so called expired sessions??
I was the original poster to this topic. Quite surprised it continued..

I have my sessions stored in a database, thus I thought the problem was there, but have come to realise, that is how sessions behave naturally. I originally thought, that the expired session garbage collection dumps stale sessions, if the user is away after the default 24 minutes. But in my case, it does, but since the user still has a valid session cookie containing valid data, the session is brought back from the dead even if hours have passed, and the browser hasn't closed. Not desirable for me.

As Tom pointed out to me, (which I haven't gotten around to do as yet) in not so many words -

1. When the user logs in assign a session variable to let's say time() + 600 (10 mins in the future).
2. Each page load, refresh the session variable in step 1 *if* the session variable references a future timestamp.
3. If on a page load, the session variable references a past (older than time() - 600) timestamp, core dump the session data - $_SESSION = array(); to /dev/null, hell, whatever makes you happy...

Although I haven't gotten around to using these steps, it seems like it would work for what I'm trying to achieve.

John W. Holmes wrote:

> > No question :)
> > It's just that this is what the original question was about and why I
> > suggested doing his own session timeout check as the deleting process is
> > too unreliable to depend on for timeout handling. PHP will quite happily
> > return stale data which could be bad in a login type of situation.
>
> Okay. I think I thought you were the original poster. How do you know
> it's returning stale data, though? If the cookie is valid, and there is
> still a session file (or data in memory), then why is it stale or
> expired. Maybe I'm just missing something here. If it's expired because
> you think it's too old, then you track your own timestamps and do your
> own cleanup. Is that what you're saying?
>
> ---John Holmes...

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/
Re: [PHP] How to handle so called expired sessions??
Hi,

Tuesday, December 3, 2002, 1:57:21 PM, you wrote:

GS Ive just been getting myself deep into using sessions.
GS Sessions are working as it should except for one condition.
GS Say I log into the site, and the session is started, and I don't do
GS anything for the next 30 mins, then go back to the site.
GS Im temporarily logged out, but because the session cookie is still good,
GS the next page load logs me back in.
GS How do the people who use sessions handle this type of scenario??
GS Thanks for any insight you may provide...
GS --
GS Gerard Samuel
GS http://www.trini0.org:81/
GS http://dev.trini0.org:81/

Do your own session timing by storing a last access time in sessions and check the duration yourself; if it is over the timeout you want, delete the session data and start again. That way the cookie is ok but won't point to any old data.

--
regards,
Tom
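The timeout check discussed in this thread (the three steps in Gerard's message and Tom's last-access-time suggestion), written out as an added example that is not part of any poster's message. It assumes PHP 7 or later; the names `log_in`, `enforce_idle_timeout`, `expires_at` and the `/login.php` path are hypothetical, and a deadline at or before the current time is treated as expired.

```php
<?php
// Added example, not code from the thread. Names are illustrative.
const IDLE_TIMEOUT = 600; // seconds: the 10 minutes used in the thread

// Step 1: at login, store a deadline in the session.
function log_in(array &$session, string $user, int $now): void
{
    $session = [
        'logged_in'  => true,
        'user'       => $user,
        'expires_at' => $now + IDLE_TIMEOUT,
    ];
}

// Steps 2 and 3: run on every page load. Returns true while the login is
// live; otherwise wipes the session data and returns false.
function enforce_idle_timeout(array &$session, int $now): bool
{
    $expires = $session['expires_at'] ?? null;
    if (empty($session['logged_in']) || !is_int($expires) || $expires <= $now) {
        // Deadline missing, malformed or passed: the cookie may still be
        // valid, but it must no longer point at any login state.
        $session = [];
        return false;
    }
    $session['expires_at'] = $now + IDLE_TIMEOUT; // slide the window forward
    return true;
}

if (PHP_SAPI === 'cli') {
    // Constructed demo with fixed timestamps, so it runs without a web server.
    $s = [];
    log_in($s, 'gerard', 1000);
    var_dump(enforce_idle_timeout($s, 1300)); // active 300 s after login
    var_dump(enforce_idle_timeout($s, 1901)); // next hit 601 s later
    var_dump($s);                             // what is left of the session
} else {
    // Guard for pages that require a login.
    session_start();
    if (!enforce_idle_timeout($_SESSION, time())) {
        session_regenerate_id(true);    // new ID, old session record deleted
        header('Location: /login.php'); // hypothetical login page
        exit;
    }
}
```

Because the deadline is checked on every request, the result does not depend on whether session garbage collection has run.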
Re: [PHP] How to handle so called expired sessions??
I had something similar in mind. Thanks for your input...

Tom Rogers wrote:

> Hi,
>
> Tuesday, December 3, 2002, 1:57:21 PM, you wrote:
>
> GS Ive just been getting myself deep into using sessions.
> GS Sessions are working as it should except for one condition.
> GS Say I log into the site, and the session is started, and I don't do
> GS anything for the next 30 mins, then go back to the site.
> GS Im temporarily logged out, but because the session cookie is still good,
> GS the next page load logs me back in.
> GS How do the people who use sessions handle this type of scenario??
> GS Thanks for any insight you may provide...
> GS --
> GS Gerard Samuel
> GS http://www.trini0.org:81/
> GS http://dev.trini0.org:81/
>
> Do your own session timing by storing a last access time in sessions and
> check the duration yourself; if it is over the timeout you want, delete
> the session data and start again. That way the cookie is ok but won't
> point to any old data.

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/