RE: [PHP] How to handle so called expired sessions??
> I've just been getting myself deep into using sessions. Sessions are working as they should except for one condition. Say I log into the site, and the session is started, and I don't do anything for the next 30 mins, then go back to the site. I'm temporarily logged out, but because the session cookie is still good, the next page load logs me back in. How do the people who use sessions handle this type of scenario??

Whether you're logged back in or not is dependent on your program. Once you are gone for over X minutes, your session file is deleted. So, even though the cookie is still good, the session will not have any data. What's usually done is to check for a certain session value, like $_SESSION['logged_in'] and if it's present, then continue, otherwise force the user to log back in again.

---John Holmes...

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re[2]: [PHP] How to handle so called expired sessions??
Hi,

Wednesday, December 4, 2002, 4:01:07 AM, you wrote:

> Whether you're logged back in or not is dependent on your program. Once you are gone for over X minutes, your session file is deleted. So, even though the cookie is still good, the session will not have any data. What's usually done is to check for a certain session value, like $_SESSION['logged_in'] and if it's present, then continue, otherwise force the user to log back in again.
>
> ---John Holmes...

Not quite that simple, as the cleanup process may not have run and the data is still sitting there. I use msession, so I am not sure if the normal session stuff will return expired data after it expires and before it is deleted. msession does, so I hacked it to clean up if expired data is requested.

--
regards,
Tom
Re: Re[2]: [PHP] How to handle so called expired sessions??
I've noticed this as well with the things I've been doing for sessions. The way I understand it is that the server side session storing values is supposed to expire after a certain length of time. I currently have this at default so I think it should expire after 24 mins. The cleanup is done within php itself so nothing is cleaned up until php is called again. Is this correct? If so, I have sessions located within my /tmp directory that are over 3 weeks old and have been there ever since they were first created.

Ed

On Wed, 4 Dec 2002, Tom Rogers wrote:

> Not quite that simple, as the cleanup process may not have run and the data is still sitting there. I use msession, so I am not sure if the normal session stuff will return expired data after it expires and before it is deleted. msession does, so I hacked it to clean up if expired data is requested.
>
> --
> regards,
> Tom
Re: Re[2]: [PHP] How to handle so called expired sessions??
I have a similar problem, only my sessions expire once you leave the site, even for a second. I'm not so experienced with cookies so how can I fix this?

- Original Message -
From: Tom Rogers [EMAIL PROTECTED]
To: John W. Holmes [EMAIL PROTECTED]
Cc: 'Gerard Samuel' [EMAIL PROTECTED]; 'php-gen' [EMAIL PROTECTED]
Sent: Tuesday, December 03, 2002 9:52 PM
Subject: Re[2]: [PHP] How to handle so called expired sessions??

> Not quite that simple, as the cleanup process may not have run and the data is still sitting there. I use msession, so I am not sure if the normal session stuff will return expired data after it expires and before it is deleted. msession does, so I hacked it to clean up if expired data is requested.
>
> --
> regards,
> Tom
RE: Re[2]: [PHP] How to handle so called expired sessions??
> I've noticed this as well with the things I've been doing for sessions. The way I understand it is that the server side session storing values is supposed to expire after a certain length of time. I currently have this at default so I think it should expire after 24 mins. The cleanup is done within php itself so nothing is cleaned up until php is called again. Is this correct? If so, I have sessions located within my /tmp directory that are over 3 weeks old and have been there ever since they were first created.

The default way sessions are set up is that there is a one percent chance that the cleanup process will be triggered on each request. Maybe you've just never hit that 1%?

---John Holmes...
RE: Re[2]: [PHP] How to handle so called expired sessions??
> Not quite that simple, as the cleanup process may not have run and the data is still sitting there. I use msession, so I am not sure if the normal session stuff will return expired data after it expires and before it is deleted. msession does, so I hacked it to clean up if expired data is requested.

Okay, so what's your question? The cookie and data is still there, but it's expired? How? As far as I know it's not expired until it is deleted.

---John Holmes...
Re[4]: [PHP] How to handle so called expired sessions??
Hi,

Wednesday, December 4, 2002, 1:04:07 PM, you wrote:

> I have a similar problem, only my sessions expire once you leave the site, even for a second. I'm not so experienced with cookies so how can I fix this?

You will have to put phpinfo(32); at the top of your page and see what the browser is sending for session info. Sounds like it is not sending the session cookie.

Are you using Apache-style authentication? Netscape will not send a cookie and auth info together (at least that is what I have noticed when I tried that style of authenticating and eventually abandoned it :)

--
regards,
Tom
Re[4]: [PHP] How to handle so called expired sessions??
Hi,

Wednesday, December 4, 2002, 1:33:03 PM, you wrote:

No question :) It's just that this is what the original question was about and why I suggested doing his own session timeout check, as the deleting process is too unreliable to depend on for timeout handling. PHP will quite happily return stale data, which could be bad in a login type of situation.

> Okay, so what's your question? The cookie and data is still there, but it's expired? How? As far as I know it's not expired until it is deleted.
>
> ---John Holmes...

--
regards,
Tom
RE: Re[4]: [PHP] How to handle so called expired sessions??
> No question :) It's just that this is what the original question was about and why I suggested doing his own session timeout check, as the deleting process is too unreliable to depend on for timeout handling. PHP will quite happily return stale data, which could be bad in a login type of situation.

Okay. I think I thought you were the original poster. How do you know it's returning stale data, though? If the cookie is valid, and there is still a session file (or data in memory), then why is it stale or expired? Maybe I'm just missing something here. If it's expired because you think it's too old, then you track your own timestamps and do your own cleanup. Is that what you're saying?

---John Holmes...
Re[6]: [PHP] How to handle so called expired sessions??
Hi,

Wednesday, December 4, 2002, 1:59:11 PM, you wrote:

> Okay. I think I thought you were the original poster. How do you know it's returning stale data, though? If the cookie is valid, and there is still a session file (or data in memory), then why is it stale or expired? Maybe I'm just missing something here. If it's expired because you think it's too old, then you track your own timestamps and do your own cleanup. Is that what you're saying?

Yes, exactly. A common problem is someone logs in but doesn't log out and the session is open to everyone; session timeout is supposed to help prevent these cases or at least reduce the chance. But of course the main use of session timeout is to frustrate developers who take more than 40 mins to suss out the next bit of code.

--
regards,
Tom
Re: [PHP] How to handle so called expired sessions??
I was the original poster to this topic. Quite surprised it continued.. I have my sessions stored in a database, thus I thought the problem was there, but have come to realise that is how sessions behave naturally. I originally thought that the expired session garbage collection dumps stale sessions if the user is away after the default 24 minutes. But in my case, it does, but since the user still has a valid session cookie containing valid data, the session is brought back from the dead even if hours have passed, and the browser hasn't closed. Not desirable for me.

As Tom pointed out to me (which I haven't gotten around to doing as yet), in not so many words -

1. When the user logs in, assign a session variable to, let's say, time() + 600 (10 mins in the future).
2. Each page load, refresh the session variable in step 1 *if* the session variable references a future timestamp.
3. If on a page load, the session variable references a past (older than time() - 600) timestamp, core dump the session data - $_SESSION = array(); to /dev/null, hell, whatever makes you happy...

Although I haven't gotten around to using these steps, it seems like it would work for what I'm trying to achieve.

John W. Holmes wrote:

> Okay. I think I thought you were the original poster. How do you know it's returning stale data, though? If the cookie is valid, and there is still a session file (or data in memory), then why is it stale or expired? Maybe I'm just missing something here. If it's expired because you think it's too old, then you track your own timestamps and do your own cleanup. Is that what you're saying?
>
> ---John Holmes...

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/
[PHP] How to handle so called expired sessions??
I've just been getting myself deep into using sessions. Sessions are working as they should except for one condition. Say I log into the site, and the session is started, and I don't do anything for the next 30 mins, then go back to the site. I'm temporarily logged out, but because the session cookie is still good, the next page load logs me back in. How do the people who use sessions handle this type of scenario??

Thanks for any insight you may provide...

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/
Re: [PHP] How to handle so called expired sessions??
Hi,

Tuesday, December 3, 2002, 1:57:21 PM, you wrote:

> I've just been getting myself deep into using sessions. Sessions are working as they should except for one condition. Say I log into the site, and the session is started, and I don't do anything for the next 30 mins, then go back to the site. I'm temporarily logged out, but because the session cookie is still good, the next page load logs me back in. How do the people who use sessions handle this type of scenario??
>
> Thanks for any insight you may provide...

Do your own session timing by storing a last access time in sessions and check the duration yourself; if it is over the timeout you want, delete the session data and start again. That way the cookie is ok but won't point to any old data.

--
regards,
Tom
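
An added example, not code from any poster in this thread: the application-level idle timeout that Tom suggests above and that Gerard restates elsewhere in the thread as three numbered steps, so that expiry does not depend on when PHP's probabilistic session cleanup runs. The function names, the `expires_at` key and `IDLE_TIMEOUT` are assumptions; `logged_in` is the key from John's reply, and a plain array stands in for `$_SESSION` in the demonstration.

```php
<?php
// Added sketch: enforce the idle timeout in application code instead of
// relying on the session garbage collector having removed stale data.

const IDLE_TIMEOUT = 600; // seconds; the 10 minutes used in the thread

/** Step 1: call once credentials have been verified. */
function start_login(array &$session, int $now): void
{
    $session['logged_in']  = true;
    $session['expires_at'] = $now + IDLE_TIMEOUT;
}

/** Steps 2 and 3: call on every page load; true means still logged in. */
function check_idle_timeout(array &$session, int $now): bool
{
    $expires = $session['expires_at'] ?? 0;

    // Missing flag, malformed deadline, or deadline already passed:
    // wipe the data so a still-valid cookie cannot revive the login.
    if (empty($session['logged_in']) || !is_int($expires) || $expires <= $now) {
        $session = [];
        return false;
    }

    // Deadline is still in the future: slide the window forward.
    $session['expires_at'] = $now + IDLE_TIMEOUT;
    return true;
}

// In a real page (the login URL is hypothetical):
//   session_start();
//   if (!check_idle_timeout($_SESSION, time())) {
//       header('Location: /login.php');
//       exit;
//   }

// Constructed demonstration, runnable from the command line.
if (PHP_SAPI === 'cli') {
    $s  = [];
    $t0 = 1038974400;                            // constructed timestamp
    start_login($s, $t0);
    var_dump(check_idle_timeout($s, $t0 + 300)); // request 5 minutes after login
    var_dump(check_idle_timeout($s, $t0 + 901)); // next request, 601 seconds later
    var_dump($s);                                // session contents after the idle gap
}
```

Because the deadline is compared on every request, the result is the same whether or not the stored session data has been cleaned up in the meantime.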
Re: [PHP] How to handle so called expired sessions??
I had something similar in mind. Thanks for your input...

Tom Rogers wrote:

> Do your own session timing by storing a last access time in sessions and check the duration yourself; if it is over the timeout you want, delete the session data and start again. That way the cookie is ok but won't point to any old data.

--
Gerard Samuel
http://www.trini0.org:81/
http://dev.trini0.org:81/