Session

[Ashoar]

Hello.

I was just wondering if there is any sort of session function or command that could be added to the header (or any section of a php code) that would prevent a member from being logged out after being idle on a single page for a long time or closing the window without logging out.

[premiso]

Make your session time limit 0 in the php.ini or via ini_set or .htaccess.

 

As for when closing the window, set a cookie. Check if that cookie is valid the next time they come on, if they are consider them as being valid/logged in.

[Ashoar]

Thank you Premiso.

Could you go into a bit of detail.

How this could be done?

 

[jackpf]

ini_set("session.gc_maxlifetime", 0);

 

Something like that?

[Ashoar]

Ah, so i could just include that into the head of each page?

[PFMaBiSmAd]

Don't. A zero session.gc_maxlifetime will cause all session data files to be deleted every time session garbage collection runs.

 

The purpose of session garbage collection is to delete old session data files. It is only a side effect that it happens to end sessions for visitors that have not recently requested a page and it should not be used to log people out or for any other purpose. And in fact setting it to shorter values just screws over every one using sessions on the same server and using the default session save path - http://www.phpfreaks.com/forums/index.php/topic,246085.0.html and here http://www.phpfreaks.com/forums/index.php/topic,246173.msg1150788.html#msg1150788

[jackpf]

Ahh, well by all means, don't use it then

[Ashoar]

Ok thank you for the links PFMaBiSmAd

I will take a look through them.

[PFMaBiSmAd]

Actually a zero (just tested) does stop session garbage collection, which is its own problem because you now must manage garbage collection yourself or have your disk quota fill up with old session data files.

[jackpf]

I thought PHP cleared old sessions every 100 page requests?

[PFMaBiSmAd]

More information on the use of zero for the session.gc_maxlifetime. It does not delete the current session data file (the one that caused garbage collection to run) but it does delete all the other session data files (more than zero seconds older than the time garbage collection runs.)

[PFMaBiSmAd]

The session garbage collection logic is checked on each session_start() statement, it performs garbage collection randomly based on session.gc_probability and session.gc_divisor, and when it does run it deletes session data files that where last accessed more than session.gc_maxlifetime seconds ago.

 

On a busy shared server, session garbage collection could run every few seconds. On a low use server it could take days, weeks, or even months before it runs.

[Ashoar]

So would you still recommend against using 0?

[PFMaBiSmAd]

  Quote

it does delete all the other session data files

If you only want sessions on your site to work for each new visitor and destroy the existing session for the visitor before him, go for it.

[Ashoar]

Ah ok, sorry didn't properly see that part.

Well i think i will just do this based on time.

 

In my original code, when you logged in your name was added to a new database table. All the names from that database would then be fetched and displayed in a users online list.

When you logout your name is taken out of the database table.

 

The problem was that if they got logged out due to being idle for too long or just closing the screen when they finished, their name was not taken of the list and next time they logged in their name would be on the list twice. But after they logged out properly all copies of their names were removed.

 

I thought i could just add a section to the header of each page that said if the session = false, remove from the table.

But that did not work.

 

Thanks for the help. I guess i will try do it on a times basis.

[PFMaBiSmAd]

  Quote

their name would be on the list twice

Your code would need to check if the name was already in the table or define the name column as a unique key to prevent the insertion of duplicates.

 

The normal method of showing who is online is to also store/update the time of the last page request along with the name. The code that displays the members that are on line would first delete any rows that have a last access time farther in the past than a limit you pick, then display the remaining names.

[Ashoar]

Thanks.

Yeah although i didn't want it to be time based, i preferred just to log them in and add them to the list, and once they logged out they would automatically remove, instead of having a "Online in the last 10 minutes" type thing.

 

Either way i am changing it around now and will add a time section to it.