"Infinite" Sessions

[Bauer418]

I'm working on a PHP session management system that isn't based on the standard PHP session system.  I'm trying to achieve an effect similar to Facebook where a user is logged in as long as the browser is open.  When the browser is closed, the session is no longer active, unless they have checked "Remember Me."  I'm aware of how to set a cookie that will end when the browser is closed, but the issue arises when the session data sits in the database because I have told it not to expire.  I consider myself fairly advanced when it comes to PHP, so I'm not looking for any sort of code, rather just a possible way to achieve the desired result.

 

Here's a sample scenario:

 

[*]User first visits the site, a session is created for that user

[*]The user logs in, and the session now remembers their user id

[*]The user leaves their computer for a couple of hours, returns, and their session is still active

[*]The user closes their browser window, re-opens it, and returns to the site

[*]Their previous session is no longer valid, they must login again

[*]The session data is removed from the database

 

Should I just set an arbitrarily long session timeout?  Any other suggestions?

[DarkWater]

You're storing session information in the database?  And I don't see the issue here.  If you're setting a cookie that expires when the browser closes, the user is no longer associated with that session data when they return.  What's the problem?

[Bauer418]

I want the session to last until they close their browser, but I also need someway to clean and maintain the database, so there aren't week-old session entries in there.  I have settled on the fact that the only way to do it is with an arbitrarily long session timeout as I mentioned earlier.  Probably 24 hours, so there's no need for this topic anymore.  Thanks though.

[Mchl]

Use session_set_save_handler to set up a garbage collector function that will delete unused sessions from database. Garbage collector is running automatically by PHP (there's setting for it in php.ini)

[Bauer418]

I'm aware of garbage handling and session_set_save_handler.  That wasn't my question.  I was wondering if there was a better way to create sessions that end with a browser close and are cleaned up shortly after, rather than just setting an arbitrarily long expiration time.  In any case, I'm making a custom session class that doesn't use PHP's built-in system since I would need to change so many thing with it anyway.

[coalgames]

I understand what you are asking for.

 

You will probably need a javascript code to send info to the server that you are still online. Once the server detects that the user is not sending a message to the server that they are still online, delete the user.

 

Now on deleting the cookie:

Use javascript to delete the cookie on leaving the document. I have seen many scripts that say: "Are you sure you want to leave this page". You can do something similar but seamless with javascript deleting the cookie.

 

There are some problems with this though:

Some people dont have javascript enabled.

Some people might end the process so cookie wont be deleted. (Not important)

If you are using javascript to manipulate the cookie, you would not be able to use php's httponly part of the cookie making your application prone to xss

 

But, this is achieveable on the server side. If the server does not get a message that the client is still online, then they will delete the row on the database.

 

I hope this helps.