Jump to content

"Infinite" Sessions


Recommended Posts

I'm working on a PHP session management system that isn't based on the standard PHP session system.  I'm trying to achieve an effect similar to Facebook where a user is logged in as long as the browser is open.  When the browser is closed, the session is no longer active, unless they have checked "Remember Me."  I'm aware of how to set a cookie that will end when the browser is closed, but the issue arises when the session data sits in the database because I have told it not to expire.  I consider myself fairly advanced when it comes to PHP, so I'm not looking for any sort of code, rather just a possible way to achieve the desired result.


Here's a sample scenario:


[*]User first visits the site, a session is created for that user

[*]The user logs in, and the session now remembers their user id

[*]The user leaves their computer for a couple of hours, returns, and their session is still active

[*]The user closes their browser window, re-opens it, and returns to the site

[*]Their previous session is no longer valid, they must login again

[*]The session data is removed from the database


Should I just set an arbitrarily long session timeout?  Any other suggestions?

Link to post
Share on other sites

You're storing session information in the database?  And I don't see the issue here.  If you're setting a cookie that expires when the browser closes, the user is no longer associated with that session data when they return.  What's the problem? :o

Link to post
Share on other sites

I want the session to last until they close their browser, but I also need someway to clean and maintain the database, so there aren't week-old session entries in there.  I have settled on the fact that the only way to do it is with an arbitrarily long session timeout as I mentioned earlier.  Probably 24 hours, so there's no need for this topic anymore.  Thanks though.

Link to post
Share on other sites

I'm aware of garbage handling and session_set_save_handler.  That wasn't my question.  I was wondering if there was a better way to create sessions that end with a browser close and are cleaned up shortly after, rather than just setting an arbitrarily long expiration time.  In any case, I'm making a custom session class that doesn't use PHP's built-in system since I would need to change so many thing with it anyway.

Link to post
Share on other sites

I understand what you are asking for.


You will probably need a javascript code to send info to the server that you are still online. Once the server detects that the user is not sending a message to the server that they are still online, delete the user.


Now on deleting the cookie:

Use javascript to delete the cookie on leaving the document. I have seen many scripts that say: "Are you sure you want to leave this page". You can do something similar but seamless with javascript deleting the cookie.


There are some problems with this though:

Some people dont have javascript enabled.

Some people might end the process so cookie wont be deleted. (Not important)

If you are using javascript to manipulate the cookie, you would not be able to use php's httponly part of the cookie making your application prone to xss


But, this is achieveable on the server side. If the server does not get a message that the client is still online, then they will delete the row on the database.


I hope this helps.

Link to post
Share on other sites


This topic is now archived and is closed to further replies.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.