
session questions


evanct


When a session expires are the session variables automatically unset, or do I have to do that manually?

 

Basically I'm trying to make it so the login times and logout times are entered into a MySQL table. When the user logs in, a session is started, $_SESSION['login'] is set, and the current time is entered into the 'login' field of the table. If the user manually logs out, $_SESSION['login'] is unset and the current time is entered into the 'logout' field. index.php checks if $_SESSION['login'] is set, and if it isn't, the user is redirected to the login page.

 

If however the user does not manually log out, I still need a time to insert into the 'logout' field. So what's supposed to happen is the next time the user is redirected to the login page, the last inserted login/logout table row is checked and if the logout field contains NULL, set it as that row's login value +1 hour (session.cookie_lifetime is set to 1 hour).

 

What happens though is I log in, leave the site, come back after the session lifetime has passed, and I am not redirected to the login page - in other words $_SESSION['login'] is still set, even though the session should have expired.

Link to comment
Share on other sites

Ok, so the session files (assuming the default session handler) are stored on the file server.  These session files can have a lifetime set up for them, based on the session configuration variable session.gc_maxlifetime.  Using cookies, the connection between the session id and the session file is made, and this can be somewhat constrained using a cookie_lifetime, but this should not be set to a short amount of time (as in your example) because the time corresponds to the server time, and you can not control or ascertain what the client's local time is.

 

In a note on the gc_maxlifetime, there are two variables that control when the garbage collection is run.  These are described on the manual page.  Keep in mind, that in a situation where you have low traffic (development mode) it is possible that you will not generate enough requests to hit the threshold which would trigger the garbage collection, so it's entirely possible that you will have session files that hang around long after they should have expired.

 

Enough background -- now to your problem.  The first issue I see is that it seems you only want people to be logged in for an hour.  Is that really what you want?  This would mean that a person using your site continuously is going to be logged out after an hour, assuming you implement this control.

 

Your best bet is to control this within the session.  If you determine using your login time, that the hour has expired, by checking it against the current server time, then you could do something like this (see the session_destroy php.net page for more info).

 

$_SESSION = array();

// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (isset($_COOKIE[session_name()])) {
    setcookie(session_name(), '', time()-42000, '/');
}

// Finally, destroy the session.
session_destroy();

Link to comment
Share on other sites

Well no, I don't want the user to automatically be logged out after an hour regardless of his activities. I thought that by calling session_start at the top of index.php the session's lifetime would reset to 0 each time index.php is accessed?

 

the first few lines of index.php:

<?php

session_start();
require_once('common.php');
require_once('../lib/functions.php');

if (!isset($_SESSION['login'])) {
    header('location: login.php');
    exit;
}
?>

 

So the session is started or resumed before the script checks if $_SESSION['admin'] is set. So what seems to be happening (to me and my incomprehensive understanding of sessions) is that the session is started and the previous $_SESSION['login'] value, having not been unset or garbage collected, is restored. Am I correct there? If so, couldn't I just set garbage collection to run every time a session expires, or is there some reason that isn't a good idea?

Link to comment
Share on other sites

All sessions do is give you a serverside persistence mechanism for data associated with a browser instance.  It's up to you whether or not you actually want to set session variables and give them data.  A session can be expired but that is based on when it is first created. 

 

If I understand you, what you want to make sure is that if someone hasn't done anything in over an hour, you want them to have to relog in? 

 

If that's the case, then go with a session variable called something like 'last_activity'.  What you would then want to do is something like this:

 

 


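$currtime = time(); // get UNIX timestamp

// Expired when the last activity plus one hour lies in the past.
if (isset($_SESSION['last_activity']) && ($_SESSION['last_activity'] + 3600) < $currtime) {
    // Hour since last activity, log em out
    // Do unsetting of $_SESSION['login'], session_destroy(), session cookie backdating etc.

} else {
    // Still active (or first request): record this request as the latest activity.
    $_SESSION['last_activity'] = $currtime;
}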

 

This decouples the last_activity from your login time, and still gives you your inactivity timeout function.  Since it's all serverside, it should be impervious to issues with local user time.  This is all off the top of my head, so code may have syntax issues or logic errors  :D

Link to comment
Share on other sites
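The inactivity check from the reply above, written out as a complete gate for the top of index.php. This is an added example, not code from any poster in the thread; the helper names, the fail-closed handling of a missing last_activity, and recording last_activity + limit as the logout time are assumptions, and it expects the login script to set $_SESSION['last_activity'] alongside $_SESSION['login'].

```php
<?php
// Added example; helper names are hypothetical, not from the thread.
const IDLE_LIMIT = 3600; // one hour of allowed inactivity, in seconds

// Returns null while the session is active (and refreshes last_activity),
// otherwise the server-side timestamp at which the session lapsed.
function idle_expired_at(array &$session, int $now, int $limit = IDLE_LIMIT): ?int
{
    if (!isset($session['login'])) {
        return null;                 // nobody logged in, nothing to expire
    }
    if (!isset($session['last_activity'])) {
        return $now;                 // assumption: fail closed if the stamp is missing
    }
    if ($session['last_activity'] + $limit < $now) {
        return $session['last_activity'] + $limit;
    }
    $session['last_activity'] = $now;
    return null;
}

// Clears the data, backdates the cookie, and removes the session file.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI === 'cli') {
    // Constructed input: last request at t=1000, checked 30 and 90 minutes later.
    $s = ['login' => true, 'last_activity' => 1000];
    var_dump(idle_expired_at($s, 2800));
    var_dump(idle_expired_at($s, 2800 + 5400));
} else {
    session_start();
    $endedAt = idle_expired_at($_SESSION, time());
    if ($endedAt !== null) {
        // Write $endedAt to the 'logout' column here before destroying.
        end_session();
    }
    if (!isset($_SESSION['login'])) {
        header('Location: login.php');
        exit;
    }
}
```

Because the decision uses only timestamps stored server-side in the session, it does not depend on garbage collection having run or on the cookie lifetime being honoured by the browser.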
