Sessions

[michaeln31]

Hi all,

 

If I have a list of session ids, is it possible to use this list to determine which session is no longer active? Seems like it should be do-able but can't find help on it so I'm kinda guessing its not!

 

Thanks for any help,

 

Michael

[creata.physics]

Okay, so if you have a mysql table set up that handles the sessions via a database then you won't have any issues.

 

When you insert a row into the database, you insert the session id and whatever else you may need, like timestamps and i.p addresses.

 

So what you need to do, is when a users session is first inserted into the database, you not only insert the unique session id into the SID field or whatever it may be called, you also insert the timestamp, preferrable using php's time(); function.

 

So now you have a users session stored into the database with the time their session started, to kill inactive sessions, you would simply run a query to pull all users sessions.

 

<?php
$query = "SELECT * FROM session_data";

$perform_query = mysql_query($query);

$session_expire				= time() - 900;

while ( $rows = mysql_fetch_array($perform_query) ) 
{
   //  Now that we've retrieved all the session from the database, we can check
   //  If the session time is GREATER than the 15 minutes ago, the session is expired.
   if ( $rows['session_time'] > $session_expire )
   {
       mysql_query("DELETE FROM lnx_sessions WHERE session_id = '$sid'");
   }
}
?>

 

Of course you'll have to modify this to fit your script, but this is how you check if a session is no longer active, of course you do not HAVE to delete the session, that is just a demonstration, put whatever code you want to process when we find an expired session inside that argument.

 

If you need any further explanations or anything feel free to ask.

[michaeln31]

I have something similar to that already implemented but I think I'll modify it more towards your example. My question really is about checking sessions "live".

 

On my site a user can log in and the site constantly checks session variables to authenticate the user. If that user is inactive for more than an hour they are automatically logged out, if the person chooses to log out they are logged out and both these systems are reflected in the database with a boolean "logged_in".

 

If the user decides to close the browser, the session is destroyed but the user is not logged out of the database. If the same user reopens the browser straight away, because the session is destroyed the user can no longer be authenticated using session variables. If the user tries to log in again  (within the session expiry time) they cannot because they are already marked as "logged in" in the database. It is only when the account expiry time is reached can the user log back in.

 

I think cookies or unique indentifiers are the answer but are something I would prefer to use as a last attempt. If I set a cookie to include the session id and an expiry, when the user reopens the browser, if the varible in the cookie "isset" i can use the id to set the session id using session_id().

 

Or something similar to your approach of adding a unique identifier to the database when the user first logs in. If the session connection is broken but the I.P. address is the same (and within an expiry time) the user's session can be taken out of the database.

 

These seem kind of crude to me and have a high chance of getting very messy. Is it not possible to have a list of sessions, (for lack of a better phrase) ask the server, "is this session_id" still running", and if it is not logged that session_id (and user) from the database.

 

Thanks again for any help,

 

Michael

[j9sjam3]

If you handle sessions via the database, you can add an expiry date.

Check this out: http://stefangabos.ro/php-libraries/zebra-session/

[michaeln31]

Expiring isn't the problem, I have that working. The problem is seeing if a session exists for a user that's marked as logged in in the database. It probably isn't possible seeing as I can't find the answer on the net.

 

Mike

[j9sjam3]

If you just store the IP address in the database then you can check if the user is on the same IP address?

[michaeln31]

If you just store the IP address in the database then you can check if the user is on the same IP address?

 

One of the problems I'm having is that the the main users of the site will all be behind one internet connection, using multiple user names. IP addresses probably won't be the best thing to uniquely identify someone.

 

Is it possible to get the location of where sessions are stored, then process all the sessions? Forgive me for not testing this myself but I can't test it at the moment.

 

Mike

[michaeln31]

Found a nice work around. The problem i was having was if a user was logged in and closed the browser, when the user opened the browser again (within session expiry time) the user could not log back in until the session expired. I changed 'session.cookie_lifetime' to reflect the same expiry time as the session its self. I've only done a few minutes of testing but so far it works and allows me to close the browser, reopen and continue as i did.

 

I will still implement code that will delete any session that is still active after a specified time just in case any session are left open. This is probably never going to be possible but can't hurt! (famous last words)

 

 

Thanks for all the help,

 

Mike