Is there a function to log out a user that is doing nothing for a while?

I've seen this session function that controlls the users login and out. Is there even a function thats uses the sessions to log out a user that is doing nothing for a while? Maybe there is a function like that but a could not notice that featcher.

tom

[Free WordPress Themes]

if the session time period is expired the use nee to log in again, check this directive:

http://nl3.php.net/manual/en/ref.session.php#ini.session.gc-maxlifetime

if the session time period is expired the use nee to log in again, check this directive:

http://nl3.php.net/manual/en/ref.session.php#ini.session.gc-maxlifetime

It does'nt work for me. I've set session.gc-maxlifetime to 24 sek. only to see if the log in user is loged out but it does'nt even the whole sess_id row for this user is not cleaned after the session.gc-maxlifetime time.
Should it not be deleted after the session.gc-maxlifetime?

The sessions are woking, the are created during the login process and are deleted during the logout process but not after the session.gc-maxlifetime.

I don't understand why.

[Free WordPress Themes]

maybe its not allowed to you to change this value?

maybe its not allowed to you to change this value?

I can change this value, it my server at home :-)

I am right in the assumption that the whole session datarow should be deleted if the session.gc-maxlifetime is over?

Perhaps you need to make the garbage collect run more often? old sessions will not be erased if the garbage collector is not run frequently enough.

Each time a session is opened, the probability the gc is started is session.gc_probability/session.gc_divisor. session.gc_probability defaults to 1 and session.gc_divisor defaults to 100, which makes a 1% probability.

ini_set('session.gc_divisor',1); will make it a 100% probability. Might be worth trying as a test.

Mike

Perhaps you need to make the garbage collect run more often? old sessions will not be erased if the garbage collector is not run frequently enough.

Each time a session is opened, the probability the gc is started is session.gc_probability/session.gc_divisor. session.gc_probability defaults to 1 and session.gc_divisor defaults to 100, which makes a 1% probability.

ini_set('session.gc_divisor',1); will make it a 100% probability. Might be worth trying as a test.

Mike

ok, I've set it to 1/1 for a test but still the sess is not cleared by _gc.

I'm not realy clear about how to use the session class but I think if the sessions are created and stored and deleted during the login/logout it should be the right usage. Right?

Well you shouldnt need to worry about it. Just set USE_MYSQL_SESSIONS to true in db_config and then when you include Access_User at the top of your file e.g. include_once("/path/access_user_class.php"); It will set the session handler up to use the database and start the session.

I would check its working by peeking at your database table with mySQLAdmin though. You should see the rows coming and going. If they arent going then you need to sort it out.

Mike

Well you shouldnt need to worry about it. Just set USE_MYSQL_SESSIONS to true in db_config and then when you include Access_User at the top of your file e.g. include_once("/path/access_user_class.php"); It will set the session handler up to use the database and start the session.

I would check its working by peeking at your database table with mySQLAdmin though. You should see the rows coming and going. If they arent going then you need to sort it out.

Mike

USE_MYSQL_SESSIONS is set to true. I think otherwise the session would not be stored in the database. I'm aready whatching the session comming in the database using phpmyadmin but can't see them going.

I assume it is not nessesary to include the session_handler at the top of every file because it's already included in assess_user.class but I will try to do it.

@pagedown
you are right. It was nessesary to include the session_handler at the top of the new file. Now it working very well.

:-)
thanks

you are right. It was nessesary to include the session_handler at the top of the new file. Now it working very well.

I'm still a bit confused because if a file is using some Access_User functions then it would need to have the include(access_user_class) at the top of the file. And Access_User should include session_handler.php

Anyway, glad its working.

Mike

[What not works is that a user is not logout automaticly after doing nothing.]

you are right. It was nessesary to include the session_handler at the top of the new file. Now it working very well.

I'm still a bit confused because if a file is using some Access_User functions then it would need to have the include(access_user_class) at the top of the file. And Access_User should include session_handler.php

Anyway, glad its working.

Mike

I was to fast enjoying the logout after I had put the include a second time (first access_user) in the called file but after I did this I could not log in anymore ...

Now I will descripe what the session class is doing in my case:
If i log in it create a table row with this 4 values:
- ses_id,    ses_time,    ses_start ,   ses_value
- ses_time grows up every time when I execute a script.
- ses_value disapears after a user did a logout but the other values still stay there.
- If the same user or an other user with the same browser and the stored PHPSESSID cookie log in again it uses the same ses_id and creates an new value for ses_value.

The session class is called on top of access_user.class.

What not works is that a user is not logout automaticly after doing nothing.

For testing I've set this in php.ini

session.gc_probability = 1
session.gc_divisor     = 1000
session.gc_maxlifetime = 30

Whith this settings I think the sleeping user should be logout by killing the session after 30 seconds. I've even tried to use the session starter (Cross-Browser Session Starter ver. 1.00 ) instead of calling session_start() I call the function start_session() on to of the session class but even there is no effect, the user is loged in for ever.

Is that descriped session behavior ok, usual?
What could be the reason that the user is not logout after 30 sek?

Hi tomz,

Just came across this on the internet.

Note that for security reasons the Debian and Ubuntu distributions of php do not call _gc to remove old sessions, but instead run /etc/cron.d/php*, which check the value of session.gc_maxlifetime in php.ini and delete the session files in /var/lib/php*.  This is all fine, but it means if you write your own session handlers you'll need to explicitly call your _gc function yourself.  A good place to do this is in your _close function, like this:

<?php
function _close() {
    _gc(get_cfg_var("session.gc_maxlifetime"));
   // rest of function goes here
}
?>

Interesting 

Mike


(Edit)

Just noticed Access_User session handler already calls _gc from close(). Although with 0 as parameter?

I think I've solved some of the garbage collection mysteries.

1) Access_user ignores the normal session expiry timeouts such as session.gc_maxlifetime and always uses 5 minutes.

Apart from this fixed time it seems to work correctly.
The garbage collector is run once at the end of a page being displayed.
The garbage collector will delete any sessions that havent been updated within the last 5 minutes.

(If you are testing this with a single user you will never see it working because it is only run when a page is displayed
and if you display a page the timer will be reset. You need to test it with 2 or more users.)


2) The browser reuses the old session id making it look like the old session isn't being correctly deleted, when in fact it is.

To explain in more detail what happens

- When you start your first session a session id, a start time and a current time are logged in the database.
- As you use the session, data is stored in it
- When you logout session data is cleared and the row for your session is deleted from the session table
- Access_user then jumps to LOGOUT_PAGE which is defined in db_config.php
- My LOGOUT_PAGE is my home page which causes a new session to be started
- Same session id is reused. (I think because the session cookie is not deleted. This might be Firefox only feature though)
- So if you watch the session table it will appear that the session isn't being cleared when in fact it is.

To prove this change your LOGOUT_PAGE so that it doesnt redirect but instead just does an exit.
You will see the session table row is deleted correctly.

This isn't a serious problem as session variables and data have been cleared, the only problem is that we keep
using the same session id.


Suggested improvement
---------------------

kill the session altogether by deleting the session cookie.
Change log_out to include just before session-destroy()...

$sessionName = session_name();
$sessionCookie = session_get_cookie_params();
setcookie($sessionName, false, $sessionCookie['lifetime'], $sessionCookie['path'], $sessionCookie['domain'], $sessionCookie['secure']);

this will delete the session cookie.
Now if you watch the session table you will see a completely new session id after you log out

Mike

[Free WordPress Themes]

makes sense, the first thing about the 5 minutes, its hardcoded in the 3rd party session handler class:

    /* Garbage collection, deletes old sessions */
    function _gc($life) {
        $ses_life = strtotime("-5 minutes");

        $session_sql = "DELETE FROM " . $this->ses_table
                     . " WHERE ses_time < $ses_life";
        $session_res = @mysql_query ($session_sql);


        if (!$session_res) {
            return FALSE;
        }         else {
            return TRUE;
        }
    }


I will check the session cookie thing if this is related to the session class or to AU

[Free WordPress Themes]

btw. thanks for your investigations!

[Guest]

[37.736]

Msnbot, Googlebot, Yahoo crawler, Baidu Spider