  1. #1
    SitePoint Member
    Join Date
    Feb 2005
    Posts
    7

    Sessions don't get deleted, why !!!

    hello everyone,
    i have searched the internet and the sitepoint forum threads: about why don't sessions get deleted after closing the browser.
    i did indeed find lot of information and ways, i tried them all, but still i am in the same loop.
    the situation is that i want the session to get destroyed after the browser is closed.
    my testing code for creating the session was:
    <? session_register(session_id()); ?>
    that's it. the session was created successfully and it got deleted successfully, though only when using session_destroy(); . unfortunately not when closing the browser. and that's the problem
    i changed session.gc_maxlifetime, session.save_path, session.cache_limiter, session.cache_expire to different values based on what i have found from the internet and the threads here that discussed this matter, yet nothing worked.

    the problem is either in the code, php.ini or in my head (hope it's the first two options though)

    help !
    i will really appreciate it

  2. #2
    Sell crazy someplace else markl999's Avatar
    Join Date
    Aug 2003
    Location
    Manchester, UK
    Posts
    4,007

  3. #3
    Mlle. Ledoyen silver trophy seanf's Avatar
    Join Date
    Jan 2001
    Location
    UK
    Posts
    7,168
    Moved to a more appropriate forum. See Where should I post my thread? for details

    Sean
    Harry Potter

    -- You lived inside my world so softly
    -- Protected only by the kindness of your nature

  4. #4
    SitePoint Member
    Join Date
    Feb 2005
    Posts
    7
    Oops, Thanks Sean

  5. #5
    SitePoint Member
    Join Date
    Feb 2005
    Posts
    7

    session.gc_probability was the problem, Though

    i managed to delete the created sessions by changing session.gc_probability = 100 (which was the main problem) & session.gc_divisor = 100 & maxlifetime = 10. the sessions, though, get cleared after i start a new session; they do not get removed from the session-storage-folder when i refresh it every 10 seconds, not even when i close the browser.

    is this a normal behavior? shouldn't the sessions be removed directly from the folder after the maxtimelife of the sessions is up, or when the browser is terminated by the user?
    will this ( making the sessions probability and divisor = 100 (100/100) & maxlifetime = 10 ) affect the server performance a lot when dealing with a lot of sessions?


  6. #6
    SitePoint Evangelist anjanesh's Avatar
    Join Date
    Jun 2004
    Location
    Mumbai
    Posts
    447
    By the way, sometimes session variables stored in cookies don't get deleted in spite of doing session_destroy();, so you'll have to delete them yourself. I don't know about the session behaviour in PHP 5 though.
    Code:
    session_start();
    session_unset();
    $_SESSION = array();
    session_destroy();
    setcookie(session_name(),"",0,"/");
    Anjanesh

  7. #7
    SitePoint Member
    Join Date
    Feb 2005
    Posts
    7
    true, i can destroy the session that gets generated with session_start() using session_destroy(). But what i can't figure out yet is why the sessions are still there when the browser is closed or terminated without calling session_destroy() from the script.
    does a session (sess_29378423..) associated with a browser stay alive even when the browser is terminated without calling session_destroy from the script?

  8. #8
    SitePoint Enthusiast jpp's Avatar
    Join Date
    Nov 2003
    Location
    Arnhem, The Netherlands
    Posts
    75
    Can it have something to do with your php-settings? I thought there was some session-expiration setting in the php.ini, not sure

  9. #9
    SitePoint Wizard cranial-bore's Avatar
    Join Date
    Jan 2002
    Location
    Australia
    Posts
    2,634
    Just closing the browser won't destroy a session, it just removes the browser's reference to the session so it won't adopt the session next time the browser is at a relevant page.

    I think Linux web hosts typically have a garbage collection process to remove old sessions, otherwise you'll have to make something yourself.
    For example a cron job that runs once an hour to delete sessions that have not been updated/created within a certain timeout period.
    mikehealy.com.au
    diigital.com art, design. Latest Work - Saturday Morning
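
The behaviour described in the posts above (the browser only forgets the cookie, and the server-side file lingers until the probabilistic garbage collector runs) is why an idle timeout is usually enforced by the application on every request. This is an added example, not code from the thread; the `last_activity` key, the function names and the 180-second limit are assumptions.

```php
<?php
// Added example: enforce the idle timeout in the application rather than
// relying on session.gc_probability / session.gc_divisor to remove old files.
const MAX_IDLE = 180; // seconds; assumed value

// Returns true if the existing session is still valid, false if it had
// idled out and was replaced by a fresh, empty one.
function start_session_with_idle_timeout(int $maxIdle = MAX_IDLE): bool
{
    // lifetime 0: the browser drops the cookie when it closes. The session
    // file on the server is untouched by that; only the checks below and
    // the garbage collector ever remove it.
    session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'httponly' => true, 'samesite' => 'Lax']);
    session_start();

    $now   = time();
    $last  = $_SESSION['last_activity'] ?? null;
    $alive = ($last === null) || ($now - $last) <= $maxIdle;

    if (!$alive) {
        $_SESSION = [];               // drop the stale data
        session_regenerate_id(true);  // delete the old session file, issue a new id
    }
    $_SESSION['last_activity'] = $now;
    return $alive;
}

// Explicit logout: clear the data, expire the cookie, delete the file.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage at the top of every protected page (skipped on the command line).
if (PHP_SAPI !== 'cli' && !start_session_with_idle_timeout()) {
    echo "Your session has expired, please log in again<br>";
}
```

With this check in place the garbage collector is only housekeeping for abandoned files, so `session.gc_probability` can stay at a low value.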

  10. #10
    SitePoint Zealot
    Join Date
    Feb 2005
    Location
    UK
    Posts
    121
    Don't know too much about this, but I do know that you have to properly kill the cookie in order to kill the session. I use the following code to do this

    PHP Code:
        // Unset all of the session variables.
        $_SESSION = array();

        // If it's desired to kill the session, also delete the session cookie.
        // Note: This will destroy the session, and not just the session data!
        if (isset($_COOKIE[session_name()])) {
            setcookie(session_name(), '', time()-42000, '/');
        }

        // Finally, destroy the session.
        session_destroy();
    Notice that it sets the cookie expiry to a time in the past so that everything knows it has expired. I guess that this also has the effect of convincing the server not to preserve the session file as well.

  11. #11
    SitePoint Member
    Join Date
    Feb 2005
    Posts
    7
    Thanks for your comments and help everyone
    i guess i found what i want now, though i would like to share it, maybe there are better ways to achieve this process or enhance it:
    i wanted to create a login authentication process with no client-side sessions and cookies.
    1) user from same computer won't have to re-login if he has already logged in before and his session is still not idle or expired
    2) another user with the same username & password can't log in (from different computer), unless the original user is logged off
    3) user will be automatically signed off if he is idle for period of time or his session has expired

    PHP Code:
    <?php
        session_start();

        // Settings
        $host   = "host name";
        $usr    = "DB username";
        $pss    = "DB password";
        $db_nm  = "DB name";
        $fields = "pass,sess_id,ip_add";
        $table  = "DB table";

        //creating a database connection
        $conn = mysql_connect($host, $usr, $pss);
        mysql_select_db($db_nm, $conn);

        //there is no string validation for the username and password
        $user = $_POST["user"]; //get username from the form
        $pass = sha1($_POST["pass"]); //hash (SHA-1) the password from the form

        $SQL_Login = mysql_query("select ".$fields." from ".$db_nm.".".$table." where user='".$user."'", $conn) or die("Select query failed to fetch user info");
        $Login_Row = mysql_fetch_array($SQL_Login);

        mysql_free_result($SQL_Login); //free memory used for the SQL_Login query

        function updateLogin($user, $conn, $db_nm, $table){ //called when the session is not idle
            mysql_query("update ".$db_nm.".".$table." set sess_id='".session_id()."', ip_add='".$_SERVER["REMOTE_ADDR"]."' where user='".$user."'", $conn) or die("Update query failed to update session id, ip address");
            $_SESSION['timespan'] = time();
        } //end of updateLogin

        function clearLogin($user, $conn, $db_nm, $table){ //called when the session is idle
            mysql_query("update ".$db_nm.".".$table." set sess_id='', ip_add='' where user='".$user."'", $conn) or die("Update query failed to clear session id, ip address");
        } //end of clearLogin

        if (!empty($Login_Row["pass"])){
            if ($pass == $Login_Row["pass"]){
                if ($_SERVER["REMOTE_ADDR"] == $Login_Row["ip_add"]){ //from the same computer
                    $filemtime = filemtime(session_save_path()."\sess_".$Login_Row["sess_id"]); //check file modification time
                    if ((time()-$filemtime) < 180){ //check if user session is being used
                        updateLogin($user, $conn, $db_nm, $table);
                        echo "Welcome Back ".$user."<br>";
                        //redirect to user account page
                    }else{ //when user session is idle (not used for 3 minutes)
                        clearLogin($user, $conn, $db_nm, $table);
                        echo "You have to log in again, your session has expired<br>";
                        //redirect to login page
                    } //end of idle session checking
                }else{ //from different computer
                    if (!file_exists(session_save_path()."\sess_".$Login_Row["sess_id"])){ //if there is no session for this user then login
                        updateLogin($user, $conn, $db_nm, $table);
                        echo "Successful Logging<br>";
                        //redirect to user account page
                    }else{ //if there is a session created for this user then
                        $filemtime = filemtime(session_save_path()."\sess_".$Login_Row["sess_id"]); //check file modification time
                        if ((time()-$filemtime) > 180){ //check if the session has been idle for some time, if not then the user is already logged in
                            updateLogin($user, $conn, $db_nm, $table);
                            echo "Successful Logging<br>";
                            //redirect to user account page
                        }else{ //when user session is still in use (used within the last 3 minutes)
                            echo "User ".$user." is already logged in<br>";
                            //redirect to home
                        } //end idle sessions checking
                    } //end session file checking
                } //end user computer checking
            }else{
                echo "Invalid Password<br>";
            } //end password checking
        }else{
            echo "Invalid Username<br>";
        } //end username checking

        mysql_close($conn); // terminate the connection
        unset($db_nm, $table, $fields, $host, $usr, $pss, $user, $pass, $filemtime, $Login_Row); //unset the variables
    ?>
    i am adding to this code the username and password string checking and another if statement that will lock an account after certain number of invalid attempts for the password of an existing user. Should be fine though

    the only pitfall (that i find till now) or maybe extra unrequited security is: after the user logs off, his account will be locked until his session (from his last login) gets expired or idle (3 min). so no one can login to the same account in those 3 min unless the attempt comes from the same computer.


  12. #12
    SitePoint Zealot
    Join Date
    Feb 2005
    Location
    UK
    Posts
    121

    Biggest problem you have here is the use of IP address to identify the user. IP addresses are NOT unique to specific user, eg 1,000s of AOL users will share the same proxy IP. The same goes for all large ISPs - they all have to use proxies as they have more customers than they have available IPs. The rest allocate user IP dynamically when they dial in, so theoretically I could end up with the same IP as one of your users who has just logged out and hence inherit the session.

    That is why cookies are used to identify unique machines - nothing else will be guaranteed to work. Your idea is a non-starter I'm afraid, unless you are only going to have 1 user per ISP!! Imagine that, only 1 AOL user in the USA or 1 BT surftime user in the UK??
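
The one-login-per-account rule from post #11, keyed on the session id carried in the cookie instead of the client IP address, as the post above recommends. This is an added example, not the poster's code: the `users` table, its columns, the `try_login`/`logout` names and the in-memory SQLite data are constructed for illustration, and it also swaps the concatenated `mysql_query` strings for prepared statements and `sha1` for `password_hash`.

```php
<?php
// Added example: single active login per account, bound to the session id.
const IDLE_LIMIT = 180; // seconds; the 3-minute window from the thread

function try_login(PDO $db, string $user, string $pass, string $sid, int $now): string
{
    $q = $db->prepare('SELECT pass_hash, sess_id, last_seen FROM users WHERE user = ?');
    $q->execute([$user]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    // Same answer for an unknown user and a wrong password.
    if (!$row || !password_verify($pass, $row['pass_hash'])) {
        return 'invalid';
    }
    // The account is held only while its recorded session is not idle.
    $active = $row['sess_id'] !== null && ($now - (int)$row['last_seen']) <= IDLE_LIMIT;
    if ($active && !hash_equals($row['sess_id'], hash('sha256', $sid))) {
        return 'already_logged_in'; // another session holds the account, whatever its IP
    }
    // Store only a hash of the session id, plus the time it was last seen.
    $db->prepare('UPDATE users SET sess_id = ?, last_seen = ? WHERE user = ?')
       ->execute([hash('sha256', $sid), $now, $user]);
    return $active ? 'resumed' : 'ok';
}

// Explicit logout releases the account at once, so there is no 3-minute lock.
function logout(PDO $db, string $user): void
{
    $db->prepare('UPDATE users SET sess_id = NULL, last_seen = 0 WHERE user = ?')->execute([$user]);
}

// Constructed demo data: in-memory SQLite and one made-up account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT PRIMARY KEY, pass_hash TEXT, sess_id TEXT, last_seen INTEGER)');
$db->prepare('INSERT INTO users VALUES (?, ?, NULL, 0)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

$t = 1000000; // constructed clock value
echo try_login($db, 'alice', 'correct horse', 'sid-A', $t), "\n";       // first browser logs in
echo try_login($db, 'alice', 'correct horse', 'sid-B', $t + 60), "\n";  // second browser while the first is active
echo try_login($db, 'alice', 'correct horse', 'sid-A', $t + 120), "\n"; // first browser comes back
echo try_login($db, 'alice', 'correct horse', 'sid-B', $t + 400), "\n"; // first browser idle for more than 180 s
logout($db, 'alice');
```

In a real page `$sid` would be `session_id()` taken after `session_regenerate_id(true)` at login, and `last_seen` would be refreshed on every authenticated request.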

  13. #13
    SitePoint Member
    Join Date
    Feb 2005
    Posts
    7
    Roger Ramjet, thanks for the comment. a very important point that slipped out of my mind. Thanks again.
    i guess, i will dig more into the matter, still i have some ideas that i want to try before going to cookies.

