NYCPHP Meetup

NYPHP.org

[nycphp-talk] Checking active sessions

David Krings ramons at gmx.net
Thu Apr 26 19:07:29 EDT 2007


Rob Marscher wrote:
>>> Is there any way I can check which sessions are currently active and 
>>> which aren't? I like to add some housekeeping code, but taking away 
>>> things from active sessions would be just mean.
> 
> Check out the documentation for session_set_save_handler -- 
> http://us.php.net/manual/en/function.session-set-save-handler.php  This 
> is how you can override the way php handles sessions by default and put 
> in your own code.  The "gc" function (stands for garbage collection) is 
> where the "housekeeping" code goes.  Note that the default php session 
> handlers should be cleaning up the expired session temp files for you 
> automatically.  The location for these temp files is specified by the 
> session.save_path php.ini setting.

Thanks for the pointer. I misused the term "temp file". What I do is 
create a folder that has to be unique and therefore is identical with 
the session id. That is not the temp folder that the web server / PHP 
creates when starting a session. I called it temp folder because I dump 
upload files and other stuff in there in order to do all kinds of things 
with it, once done the files are moved to the final resting spot. Since 
all this real client server and stateless stuff doesn't let me know when 
a client just went away, I have to come up with some way of cleaning up 
a bit at some point. When the client goes away right after an upload and 
before initiating the final submission, files may be left in there. 
While some stale folders and files are OK (although not nice), having 
them pile up over time will become a problem. So I need to keep track of 
  the sessions that were generated through my script in order to ditch 
that folder with contents (annoyingly, there seems to be no PHP code 
word that does exactly that) when the session is most likely to be 
expired (24 hours later for example).


>> My plan is to create a session, authenticate the user, then generate a 
>> new session ID for the session )I read that this improves security and 
>> is easy enough to do)
> 
> As far as regenerating the session id after login, it *is* simple -- 
> http://us.php.net/manual/en/function.session-regenerate-id.php -- but if 
> you're overwriting the default session handler to store sessions in a 
> database table, you need to make sure that it's getting updated the way 
> you expect.

Well, my idea is to start the session, do the login and authentication, 
when the user is accepted, regenerate the session id, and then write it 
to the table with a timestamp. I don't see any reason to write the first 
session id to the table, because I throw that one away soon after. I 
really only want to keep the ids because I want to clean up the folders 
that I created.

Sounds like a workable and reliable approach to me...if I'd just had the 
time to finally do it. Working with ZIP files at the moment, which go to 
that session id folder as well. Still haven't really understood how the 
unpacking works and what this new and -> stuff is about, anyhow (OK, I 
read too much Bob Pease).

Thanks for the help,

David



More information about the talk mailing list