[nycphp-talk] Checking active sessions
Adrian Noland
anoland at indigente.net
Fri Apr 27 09:12:26 EDT 2007

I think you need to think about your temp folder idea some more. You
say that you are going to keep temp uploads and other things there
that get destroyed after the user logs out. But if you are
regenerating the user's session ID multiple times you will need to
keep the temp folder in sync with that.

I always think about the way online banks do it when I approach this
problem. They put a META refresh or perhaps a setTimeout() on the page
and force a page reload. If the request came from the refresh, then
you know the user isn't paying attention anymore and can dump the
session.

On 4/26/07, David Krings <ramons at gmx.net> wrote:
> Rob Marscher wrote:
> >>> Is there any way I can check which sessions are currently active and
> >>> which aren't? I like to add some housekeeping code, but taking away
> >>> things from active sessions would be just mean.
> >
> > Check out the documentation for session_set_save_handler --
> > http://us.php.net/manual/en/function.session-set-save-handler.php This
> > is how you can override the way php handles sessions by default and put
> > in your own code. The "gc" function (stands for garbage collection) is
> > where the "housekeeping" code goes. Note that the default php session
> > handlers should be cleaning up the expired session temp files for you
> > automatically. The location for these temp files is specified by the
> > session.save_path php.ini setting.
>
> Thanks for the pointer. I misused the term "temp file". What I do is
> create a folder that has to be unique and therefore is identical with
> the session id. That is not the temp folder that the web server / PHP
> creates when starting a session. I called it temp folder because I dump
> upload files and other stuff in there in order to do all kinds of things
> with it, once done the files are moved to the final resting spot. Since
> all this real client server and stateless stuff doesn't let me know when
> a client just went away, I have to come up with some way of cleaning up
> a bit at some point. When the client goes away right after an upload and
> before initiating the final submission, files may be left in there.
> While some stale folders and files are OK (although not nice), having
> them pile up over time will become a problem. So I need to keep track of
> the sessions that were generated through my script in order to ditch
> that folder with contents (annoyingly, there seems to be no PHP code
> word that does exactly that) when the session is most likely to be
> expired (24 hours later for example).
>
>
> >> My plan is to create a session, authenticate the user, then generate a
> >> new session ID for the session (I read that this improves security and
> >> is easy enough to do)
> >
> > As far as regenerating the session id after login, it *is* simple --
> > http://us.php.net/manual/en/function.session-regenerate-id.php -- but if
> > you're overwriting the default session handler to store sessions in a
> > database table, you need to make sure that it's getting updated the way
> > you expect.
>
> Well, my idea is to start the session, do the login and authentication,
> when the user is accepted, regenerate the session id, and then write it
> to the table with a timestamp. I don't see any reason to write the first
> session id to the table, because I throw that one away soon after. I
> really only want to keep the ids because I want to clean up the folders
> that I created.
>
> Sounds like a workable and reliable approach to me...if I'd just had the
> time to finally do it. Working with ZIP files at the moment, which go to
> that session id folder as well. Still haven't really understood how the
> unpacking works and what this new and -> stuff is about, anyhow (OK, I
> read too much Bob Pease).
>
> Thanks for the help,
>
> David
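
Added example, not part of the original thread and not any poster's code: one way to combine the points above, so that the upload folder survives session_regenerate_id() and stale folders are removed after 24 hours. It assumes session_start() has already run, names the folder after a random token kept in the session instead of after the session ID, and uses the folder's modification time in place of the database table with a timestamp; WORK_ROOT, MAX_AGE and all function names are hypothetical.

```php
<?php
// Added example; WORK_ROOT, MAX_AGE and the function names are assumptions.
const WORK_ROOT = '/var/tmp/app-work';   // hypothetical path, outside the web root
const MAX_AGE   = 86400;                 // 24 hours, the figure used in the thread

// Call once the user has been authenticated (session already started).
function start_authenticated_session(): string {
    session_regenerate_id(true);                       // new ID, old session file deleted
    $_SESSION['workdir'] = bin2hex(random_bytes(16));  // folder name independent of the ID
    $dir = WORK_ROOT . '/' . $_SESSION['workdir'];
    if (!mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    return $dir;
}

// Call on every authenticated request: the folder's mtime records the last activity.
function touch_workdir(): void {
    $name = $_SESSION['workdir'] ?? '';
    if (preg_match('/^[0-9a-f]{32}$/', $name)) {
        touch(WORK_ROOT . '/' . $name);
    }
}

// Delete a folder and everything in it; symlinks are unlinked, never followed.
function remove_tree(string $dir): void {
    $items = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($items as $item) {
        $path = $item->getPathname();
        ($item->isDir() && !$item->isLink()) ? rmdir($path) : unlink($path);
    }
    rmdir($dir);
}

// Run from cron or from a session "gc" handler; returns the number of folders removed.
function purge_stale_workdirs(int $now): int {
    $removed = 0;
    foreach (scandir(WORK_ROOT) ?: [] as $name) {
        $dir = WORK_ROOT . '/' . $name;
        // Only touch folders this script created (32 hex characters) and that are idle.
        if (preg_match('/^[0-9a-f]{32}$/', $name) && is_dir($dir) && $now - filemtime($dir) > MAX_AGE) {
            remove_tree($dir);
            $removed++;
        }
    }
    return $removed;
}
```

Because the token lives in the session data, regenerating the session ID again later needs no rename on disk, and the session ID never appears in a filesystem path.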