PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!
I'm having trouble working out at what point the sess_destroy function (within my Session Handler class) is actually being called. I can pinpoint the garbage collection function (sess_gc) being called every time a session has expired, but the sess_destroy function never seems to be used.
I hate redundant code, so could someone explain to me when it is used?
The destroy handler, this is executed when a session is destroyed with session_destroy() and takes the session id as its only parameter.
For example if you have a logout link, then you would want to destroy the session with session_destroy() yes?
mysql_function(): WARNING: This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQLextension should be used. See also MySQL: choosing an API guide and related FAQ for more information.
that makes sense. Now I think about it it sounds like a bit of a stupid question. Just hadn't got as far as offering a 'logout' option.
One issue I'm having with my session handler is that, if the session times out, because the session id always seems to be the same when a user hasn't cleared the session or quit the browser, the garbage collector always seems to clear the session from my database after my sess_read function. This means that, unless the browser refreshes one more time, the users session is lost. This, obviously, doesn't happen if the session I'd is completely new.
What's the best way to navigate this issue? Should I recall sess_read() at the end of the sess_gc function?
You can run into a race condition, where the use goes idle and the garbage collector may dump the session. Now the user is supplying a session id which no longer exists in the database.
The best way to deal with it is to check if the user supplied session id exists in the database, if not, you can start the session using the user supplied id, but always regerate id and destroy the old id. Otherwise, the max lifetime seems to be working like it should. Maybe lengthen the max life if it seems too short?
So in effect, the script running the garbage collection function is actually doing the work of the whole website in removing old sessions. I should have it do its magic, with the exception of the session provided by the user initiating the script?
Surely that would make it difficult for a user to garbage collect their own session, even if it WAS outdated.
If you could give me a more detailed process I might grasp it...
Maybe a few botched simplified functions for examples sake?