Page 1 of 1
Session Handler Destroy
Posted: Mon May 10, 2010 12:56 pm
by drayfuss
I'm using session handlers to plug session data into my database.
Code: Select all
//envoke session_set_save_handler
session_set_save_handler(array($this, "sess_open"), array($this, "sess_close"), array($this, "sess_read"), array($this, "sess_write"), array($this, "sess_destroy"), array($this, "sess_gc"));
I'm having trouble working out at what point the sess_destroy function (within my Session Handler class) is actually being called. I can pinpoint the garbage collection function (sess_gc) being called every time a session has expired, but the sess_destroy function never seems to be used.
I hate redundant code, so could someone explain to me when it is used?
Thanks,
drayfuss
Re: Session Handler Destroy
Posted: Mon May 10, 2010 1:09 pm
by AbraCadaver
The destroy handler, this is executed when a session is destroyed with session_destroy() and takes the session id as its only parameter.
For example if you have a logout link, then you would want to destroy the session with session_destroy() yes?
Re: Session Handler Destroy
Posted: Mon May 10, 2010 1:10 pm
by flying_circus
Session destroy is called whenever you use the session_destroy() function or session_regenerate_id([bool $delete_old_Session = true]).
Re: Session Handler Destroy
Posted: Mon May 10, 2010 3:15 pm
by drayfuss
Ah,
that makes sense. Now I think about it it sounds like a bit of a stupid question. Just hadn't got as far as offering a 'logout' option.
One issue I'm having with my session handler is that, if the session times out, because the session id always seems to be the same when a user hasn't cleared the session or quit the browser, the garbage collector always seems to clear the session from my database after my sess_read function. This means that, unless the browser refreshes one more time, the users session is lost. This, obviously, doesn't happen if the session I'd is completely new.
What's the best way to navigate this issue? Should I recall sess_read() at the end of the sess_gc function?
Thanks for the quick response. Great forum.
drayfuss
Re: Session Handler Destroy
Posted: Mon May 10, 2010 4:06 pm
by flying_circus
You can run into a race condition, where the use goes idle and the garbage collector may dump the session. Now the user is supplying a session id which no longer exists in the database.
The best way to deal with it is to check if the user supplied session id exists in the database, if not, you can start the session using the user supplied id, but always regerate id and destroy the old id. Otherwise, the max lifetime seems to be working like it should. Maybe lengthen the max life if it seems too short?
Re: Session Handler Destroy
Posted: Mon May 10, 2010 5:13 pm
by drayfuss
So in effect, the script running the garbage collection function is actually doing the work of the whole website in removing old sessions. I should have it do its magic, with the exception of the session provided by the user initiating the script?
Surely that would make it difficult for a user to garbage collect their own session, even if it WAS outdated.
If you could give me a more detailed process I might grasp it...
Maybe a few botched simplified functions for examples sake?
Cheers,
drayfuss