Sessionfile based users online viewer

Shendemiar
Forum Contributor
Posts: 404
Joined: Thu Jan 08, 2004 8:28 am

Sessionfile based users online viewer

Post by Shendemiar »

I made it, but now I'm annoyed by the old session files. What can I do to get rid of them?
Shendemiar
Forum Contributor
Posts: 404
Joined: Thu Jan 08, 2004 8:28 am

Post by Shendemiar »

Editing session lifetime to short and garbage collector to appear at 100% didn't make old session files disappear...

And yes, I edited the one in the Windows folder (php.ini)
evilMind
Forum Contributor
Posts: 145
Joined: Fri Sep 19, 2003 10:09 am
Location: Earth

Post by evilMind »

You'll have to set up a script to manually remove them. If not, they'll lie around forever (probably...) and you'll run into possible security risks (session hijacking... see http://www.acros.si/papers/session_fixation.pdf for an elaborate in-depth discussion on session handling...)
evilMind
Forum Contributor
Posts: 145
Joined: Fri Sep 19, 2003 10:09 am
Location: Earth

Post by evilMind »

Almost forgot..
Check out http://www.devnetwork.net/forums/viewtopic.php?t=14193 for a code snippet
Shendemiar
Forum Contributor
Posts: 404
Joined: Thu Jan 08, 2004 8:28 am

Post by Shendemiar »

evilMind wrote: You'll have to set up a script to manually remove them. If not, they'll lie around forever (probably...) and you'll run into possible security risks (session hijacking... see http://www.acros.si/papers/session_fixation.pdf for an elaborate in-depth discussion on session handling...)
Thanks for the links!
Shendemiar
Forum Contributor
Posts: 404
Joined: Thu Jan 08, 2004 8:28 am

Post by Shendemiar »

But why are there session files over a day old anyway?
evilMind
Forum Contributor
Posts: 145
Joined: Fri Sep 19, 2003 10:09 am
Location: Earth

Post by evilMind »

I'll have to use an example to explain this since I don't think I'll be able to any other way.

Let's say you use PHP sessions for user authentication and variable crossover (like most do). Your user logs in, which causes a session to be established, thus (most likely) creating a session file (default=/tmp/sess_randomString) and sending a cookie to the client to send back so we know what session file to look at for information... When a user clicks the logout button, the file is removed and the cookie is deleted (if it's not session based on an IE client (they don't delete those cookies)). So we have removed the session file and got rid of the cookie. No problems here.

But what about that pesky user that logs in but *never* logs out? Well, the cookie remains until it's time for it to blow up and so does the file. However, the file doesn't know when to self-destruct so it just sits there. Which is why you have session files lying around that are >1 day old..


Sorry for the long explanation but it's the only way I knew how to explain why...
Shendemiar
Forum Contributor
Posts: 404
Joined: Thu Jan 08, 2004 8:28 am

Post by Shendemiar »

Thanks!

I found a code that removes old session files, but it didn't make the session-based users online counter any more usable, so I wrote it completely the normal way using MySQL and timestamps and IPs and user IDs
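
A cleanup script of the kind evilMind suggests, as an added example that is not code from this thread or from the linked snippet. The function names `parse_save_path` and `purge_stale_sessions` are hypothetical, and the demo files are constructed in a scratch directory.

```php
<?php
// Added example, not code from the thread. Deletes session files whose
// modification time is older than the configured session lifetime.

/** Split session.save_path ("[N;[MODE;]]/path") into [directory, depth N]. */
function parse_save_path(string $savePath): array
{
    $parts = explode(';', $savePath);
    $dir   = (string) end($parts);
    $depth = count($parts) > 1 ? (int) $parts[0] : 0;
    return [$dir !== '' ? $dir : sys_get_temp_dir(), $depth];
}

/** Remove stale sess_* files under $dir; returns the names that were deleted. */
function purge_stale_sessions(string $dir, int $depth, int $maxLifetime): array
{
    $deleted = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::LEAVES_ONLY,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable subdirectories
    );
    $it->setMaxDepth($depth);                        // stay within the N levels PHP uses
    foreach ($it as $file) {
        // Never follow symlinks, and only touch files named like session files.
        if ($file->isLink() || !$file->isFile()) continue;
        if (strpos($file->getFilename(), 'sess_') !== 0) continue;
        if (time() - $file->getMTime() <= $maxLifetime) continue;
        if (@unlink($file->getPathname())) $deleted[] = $file->getFilename();
    }
    return $deleted;
}

// Demo on constructed files in a scratch directory (not a real session store).
$scratch = sys_get_temp_dir() . '/sessdemo_' . bin2hex(random_bytes(4));
mkdir($scratch, 0700);
touch("$scratch/sess_fresh");                        // modified just now
touch("$scratch/sess_stale", time() - 2 * 86400);    // two days old
touch("$scratch/other_old", time() - 2 * 86400);     // old, but not a session file
print_r(purge_stale_sessions($scratch, 0, 1440));    // 1440 s is PHP's default gc_maxlifetime
array_map('unlink', glob("$scratch/*"));
rmdir($scratch);

// Real use: [$dir, $depth] = parse_save_path(ini_get('session.save_path'));
//           purge_stale_sessions($dir, $depth, (int) ini_get('session.gc_maxlifetime'));
```

Run it from a scheduled task under an account that can write to the session directory, using the same php.ini as the web server so both agree on the path and lifetime.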