Sessionfile based users online viewer

Posted: Wed Feb 25, 2004 12:50 pm
by Shendemiar
I made it, but now I'm annoyed by the old session files. What can I do to get rid of them?

Posted: Wed Feb 25, 2004 2:22 pm
by Shendemiar
Editing session lifetime to short and garbage collector to appear at 100% didn't make old session files disappear...

And yes, I edited the one in the Windows folder (php.ini)

Posted: Wed Feb 25, 2004 3:58 pm
by evilMind
You'll have to set up a script to manually remove them. If not they'll lie around forever (probably...) and you'll run into possible security risks (session hijacking.. see http://www.acros.si/papers/session_fixation.pdf for an elaborate in-depth discussion on session handling...)

Posted: Wed Feb 25, 2004 4:00 pm
by evilMind
Almost forgot..
Check out http://www.devnetwork.net/forums/viewtopic.php?t=14193 for a code snippet

Posted: Wed Feb 25, 2004 5:05 pm
by Shendemiar
evilMind wrote: You'll have to set up a script to manually remove them. If not they'll lie around forever (probably...) and you'll run into possible security risks (session hijacking.. see http://www.acros.si/papers/session_fixation.pdf for an elaborate in-depth discussion on session handling...)
Thanks for the links!

Posted: Wed Feb 25, 2004 5:27 pm
by Shendemiar
But why are there session files over a day old anyway?

Posted: Thu Feb 26, 2004 12:16 am
by evilMind
I'll have to use an example to explain this since I don't think I'll be able to any other way.

Let's say you use PHP sessions for user authentication and variable crossover (like most do). Your user logs in which causes a session to be established, thus (most likely) creating a session file (default=/tmp/sess_randomString) and sending a cookie to the client to send back so we know what session file to look at for information... When a user clicks the logout button, the file is removed and the cookie is deleted (if it's not session based on an IE client (they don't delete those cookies)). So we have removed the session file and got rid of the cookie. No problems here.

But what about that pesky user that logs in but *never* logs out? Well, the cookie remains until it's time for it to blow up and so does the file. However the file doesn't know when to self-destruct so it just sits there. Which is why you have session files lying around that are >1 day old..


Sorry for the long explanation but it's the only way I knew how to explain why...
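
A cleanup script of the kind discussed in this thread, as an added example that is not code from any poster or from the linked snippet. It assumes PHP 7.1 or later, the default "files" session handler and a flat save directory; the function name `purge_stale_sessions` and the demo file names are hypothetical.

```php
<?php
// Added example: delete PHP session files that have been idle longer than
// the configured lifetime. Assumes the "files" handler and a flat directory.

function purge_stale_sessions(string $dir, int $maxLifetime, ?int $now = null): array
{
    $now = $now ?? time();
    $removed = [];
    // scandir() returns a snapshot, so deleting while looping is safe.
    foreach (scandir($dir) ?: [] as $name) {
        // Only names the files handler creates: sess_<session id>.
        if (!preg_match('/^sess_[A-Za-z0-9,-]+$/', $name)) {
            continue;
        }
        $path = $dir . DIRECTORY_SEPARATOR . $name;
        // Regular files only; never follow a symlink planted in a shared temp dir.
        if (is_link($path) || !is_file($path)) {
            continue;
        }
        // PHP writes or touches the file on every request that uses the
        // session, so the modification time is the time of last activity.
        $mtime = filemtime($path);
        if ($mtime !== false && $now - $mtime > $maxLifetime && @unlink($path)) {
            $removed[] = $name;
        }
    }
    return $removed;
}

// Constructed demo data in a scratch directory (not a real session store).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sessdemo_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$now = time();
touch("$dir/sess_stale0000000000000000000001", $now - 2 * 86400); // idle for two days
touch("$dir/sess_fresh0000000000000000000002", $now - 60);        // active a minute ago
touch("$dir/notes.txt", $now - 2 * 86400);                        // unrelated file, must survive

// session.gc_maxlifetime is in seconds; 1440 is PHP's shipped default.
$lifetime = (int) ini_get('session.gc_maxlifetime') ?: 1440;
print_r(purge_stale_sessions($dir, $lifetime, $now));
```

For a real store, pass the directory from `session_save_path()` (or the `session.save_path` value in php.ini) instead of the scratch directory, and run the script from a scheduled task under the same account as the web server.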

Posted: Thu Feb 26, 2004 1:16 pm
by Shendemiar
Thanks!

I found code that removes old session files, but it didn't make the session-based users online counter any more usable, so I wrote it completely the normal way using MySQL and timestamps and IPs and user IDs.