session variable auto-delete?

Deno
Forum Newbie
Posts: 12
Joined: Mon Aug 16, 2004 11:35 am
Location: AB, Canada

session variable auto-delete?

Post by Deno »

I made a backend system for a client which requires her to log in with a username and password, and when the user logs in, it creates session variables storing the username and password, and when the user clicks the logout link, it destroys the session variables.

However, if the user just closes the browser, the session variables are STILL stored on the server, which is bad for security IMO, and there are quite a lot of sessions stored on my client's webserver. Is there any way to get the session to auto-delete, or to delete it when the user just closes the browser rather than hitting the logout link?

Any help would be appreciated again. :) :? :?:
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The old session data is deleted when the garbage collector runs. The default, last I saw, for PHP file sessions is a 1% probability that it runs. You can adjust that number up in your php.ini under session.gc_probability and session.gc_divisor.

See the PHP manual entry for session for details on them.
Buddha443556
Forum Regular
Posts: 873
Joined: Fri Mar 19, 2004 1:51 pm

Post by Buddha443556 »

If you're using cookies, are you destroying the cookie along with the session?

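Code:

    // Clear the session variables, then remove the session data on the server
    session_unset();
    session_destroy();
    // Send an empty value so the browser drops the session cookie as well
    setcookie(session_name(), "", 0, "/");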
Don't destroy the cookie and PHP will create a new session with the same ID as the old cookie. This drove me nuts when I made a custom session handler for MySQL DB.

It's not really a problem though if you use session_regenerate_id() whenever someone logs in. This way no one can plant a session ID on someone's computer and hijack it when they log in.
Deno
Forum Newbie
Posts: 12
Joined: Mon Aug 16, 2004 11:35 am
Location: AB, Canada

Post by Deno »

Well, I did place the session_unset and session_destroy in my logout.php code... but I'm asking: if, say, the user closes the browser window rather than clicking on the logout link, how can I get the sessions to destroy themselves? Because the sessions are still there if the user closes the browser window, and having session variables still on the webserver is bad for security purposes IMO.

Any help would be appreciated. Thanks. :)
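
Added example, not code from any poster in this thread: the server is never told that a browser window was closed, so this PHP code combines the garbage-collector settings feyd mentions with the logout and session_regenerate_id() steps from Buddha443556's post, and goes one step further with a server-side idle check on every request. IDLE_LIMIT, the 'user' and 'last_seen' session keys and the three function names are assumptions made for illustration.

```php
<?php
// Added example. IDLE_LIMIT, the 'user'/'last_seen' keys and the function
// names are assumptions, not part of the original thread.
const IDLE_LIMIT = 1800; // seconds of inactivity after which a session is dead

// The two settings feyd names, plus session.gc_maxlifetime (the age at which
// the collector treats session data as stale). Set before session_start().
ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
ini_set('session.gc_probability', '1');
ini_set('session.gc_divisor', '100');    // GC runs on about 1 in 100 session starts
ini_set('session.cookie_lifetime', '0'); // cookie is dropped when the browser closes
ini_set('session.use_strict_mode', '1'); // refuse session IDs the server did not issue

// Full logout: variables, cookie and server-side data.
function destroy_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Call at the top of every protected page. GC is probabilistic, so stale data
// can stay on disk for a while; this check rejects it without waiting for GC.
function require_login(): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $last = $_SESSION['last_seen'] ?? 0;
    if (!isset($_SESSION['user']) || time() - $last > IDLE_LIMIT) {
        destroy_session();
        return false; // caller redirects to the login page
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Call only after the username and password have been verified.
function log_in(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);     // fresh ID at login, old session data deleted
    $_SESSION['user'] = $username;   // the password does not need to be kept here
    $_SESSION['last_seen'] = time();
}
```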