session variable auto-delete?

Posted: Thu Aug 19, 2004 1:05 pm
by Deno
I made a backend system for a client which requires her to log in with a username and password, and when the user logs in, it creates session variables, storing the username and password, and when the user clicks the logout link, it destroys the session variables.

However, if the user just closes the browser, the session variables are STILL stored on the server, which is bad for security IMO, and there are quite a lot of sessions stored on my client's webserver. Is there any way to get the session to auto-delete, or to delete it when the user just closes the browser rather than hitting the logout link?

Any help would be appreciated again. :) :? :?:

Posted: Thu Aug 19, 2004 1:10 pm
by feyd
The old session data is deleted when the garbage collector runs. The default, last I saw, for PHP file sessions is a 1% probability that it runs. You can adjust that number up in your php.ini under session.gc_probability and session.gc_divisor.

See the PHP manual entry for session for details on them.

Posted: Thu Aug 19, 2004 4:52 pm
by Buddha443556
If you're using cookies, are you destroying the cookie along with the session?

    session_unset();
    session_destroy();
    setcookie(session_name(), "", 0, "/");

Don't destroy the cookie and PHP will create a new session with the same ID as the old cookie. This drove me nuts when I made a custom session handler for MySQL DB.

It's not really a problem though if you use session_regenerate_id() whenever someone logs in. This way no one can plant a session ID on someone's computer and hijack it when they log in.
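
The points from the two replies above combined into one session helper, as an added example that is not part of the original posts. It goes one step beyond them by also enforcing an idle limit on every request, since the server never sees the browser close and garbage collection is only probabilistic. The names app_session_start(), app_login(), app_logout(), IDLE_LIMIT and the 'last_seen' key are assumptions made for illustration.

```php
<?php
// Added example; function names, IDLE_LIMIT and 'last_seen' are hypothetical.
const IDLE_LIMIT = 1800; // seconds of inactivity allowed (assumed policy value)

function app_session_start(): void
{
    // Run the garbage collector on about 1 request in 10 instead of 1 in 100,
    // and let it treat session data idle longer than IDLE_LIMIT as garbage.
    ini_set('session.gc_probability', '1');
    ini_set('session.gc_divisor', '10');
    ini_set('session.gc_maxlifetime', (string) IDLE_LIMIT);
    ini_set('session.use_strict_mode', '1'); // refuse IDs the server did not issue
    session_set_cookie_params(0, '/');       // lifetime 0: cookie ends with the browser
    session_start();

    // GC may not have run yet, so check the idle limit on every request as well.
    $last = $_SESSION['last_seen'] ?? null;
    if ($last !== null && time() - $last > IDLE_LIMIT) {
        $_SESSION = [];              // drop the stale login data
        session_regenerate_id(true); // new ID, old session storage deleted
    }
    $_SESSION['last_seen'] = time();
}

function app_login(string $username): void
{
    // A fresh ID at login means a planted (fixated) ID is useless afterwards.
    session_regenerate_id(true);
    $_SESSION['username'] = $username; // identity only; the password is not needed here
    $_SESSION['last_seen'] = time();
}

function app_logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie with the same parameters it was set with.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}
```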

Posted: Fri Aug 20, 2004 11:48 am
by Deno
Well, I did place the session_unset and session_destroy in my logout.php code, but I'm asking: if, say, the user closes the browser window rather than clicking on the logout link, how can I get the sessions to destroy themselves? The sessions are still there if the user closes the browser window, and having session variables still on the webserver is bad for security purposes IMO.

Any help would be appreciated. Thanks. :)