• Status: Solved

Managing PHP sessions and timeouts

I am a beginning PHP programmer with a lot of Classic ASP experience. I am creating a new web app where users log in and the login status is controlled with a PHP session. I have this bit of code inserted at the beginning of all my pages, via an include file:

session_start();

if (!isset($_SESSION["user_id"])){
	$user_login=0;
} else {
	if ($_SESSION["user_id"]==""){
		$user_login=0;
	} else {
		$user_login=1;
	}
}

For pages where I don't want non-logged in users to have access, I insert this at the top:

if ($user_login==0){
	header("Location: default.php", true, 303);
	die();
}

That simply bounces them back to the home (login) page if $user_login==0, rather than loading the rest of the page. If they are logged in ($user_login==1), then the page will load.

When the user clicks a "log out" button, I simply call this:

$_SESSION["user_id"]="";

All of that works fine. The odd thing is that my sessions don't seem to time out. It is my understanding that a PHP session will timeout after 20 minutes of inactivity (similar to an ASP session). However, even after letting my browser window sit idle for over an hour, if I hit "reload", the browser does not redirect back to the home (login) page.

Is there something I am missing? Also, is the way I am coding sessions in the above examples pretty solid, as far as PHP goes? Would appreciate any advice or critique on what I'm doing.

Thank you.
Asked by: Brad Bansner
 
Dave Baldwin (Fixer of Problems) commented:
"a PHP session will timeout after 20 minutes of inactivity"
That isn't completely true.  While the timeout is 20 minutes, the actual garbage collection on the server that deletes the session data is determined by the session.gc_divisor and session.gc_probability settings in php.ini.  This is done to prevent wasting a lot of time on garbage collection that could slow down a busy server.  http://php.net/manual/en/ini.list.php

Another case is when you are the only one on the server.  The only time garbage collection can run is when the PHP interpreter is called.  If it is never called because you never accessed a page... it never runs.

Note also that if you have any 'background' accesses to the server with AJAX, that resets the timer on every access.  Also if you have a second window open in the same browser to the same site, that will keep it going because the cookies are shared across all windows of a browser.

Dave Baldwin (Fixer of Problems) commented:
When you want to end a session, please refer to the example code on this page.  http://php.net/manual/en/function.session-destroy.php

Brad Bansner (Web Developer, Author) commented:
Thanks, this is very helpful, and it makes sense due to the way things have been working on this site.

Dave Baldwin (Fixer of Problems) commented:
You're welcome.  Sessions aren't all that hard but they are also not what most people expect at first.  The primary reason for sessions is to identify $_SESSION[] data to a particular user.  The timeout is really to clean up old data on the server.  That's why the timeout is not exact.
Question has a verified solution.
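
An added example, not part of the original thread or any poster's code: one way to enforce the inactivity limit in the include file itself instead of waiting for session garbage collection, ending the session along the lines of the session_destroy manual page linked above. The names `end_session`, `is_idle_expired`, `last_activity` and `IDLE_LIMIT_SECONDS`, and the 20-minute limit, are assumptions for illustration.

```php
<?php
// Hypothetical replacement for the include file shown in the question.
// The idle limit is checked on every request, so it no longer depends on
// when (or whether) the server's garbage collector removes old session data.

const IDLE_LIMIT_SECONDS = 20 * 60; // assumed policy: 20 minutes of inactivity

// Clear the session data, expire the session cookie in the browser,
// then destroy the server-side session record.
function end_session(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// True when a recorded last-activity time is older than the limit.
// A session with no timestamp yet (first request) is not treated as expired.
function is_idle_expired(?int $lastActivity, int $now, int $limit = IDLE_LIMIT_SECONDS): bool
{
    return $lastActivity !== null && ($now - $lastActivity) > $limit;
}

session_start();
$now = time();

if (is_idle_expired($_SESSION['last_activity'] ?? null, $now)) {
    // Stale session: discard it now, even if the data file still exists on disk.
    end_session();
    $user_login = 0;
} else {
    // Every request counts as activity, including AJAX calls and other tabs.
    $_SESSION['last_activity'] = $now;
    $user_login = (isset($_SESSION['user_id']) && $_SESSION['user_id'] !== '') ? 1 : 0;
}
```

The log-out handler can call `end_session()` in place of assigning an empty string to `$_SESSION["user_id"]`, so the old session ID and its data do not remain valid on the server.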
