Managing PHP sessions and timeouts

I am a beginning PHP programmer with a lot of Classic ASP experience. I am creating a new web app where users login and the login status is controlled with a PHP session. I have this bit of code inserted at the beginning of all my pages, via an include file:

session_start();

if (!isset($_SESSION["user_id"])){
	$user_login=0;
} else {
	if ($_SESSION["user_id"]==""){
		$user_login=0;
	} else {
		$user_login=1;
	}
}

Open in new window


For pages where I don't want non-logged in users to have access, I insert this at the top:

if ($user_login==0){
	header("Location: default.php", true, 303);
	die();
}

Open in new window


That simply bounces them back to the home (login) page if $user_login==0, rather than loading the rest of the page. If they are logged in ($user_login==1), then the page will load.

When the user clicks a "log out" button, I simply call this:

$_SESSION["user_id"]="";

Open in new window


All of that works fine. The odd thing is that my sessions don't seem to timeout. It is my understanding that a PHP session will timeout after 20 minutes of inactivity (similar to an ASP session). However, even after letting my browser window sit idle for over an hour, if I hit "reload", the browser does not redirect backt to the home (login) page.

Is there something I am missing? Also, is the way I am coding sessions in the above examples pretty solid, as far as PHP goes? Would appreciate any advice or critique on what I'm doing.

Thank you.
Brad BansnerWeb DeveloperAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Dave BaldwinFixer of ProblemsCommented:
a PHP session will timeout after 20 minutes of inactivity
That isn't completely true.  While the timeout is 20 minutes, the actual garbage collection on the server that deletes the session data is determined by the session.gc_divisor and session.gc_probability settings in php.ini.  This is done to prevent wasting a lot of time on garbage collection that could slow down a busy server.  http://php.net/manual/en/ini.list.php

Another case is when you are the only one on the server.  The only time garbage collection can run is when the PHP interpreter is called.  If it is never called because you never accessed a page... it never runs.

Note also that if you have any 'background' accesses to the server with AJAX, that resets the timer on every access.  Also if you have a second window open in the same browser to the same site, that will keep it going because the cookies are shared across all windows of a browser.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Dave BaldwinFixer of ProblemsCommented:
When you want to end a session, please refer to the example code on this page.  http://php.net/manual/en/function.session-destroy.php
0
Brad BansnerWeb DeveloperAuthor Commented:
Thanks, this is very helpful, and it makes sense due to the way things have been working on this site.
0
Dave BaldwinFixer of ProblemsCommented:
You're welcome.  Sessions aren't all that hard but they are also not what most people expect at first.  The primary reason for sessions is to identify $_SESSION[] data to a particular user.  The timeout is really to clean up old data on the server.  That's why the timeout is not exact.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
PHP

From novice to tech pro — start learning today.