Forum Moderators: coopster


PHP Sessions

php , session, session variables.

         

juliebelle

5:53 pm on Nov 16, 2004 (gmt 0)

10+ Year Member



I have started this thread so we could have a discussion about sessions and how they are managed. Anyone interested, please add questions / comments and answers of course.

So some questions I have are:

How are sessions stored on the server? Does the PHP engine create database tables to handle session data?

Can sessions interfere with each other, resulting in a programming bug, i.e. entering another existing session belonging to a different user?

Can a session be automatically set to expire after a set amount of time, like cookies can?

Any comments welcome.

Julie

dreamcatcher

8:00 pm on Nov 16, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



PHP sessions are stored in your server's /tmp directory. Not sure if this varies at all. You can create a custom session handler to store information in a database if you want, but this is not done automatically.

The lifetime of a session is set in your PHP.ini file. I think most shared servers have it set to 15mins, after which time it will expire. If you close your browser after creating a session, the session is automatically terminated. If you are after an alternative to keep you logged in, you need to look at cookies.

dc :)

coopster

8:25 pm on Nov 16, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



Be careful with sessions on shared hosting servers.

[webmasterworld.com...]

juliebelle

11:39 pm on Nov 16, 2004 (gmt 0)

10+ Year Member



Thanks for the info, dreamcatcher. I haven't seen that in any book so far. Really useful. Well, 15 min is a bit too little time, however it's acceptable.

My main concern is the ability to disallow logins by multiple people at a time using the same account. I guess I have to implement that myself, however, because sessions will not manage that for me.

I was thinking of setting a boolean field called "logged" in the MySQL database and change that to true when someone logs, and back to false again when he logs off. The only thing is what would happen if he closes the browser without logging out. That would log him out.

Is there a function that could check if a particular session is expired or not? I could create another field in the database storing the session hash code, then on his next log-on, check whether the session corresponding to the hashkey is still valid.

Any comments?

Julie

dreamcatcher

12:22 am on Nov 17, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Julie,

Easy way to prevent any kind of session conflict with your users is to set the session variables that are something unique to that particular visitor. Maybe username or e-mail address? Or both. Then query your database based on these variables. As the data is unique, no two users can be the same.

To check whether a session variable already exists, do something like:

    if ((isset($_SESSION['username'])) && (isset($_SESSION['email'])))
    {
        return true;
    }
    else
    {
        return false;
    }

mincklerstraat

7:36 am on Nov 17, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The length of sessions can be modified with session_cache_expire() [be2.php.net]; you might also be able to set this a bit more globally in php.ini or in an htaccess file, check the page on ini_set() and you can see all the nice configuration values. (found it - here [be2.php.net]). I believe default is 180 minutes.

One way to do what you're asking, which will have a fairly big drawback: you'll want to have a field in this same row of your db 'last_access' which is updated with each pageview, and shows the last access date/time of the user. When a user tries to log in, if the field shows the user to be logged out, or the last_access shows that the session would be expired, the user is allowed to log in. Drawback: if they've nuked their cookies, or are url-based sessions, and try to log back in inside this session expire time, they get a message that they won't be able to log in for x minutes, and some might get irritated. However, if security is important, a little irritation is relatively trivial.
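The single-login scheme discussed in the posts above (a stored session identifier plus a last_access column), as an added example that is not part of any poster's message. The users table, its columns, IDLE_TIMEOUT and the function names are hypothetical, and an in-memory SQLite database (pdo_sqlite assumed) stands in for MySQL so the script runs on its own.

```php
<?php
declare(strict_types=1);

const IDLE_TIMEOUT = 900; // seconds; assumed value (the 15 minutes mentioned in the thread)

// Hypothetical schema: one row per account, recording which session owns the login.
function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, session_id TEXT, last_access INTEGER)');
    $db->exec("INSERT INTO users (username) VALUES ('julie')"); // constructed sample account
    return $db;
}

// Claim the account for $sid only if it is free, already ours, or the holder is idle.
// A single conditional UPDATE, so two simultaneous logins cannot both succeed.
function try_login(PDO $db, string $user, string $sid, int $now): bool {
    $q = $db->prepare('UPDATE users SET session_id = ?, last_access = ?
                       WHERE username = ? AND (session_id IS NULL OR session_id = ? OR last_access < ?)');
    $q->execute([$sid, $now, $user, $sid, $now - IDLE_TIMEOUT]);
    return $q->rowCount() === 1;
}

// Call on every page view: succeeds only while this session still owns the row
// and has not been idle longer than IDLE_TIMEOUT.
function touch_session(PDO $db, string $user, string $sid, int $now): bool {
    $q = $db->prepare('UPDATE users SET last_access = ?
                       WHERE username = ? AND session_id = ? AND last_access >= ?');
    $q->execute([$now, $user, $sid, $now - IDLE_TIMEOUT]);
    return $q->rowCount() === 1;
}

// Explicit logout frees the account immediately, but only for the owning session.
function logout(PDO $db, string $user, string $sid): void {
    $db->prepare('UPDATE users SET session_id = NULL WHERE username = ? AND session_id = ?')
       ->execute([$user, $sid]);
}

// Constructed walk-through: fixed timestamps and ids replace time() and session_id().
$db = make_db();
var_dump(try_login($db, 'julie', 'sess-A', 1000));     // first browser logs in
var_dump(try_login($db, 'julie', 'sess-B', 1100));     // second browser, 100 s later
var_dump(touch_session($db, 'julie', 'sess-A', 1200)); // first browser views a page
var_dump(try_login($db, 'julie', 'sess-B', 2200));     // second browser, first idle 1000 s
var_dump(touch_session($db, 'julie', 'sess-A', 2210)); // first browser returns
```

In an application, call session_regenerate_id(true) at login and pass hash('sha256', session_id()) as $sid so the database never holds a usable session identifier. With PDO's MySQL driver, rowCount() reports changed rather than matched rows unless PDO::MYSQL_ATTR_FOUND_ROWS is enabled, which matters when two page views land in the same second.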

juliebelle

12:56 am on Nov 18, 2004 (gmt 0)

10+ Year Member



What did you mean by the "session conflict" here, dreamcatcher? Does it have to do with not allowing 2 users logging in simultaneously with the same account?

Julie

dreamcatcher

9:29 am on Nov 18, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That's right, Julie. If for example two visitors can have the same username, this could mean that when one user updates something, it could affect the other user's account. You can use the LIMIT clause in mysql to affect only one row, but that still doesn't mean it would be the correct one.

It all depends how you syntax your code. So long as you are pulling data based on something unique you should have no problems. On my own site that I am not redesigning, email and usernames are unique so no two users can have the same ones. Then I just query the database based on these two values.

juliebelle

5:42 pm on Nov 23, 2004 (gmt 0)

10+ Year Member



Yes, exactly. You always have to match data across some unique field, like the email address.

I also was thinking about the PHP certification that is now being offered by ZEND. What do you think?

julie