PHP session management

Forum Moderators: coopster

Message Too Old, No Replies

PHP session management

How to check if session has expired?

pacpac

7:03 am on Sep 27, 2008 (gmt 0)

I'm new to PHP and learning PHP session management all by myself.
I'm writing a code wherein the administrator logs-in and does some tasks like view reports / delete users / file downloads etc. But meanwhile if his session gets over, he should again be redirected to the log-in page.
My question is how to check if his session has expired while he is busy with his admin-tasks? Is there any way to check this in background using
some background processes or something similar?
I've gone through a lot of forums and tutorials describing the sessions, cookies, $_SESSION superglobal array, PHPSESSID. But a few things are still confusing.
Can anyone elaborate on this?
Thanks.

cameraman

7:58 pm on Sep 27, 2008 (gmt 0)

Welcome to Webmaster World, pacpac.

As long as the administrator is interacting with the web site, the session stays alive; it will only expire when there's a lapse in interaction that's longer than the session lifetime.

When someone's session has expired, you won't see the variables that you set in $_SESSION, just like someone who's newly arrived at the web site. If you're checking, say, $_SESSION['admin'] on your admin page to decide whether or not to show them the page, $_SESSION['admin'] will disappear if the session has expired.

pacpac

3:58 am on Sep 29, 2008 (gmt 0)

Thanks cameraman for the welcome.
"When someone's session has expired, you won't see the variables that you set in $_SESSION" ... That's correct.
But, as a coder, to put it more precisely --->
When certain conditions are met (mainly when the time limit is reached), I will destroy the session in my code. I'm not sure which variables to check and when to destroy the session.

hal12b

5:48 pm on Sep 29, 2008 (gmt 0)

I would check to see if the session is equal to your value. If it is, do nothing, if it isn't redirect the user to a login page? I'm fairly new to PHP too, but this is what I did in the past for ASP pages.

grallis

6:35 pm on Sep 29, 2008 (gmt 0)

pacpac, so you're looking to destroy the session in your code before php's session limit is up? If you'd like, a more efficient way, if you have access to your php.ini or your host an change it for you is, to lower the session time limit right in php, that way, you don't have to use extra code and a possible cron job to destroy the sessions.

pacpac

3:45 am on Sep 30, 2008 (gmt 0)

That's right, grallis. I wish to set my own session duration and I would destroy the session when that limit is reached irrespective of the default PHP session limit.

"a more efficient way, if you have access to your php.ini or your host can change it for you is, to lower the session time limit right in php, that way, you don't have to use extra code and a possible cron job to destroy the sessions. "--->

Do you want to say that if I manage to modify php.ini for the session limit, the session-expire will be automatically checked? If that is the case, then, how would PHP decide where to redirect the control? Or, is there any variable (boolean, probably) which will tell me whether a session is still on or expired so that when its value is 'false' or '0', I will redirect the administrator to the log-in page?

grallis

5:02 am on Sep 30, 2008 (gmt 0)

Sorry, perhaps I misunderstood your question. I thought you were wanting to check the duration of the session manually(to shorten it), and destroy it if necessary.

I'll go on the premise that you're new to php as you've stated and give it a once over, so bear with me, I'm not trying to insinuate you dont know some basics.

Changing the session time limit in the php.ini will only shorten the amount of time the session can sit idle.

In your code, at the top of the page, you'd still have to validate to see if the user has the proper permissions to access the page.

Proper permissions in our case using the $_SESSION array means setting certain $_SESSION['keys'] = "and assigning them values";. If something to the effect of:


if(!isset($_SESSION['keys'])){
// redirect
}

turns out to be false, the user's session has expired, or the user did not have a session to begin with ... therefore they are not granted access to access the page.

So, to put this altogether, at the top of your page, before you output any HTML(because that's how session_start() works), you need to add this:


<?// need this for a session to work
// This checks to see if you have any current sessions, and 
// basically *attaches* you to it if you have one. If you don't have
// a current session, it assigns you a session id
[b]session_start();[/b]?>

Now ... directly below that session start, you'll want to validate a session:


<?
// we'll test for the existence of a $_SESSION variable
if(!isset($_SESSION['user'])){
 // redirect out
 header("Location: login.php");
 die(); // need this, or the rest of the script executes
}
?>

Now, if your php.ini session limit is set to say 45 minutes, after 45 minutes of inactivity, it will automatically kill your session, and when you come back to click around, it will get to the part above and redirect you somewhere friendlier like "login.php" because your session variables are not there.

**********************************************************
General workings of a PHP Session
**********************************************************
1. You connect to a webpage with PHP
2. That webpage has the session_start(); code at the top
3. An if statement kind of happens next:

PHP checks your client-side cookies to see if you have a cookie for that domain, which has a session id that matches a session_id in it's current sessions list

If you don't have a session id set, it creates one, and creates a blank cookie file(it's an actual flat file named with your session id) on the server-side.

Now if you pass session validation, it populates your line in your PHP session file with all the variables that you set via $_SESSION['user'] = "Jim";

If you have a session file set already, it knows that you have passed validation(therefore the $_SESSION array is intact the way you had set it upon validation) and the user is granted access to the page.

I'm tired, so I hope this helps you understand PHP sessions a little better.

pacpac

4:51 pm on Sep 30, 2008 (gmt 0)

Thanks, grallis. I really have to (and wish to) know the basics of PHP sessions.
Now, back to business ...
Your post has certainly helped me to understand PHP sessions somewhat better. If you can continue with your kind help, can you tell me the difference between session_expire and session_cache_expire?

pacpac

5:16 pm on Sep 30, 2008 (gmt 0)

Actually, I wanted to ask ---
What is the difference between session.gc_maxlifetime and session_cache_expire?

grallis

5:53 pm on Sep 30, 2008 (gmt 0)

Now you've got me. I haven't worked with my php.ini file in some time, but I do know that session.gc_maxlifetime is the variable you most likely want to change to adjust your session lifetime. The "GC" stands for "Garbage Collector". Most languages have a Garbage Collector of sorts ... in this case, the garbage collector kills the session after x time because it's viewed as old and is now considered to be garbage.

As for session_cache_expire ... I've never had to change or deal with that. It has to deal with the time to live for cached pages. I would leave it alone unless you can't get the results you want.

Another way to kill a session before PHP does is to set a time in seconds upon each page access in a session variable. Now take the current time in seconds, subtract it by the last page access time you set in the $_SESSION array and if the difference is greater than your custom max session seconds(whic yo uset in a variable), kill the session. When the session validation check happens directly below, it will kick them to the login page.

I do something similar on one of my sites to see which other users are online.