How to clean session value from MySQL when not 'Sign out'

         

impact

7:14 am on Apr 18, 2010 (gmt 0)

10+ Year Member



Hello,

I am making a member site. When someone signs in, I get the current session and store it in the database.

To secure my site,

Step 1 - On each page I am collecting the session value and comparing it with the value available in the database. If it matches, step 2 takes place; otherwise the user is sent to the login page.

Step 2 - Session is regenerated, database is updated with new session.

Now the problem is that when someone signs out I am able to clean the session values and the database, but when someone forgets to sign out, the session value remains in the database.

Any idea, how should I go about this?

Thank you for helping a novice!

brotherhood of LAN

7:20 am on Apr 18, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You could add a "last page viewed" timestamp in the members table, and if they haven't viewed a page in a long time, sign them out.

impact

7:27 am on Apr 18, 2010 (gmt 0)

10+ Year Member



Thank you for replying. Can you please elaborate more on this? I have never done this before, so I am wondering how to make it in PHP!

brotherhood of LAN

7:38 am on Apr 18, 2010 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



- Add a column in your members table, say "lastview" and use an INT unsigned column.

- Every time someone views a page, check that the last page view was not too long ago. Log them out if that's the case, or update the table with the timestamp of that moment and they're still logged in.

Since you'll already be querying the table to validate if someone is logged in, not much changes there. Having to update the table with the new timestamp obviously has some overhead but will do the job.

The less overhead way would be to define how long your logged-in users' cookies should last, i.e. 2 hours... and update the expiration time whenever a new page is loaded while they are logged in.

The drawback of that method is that cookies are client side and could be altered by the client to change the expiry of it.
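The "lastview" check described in the reply above, as an added example that is not code from the thread: the idle limit is enforced on the server, so a client that edits its cookie expiry gains nothing, and a purge query clears the values left behind by members who never return. The `members` layout, the `session_token` column, the function names and the in-memory SQLite database standing in for MySQL are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Names other than "lastview" are
// assumptions; SQLite in memory stands in for MySQL so the script runs offline.
const MAX_IDLE = 7200; // 2 hours, the figure mentioned in the reply above

// Returns the member id for a live session, or null (send the user to login).
function check_session(PDO $db, string $token, int $now): ?int
{
    $q = $db->prepare('SELECT id, lastview FROM members WHERE session_token = ?');
    $q->execute([$token]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // unknown token
    }
    if ($now - (int)$row['lastview'] > MAX_IDLE) {
        // Idle too long: sign out on the server side by clearing the stored value.
        $db->prepare('UPDATE members SET session_token = NULL WHERE id = ?')
           ->execute([$row['id']]);
        return null;
    }
    // Still active: record this page view.
    $db->prepare('UPDATE members SET lastview = ? WHERE id = ?')
       ->execute([$now, $row['id']]);
    return (int)$row['id'];
}

// Clears values left by members who never came back; run from cron or at login.
function purge_idle_sessions(PDO $db, int $now): int
{
    $q = $db->prepare('UPDATE members SET session_token = NULL
                       WHERE session_token IS NOT NULL AND lastview < ?');
    $q->execute([$now - MAX_IDLE]);
    return $q->rowCount(); // number of stale sessions removed
}

// Constructed sample data: one active, one idle, one abandoned session.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, session_token TEXT, lastview INTEGER)');
$now = 1271574000;
$ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
$ins->execute([1, 'tok-active', $now - 600]);
$ins->execute([2, 'tok-stale', $now - 3 * 3600]);
$ins->execute([3, 'tok-abandoned', $now - 86400]);

var_dump(check_session($db, 'tok-active', $now));
var_dump(check_session($db, 'tok-stale', $now));
var_dump(purge_idle_sessions($db, $now));
```

On MySQL the `lastview` column would be the `INT UNSIGNED` suggested in the reply, and an index on `session_token` keeps the per-page lookup cheap.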