[nycphp-talk] Checking active sessions
David Krings
ramons at gmx.net
Thu Apr 26 19:07:29 EDT 2007
Rob Marscher wrote:
>>> Is there any way I can check which sessions are currently active and
>>> which aren't? I like to add some housekeeping code, but taking away
>>> things from active sessions would be just mean.
>
> Check out the documentation for session_set_save_handler --
> http://us.php.net/manual/en/function.session-set-save-handler.php This
> is how you can override the way php handles sessions by default and put
> in your own code. The "gc" function (stands for garbage collection) is
> where the "housekeeping" code goes. Note that the default php session
> handlers should be cleaning up the expired session temp files for you
> automatically. The location for these temp files is specified by the
> session.save_path php.ini setting.
Thanks for the pointer. I misused the term "temp file". What I do is
create a folder that has to be unique and therefore is identical with
the session id. That is not the temp folder that the web server / PHP
creates when starting a session. I called it temp folder because I dump
upload files and other stuff in there in order to do all kinds of things
with it, once done the files are moved to the final resting spot. Since
all this real client server and stateless stuff doesn't let me know when
a client just went away, I have to come up with some way of cleaning up
a bit at some point. When the client goes away right after an upload and
before initiating the final submission, files may be left in there.
While some stale folders and files are OK (although not nice), having
them pile up over time will become a problem. So I need to keep track of
the sessions that were generated through my script in order to ditch
that folder with contents (annoyingly, there seems to be no PHP code
word that does exactly that) when the session is most likely to be
expired (24 hours later for example).
>> My plan is to create a session, authenticate the user, then generate a
>> new session ID for the session )I read that this improves security and
>> is easy enough to do)
>
> As far as regenerating the session id after login, it *is* simple --
> http://us.php.net/manual/en/function.session-regenerate-id.php -- but if
> you're overwriting the default session handler to store sessions in a
> database table, you need to make sure that it's getting updated the way
> you expect.
Well, my idea is to start the session, do the login and authentication,
when the user is accepted, regenerate the session id, and then write it
to the table with a timestamp. I don't see any reason to write the first
session id to the table, because I throw that one away soon after. I
really only want to keep the ids because I want to clean up the folders
that I created.
Sounds like a workable and reliable approach to me...if I'd just had the
time to finally do it. Working with ZIP files at the moment, which go to
that session id folder as well. Still haven't really understood how the
unpacking works and what this new and -> stuff is about, anyhow (OK, I
read too much Bob Pease).
Thanks for the help,
David
More information about the talk
mailing list