5

Possible Duplicate:
How do I expire a PHP session after 30 minutes?

How to detect if a session ID is dead or alive? Let's suppose somebody logged in - a new session is created and I save the session ID. If he logs in from another browser, I can determine that he is logged in twice. But how to detect if he logs out?

John Smith

5 Answers

5

What you would need to do is when he logs in to his account on a new browser, find the old sessionID associated with his account and expire it. When he clicks a logout button, you can then retire that sessionID.

EDIT:

Sorry, I read your question wrong. What you want to do is set a session timeout so if the timeout is reached, you assume the session is dead and expire it. On each page request, you will renew the expiration so that it is live. If they log in from another browser, you can assume the session in the old browser is old, and expire it right off the bat or let it expire with the timeout.

You can then check session timeouts on page load, or run a cron script that will run through the session database and expire all old sessions.

Bot
  • 1
    What happens if he closes his browser window without logging out properly? – Darin Dimitrov Jun 19 '12 at 15:27
  • 1
    @DarinDimitrov you will detect the new login associated from his account in the new browser then cross check it with your users / sessions table and expire his old session. – Bot Jun 19 '12 at 15:28
  • 1
    Yeap, that's a good approach. – Darin Dimitrov Jun 19 '12 at 15:30
  • 1
    @Computer "find the old sessionID […] and expire it" Why should he do that? This would eliminate the possibility to be logged in with several browsers at a time. – feeela Jun 19 '12 at 15:40
  • 2
    @feeela Sorry, I read his question as only wanting 1 session active. – Bot Jun 19 '12 at 15:43
3

When the user logs in you should set a session variable to say they are logged in.

If the user logs out you should use session_destroy() to end the session.

This way the variable is destroyed, so if you check the session variables it will not be true. I personally use $_SESSION['isLoggedIn'] = TRUE.

Edit to add: If you want this to work on multiple browsers or computers you need to save the logged in or session ID to a database so you can check to see if the user is logged in elsewhere.

ShawnPConroy
3

Generally speaking, the action of "logging in" is usually linked to some kind of persistency layer, usually a user's table/collection in a database server.

Sessions are created using this saved data at login time, and the saved data is serialized in some way into the $_SESSION superglobal.

If you wanted to globally track logins/logouts, you then need to save some ID of the user (usually an email or some login credential) associated with two monotonically increasing integers that represent the number of times they have logged in/out from anywhere.

There's no hard and fast rule that this has to be conducted in a DB, it just scales better. For a small or test case, you could just as easily save paging files.

The main idea is that to have any kind of data that lasts beyond the expiration time for the session_id cookie that references the session on the server, you need to implement some form of persistency.

DeaconDesperado
3

Use a $_SESSION[] when a user logs in and set the variable to be true. You can save some data in the session variable too if you need. Once user clicks on logout set the session variable to be false. The code could be as follows:

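    // Methods of a login class; $this->CheckLoginInDB() and $this->rand_key
    // are defined elsewhere in that class.
    function Login($email, $password)
    {
        if (!isset($_SESSION)) { session_start(); }
        if (!$this->CheckLoginInDB($email, $password))
        {
            return false;
        }

        // Issue a fresh session ID on login to prevent session fixation.
        session_regenerate_id(true);
        $_SESSION[$this->GetLoginSessionVar()] = $email;

        return true;
    }

    // Name of the session key that marks a logged-in user.
    function GetLoginSessionVar()
    {
        $retvar = md5($this->rand_key);
        $retvar = 'usr_'.substr($retvar, 0, 10);
        return $retvar;
    }

    function LogOut()
    {
        if (!isset($_SESSION)) { session_start(); }

        $sessionvar = $this->GetLoginSessionVar();

        $_SESSION[$sessionvar] = NULL;

        unset($_SESSION[$sessionvar]);
    }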

This is one simple way of doing it. If you want a timeout, you can use a start time for your $_SESSION[] variable and then set a timeout time. Check for any activity till that time and then sign out like this:

    function LogOut(){
        session_start();
        // Set the timeout period. This will be in seconds.
        $inactive = 1000;
        // $_SESSION['timeout'] holds the time of the previous request, if any.
        if (isset($_SESSION['timeout'])) {
            $session_life = time() - $_SESSION['timeout'];
            if ($session_life > $inactive) {
                session_destroy();
                header("Location: logoutpage.php");
                exit; // stop here so the timestamp below is not refreshed
            }
        }
        // Record this request as the latest activity.
        $_SESSION['timeout'] = time();
    }

There could be better ways of doing this. I am looking for a better way to do it myself. Hope it helps.

So if he closes his browser he will be logged out after inactivity anyway. But if you want logout after the browser is closed, check ini.session.cookie-lifetime.

Maddy
2

For that you will need to log in your user table, or switch to storing sessions in the DB; then you can check sessions against users (if you set it up that way).

Brian
  • Just a word of warning for anybody looking to switch their Session to DB - this is significantly slower so is not recommended on a busy server. – Vincent Dec 20 '21 at 17:11
  • However, needed if you load balance and one request can be served between servers; only slower if you have a poor infrastructure of badly configured architecture. – Brian Jan 19 '22 at 10:58
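The session-table approach that several answers above describe (an idle timeout renewed on each request, an explicit logout, and a cron sweep for abandoned sessions), as an added example that is not part of any answer on this page. The table, column and function names are hypothetical, and it assumes PHP 7.1+ with the pdo_sqlite extension so that it runs offline against an in-memory database.

```php
<?php
// Added example, not from any answer. Table and function names are hypothetical.
const IDLE_TIMEOUT = 1800; // seconds of inactivity before a session counts as dead
function registryOpen(): PDO {
    $db = new PDO('sqlite::memory:'); // in-memory SQLite so the sketch runs offline
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE user_sessions (sid_hash TEXT PRIMARY KEY,
               user_id INTEGER NOT NULL, last_seen INTEGER NOT NULL)');
    return $db;
}
// Store a hash so that a leaked table does not hand out usable session IDs.
function sidKey(string $sid): string { return hash('sha256', $sid); }
// Login: record the new session ID (session_id() in a real request).
function registerSession(PDO $db, string $sid, int $userId, int $now): void {
    $db->prepare('INSERT INTO user_sessions VALUES (?, ?, ?)')
       ->execute([sidKey($sid), $userId, $now]);
}
// Every request: renew a live session; false means expired, logged out or unknown.
function touchSession(PDO $db, string $sid, int $now): bool {
    $st = $db->prepare('UPDATE user_sessions SET last_seen = ?
                        WHERE sid_hash = ? AND last_seen >= ?');
    $st->execute([$now, sidKey($sid), $now - IDLE_TIMEOUT]);
    return $st->rowCount() === 1;
}
// Logout button: delete the row, so the ID is dead at once.
function endSession(PDO $db, string $sid): void {
    $db->prepare('DELETE FROM user_sessions WHERE sid_hash = ?')->execute([sidKey($sid)]);
}
// Cron job: purge sessions abandoned without a logout (closed browser).
function sweepExpired(PDO $db, int $now): int {
    $st = $db->prepare('DELETE FROM user_sessions WHERE last_seen < ?');
    $st->execute([$now - IDLE_TIMEOUT]);
    return $st->rowCount();
}
// Live sessions for one user; more than one means several browsers at once.
function liveCount(PDO $db, int $userId, int $now): int {
    $st = $db->prepare('SELECT COUNT(*) FROM user_sessions
                        WHERE user_id = ? AND last_seen >= ?');
    $st->execute([$userId, $now - IDLE_TIMEOUT]);
    return (int) $st->fetchColumn();
}
$db = registryOpen();                       // constructed walk-through, integer timestamps
registerSession($db, 'sid-A', 42, 0);       // browser A logs in
registerSession($db, 'sid-B', 42, 600);     // browser B logs in
var_dump(liveCount($db, 42, 700));          // count while both are recent
endSession($db, 'sid-B');                   // B clicks logout
var_dump(touchSession($db, 'sid-B', 800));  // B's ID checked after logout
var_dump(touchSession($db, 'sid-A', 3000)); // A checked after 3000 s of silence
var_dump(sweepExpired($db, 3000));          // cron pass over stale rows
```

On MySQL, `rowCount()` reports changed rather than matched rows by default, so two requests in the same second would need `PDO::MYSQL_ATTR_FOUND_ROWS` for `touchSession()` to stay accurate.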