Session Query

I know that I can amend my PHP.ini for a generic timeout for all sessions, but how can I use PHP to put a timeout againts my sessions if there is no activity for a certain amount of time? I am willing to use cookies if easier.

You can easily use a table in a db and cookies to do this. I'll go over a possible way to implement it below:

1) create a table called session (or whatever) in your db. At minimum it will need to track date/time, and session_id.

2) decide how long you want the session to last.

3) write a function that will delete all rows from the session table that are older than your session timeout value.

4) *always* call the function from number 3 before you do anything with your sessions.

5) in each page where you will want to use sessions, call the function from number 3, and then check to see if a session cookie exists. If the cookie exists, proceed to step 6), otherwise proceed to step 9)

6) select from the session table using the session id stored in the cookie. Make sure you select the timestamp out as part of the select. If the session id exists, the session is still valid and proceed to step 7), if it doesn't proceed to step 10).

7) next, using the timestamp from the session table, compare it to the current time, if it is older than, say 5 mins (you pick a time value), then you delete the row from the database, and reinsert it again. This allows you to keep a session refreshed without deleting on every call if someone is bouncing around pages quickly in your site.

8) write the session cookie back out with the current session id.

9) no cookie existing means no session exists, and so we generate a unique session id and insert that value into the session table with a timestamp and also write a cookie back out.

10) if no entry in the session table exists, the session is invalid or expired (and thus deleted). again we initialize a new session id and insert it with a timestamp into the table and write the session id out as a cookie.

That's a quick overview of one way to do it. There are a few things I glossed over, and really, this model needs to be slightly fleshed out more. For example, what if you can't write out a cookie? Do you deny a session? Probably not. Your best bet is to test to see if you can write a cookie, and if you can't then append the session id to the URL, and so you also have to examine the $_GET scope for session id as well.

HTH!

Cheers,
Keith.

Good idea, but I want to avoid using yet another database table if possible.

Thanks anyway

The prinicple still applies... even if you saved session info in a WDDX packet in a file on the server...

Cheers,
Keith.